Create aggregated ChangeLog

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

ChangeLog

@@ -1,6 +1,6 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= Mbed TLS 3.0.0 branch released 2021-xx-xx
+= Mbed TLS 3.0.0 branch released 2021-07-07
 
 API changes
    * Remove HAVEGE module.
@@ -36,12 +36,146 @@ API changes
    * Drop support for RC4 TLS ciphersuites.
    * Drop support for single-DES ciphersuites.
    * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
+   * Update AEAD output size macros to bring them in line with the PSA Crypto
+     API version 1.0 spec. This version of the spec parameterizes them on the
+     key type used, as well as the key bit-size in the case of
+     PSA_AEAD_TAG_LENGTH.
+   * Add configuration option MBEDTLS_X509_REMOVE_INFO which
+     removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
+     as well as other functions and constants only used by
+     those functions. This reduces the code footprint by
+     several kB.
+   * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
+     and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
+     returned from the public SSL API.
+   * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
+     `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.
+   * The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
+     mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
+     rather than array type. This removes spurious warnings in some compilers
+     when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
+     the hash size.
+   * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
+   * The interface of the GCM module has changed to remove restrictions on
+     how the input to multipart operations is broken down. mbedtls_gcm_finish()
+     now takes an extra output parameter for the last partial output block.
+     mbedtls_gcm_update() now takes extra parameters for the output length.
+     The software implementation always produces the full output at each
+     call to mbedtls_gcm_update(), but alternative implementations activated
+     by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
+     mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
+     no longer pass the associated data to mbedtls_gcm_starts(), but to the
+     new function mbedtls_gcm_update_ad().
+     These changes are backward compatible for users of the cipher API.
+   * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
+     This separates config option enabling the SHA384 algorithm from option
+     enabling the SHA512 algorithm. Fixes #4034.
+   * Introduce MBEDTLS_SHA224_C.
+     This separates config option enabling the SHA224 algorithm from option
+     enabling SHA256.
+    * The getter and setter API of the SSL session cache (used for
+      session-ID based session resumption) has changed to that of
+      a key-value store with keys being session IDs and values
+      being opaque instances of `mbedtls_ssl_session`.
+   * Remove the mode parameter from RSA operation functions. Signature and
+     decryption functions now always use the private key and verification and
+     encryption use the public key. Verification functions also no longer have
+     RNG parameters.
+    * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
+      In Mbed TLS 2.X, the API prescribes that later calls overwrite
+      the effect of earlier calls. In Mbed TLS 3.0, calling
+      `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
+      leaving the PSK that was configured first intact.
+      Support for more than one PSK may be added in 3.X.
+   * The function mbedtls_x509write_csr_set_extension() has an extra parameter
+     which allows to mark an extension as critical. Fixes #4055.
+   * For multi-part AEAD operations with the cipher module, calling
+     mbedtls_cipher_finish() is now mandatory. Previously the documentation
+     was unclear on this point, and this function happened to never do
+     anything with the currently implemented AEADs, so in practice it was
+     possible to skip calling it, which is no longer supported.
+   * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
+     instead of computing tables in runtime. Thus, this option now increase
+     code size, and it does not increase RAM usage in runtime anymore.
+   * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
+     mbedtls_ssl_get_output_max_frag_len(), and add a new API
+     mbedtls_ssl_get_max_in_record_payload(), complementing the existing
+     mbedtls_ssl_get_max_out_record_payload().
+     Uses of mbedtls_ssl_get_input_max_frag_len() and
+     mbedtls_ssl_get_input_max_frag_len() should be replaced by
+     mbedtls_ssl_get_max_in_record_payload() and
+     mbedtls_ssl_get_max_out_record_payload(), respectively.
+   * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
+     key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
+     after initializing the context. mbedtls_rsa_set_padding() now returns an
+     error if its parameters are invalid.
+    * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
+      configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
+   * Instead of accessing the len field of a DHM context, which is no longer
+     supported, use the new function mbedtls_dhm_get_len() .
+   * In modules that implement cryptographic hash functions, many functions
+     mbedtls_xxx() now return int instead of void, and the corresponding
+     function mbedtls_xxx_ret() which was identical except for returning int
+     has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
+     migration guide for more information. Fixes #4212.
+   * For all functions that take a random number generator (RNG) as a
+     parameter, this parameter is now mandatory (that is, NULL is not an
+     acceptable value). Functions which previously accepted NULL and now
+     reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
+     sign and decrypt function; mbedtls_rsa_private(); the functions
+     in DHM and ECDH that compute the shared secret; the scalar multiplication
+     functions in ECP.
+   * The following functions now require an RNG parameter:
+     mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
+     mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
+   * mbedtls_ssl_conf_export_keys_ext_cb() and
+     mbedtls_ssl_conf_export_keys_cb() have been removed and
+     replaced by a new API mbedtls_ssl_set_export_keys_cb().
+     Raw keys and IVs are no longer passed to the callback.
+     Further, callbacks now receive an additional parameter
+     indicating the type of secret that's being exported,
+     paving the way for the larger number of secrets
+     in TLS 1.3. Finally, the key export callback and
+     context are now connection-specific.
+   * Signature functions in the RSA and PK modules now require the hash
+     length parameter to be the size of the hash input. For RSA signatures
+     other than raw PKCS#1 v1.5, this must match the output size of the
+     specified hash algorithm.
+   * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
+     mbedtls_ecdsa_write_signature() and
+     mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
+     indicating the size of the output buffer for the signature.
+   * Implement one-shot cipher functions, psa_cipher_encrypt and
+     psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
+     specification.
+   * Direct access to fields of structures declared in public headers is no
+     longer supported except for fields that are documented public. Use accessor
+     functions instead. For more information, see the migration guide entry
+     "Most structure fields are now private".
+
+Default behavior changes
+   * Enable by default the functionalities which have no reason to be disabled.
+     They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
+     Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
+   * Some default policies for X.509 certificate verification and TLS have
+     changed: curves and hashes weaker than 255 bits are no longer accepted
+     by default. The default order in TLS now favors faster curves over larger
+     curves.
 
 Requirement changes
    * The library now uses the %zu format specifier with the printf() family of
      functions, so requires a toolchain that supports it. This change does not
      affect the maintained LTS branches, so when contributing changes please
      bear this in mind and do not add them to backported code.
+   * If you build the development version of Mbed TLS, rather than an official
+     release, some configuration-independent files are now generated at build
+     time rather than checked into source control. This includes some library
+     source files as well as the Visual Studio solution. Perl, Python 3 and a
+     C compiler for the host platform are required. See “Generated source files
+     in the development branch” in README.md for more information.
+   * Refresh the minimum supported versions of tools to build the
+     library. CMake versions older than 3.10.2 and Python older
+     than 3.6 are no longer supported.
 
 Removals
    * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
@@ -49,7 +183,6 @@ Removals
      certificates signed with SHA-1 due to the known attacks against SHA-1.
      If needed, SHA-1 certificates can still be verified by using a custom
      verification profile.
-
    * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
    * Removed deprecated functions from hashing modules. Fixes #4280.
    * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
@@ -58,12 +191,133 @@ Removals
      More details on PCKS#11 wrapper removal can be found in the mailing list
      https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
    * Remove deprecated error codes. Fix #4283
+   * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
+   * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+     compile-time option. This option has been inactive for a long time.
+     Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
+     instead.
+   * Remove the following deprecated functions and constants of hex-encoded
+     primes based on RFC 5114 and RFC 3526 from library code and tests:
+     mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
+     mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
+     mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
+     mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
+     mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
+     MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
+     MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
+     MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
+     MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
+     Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
+   * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
+     MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
+     it. Fixes #4362.
+   * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
+     previous action. Fixes #4361.
+   * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
+     CBC record splitting, fallback SCSV, and the ability to configure
+     ciphersuites per version, which are no longer relevant. This removes the
+     configuration options MBEDTLS_SSL_PROTO_TLS1,
+     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
+     MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
+     mbedtls_ssl_conf_cbc_record_splitting(),
+     mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
+     and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
+   * The RSA module no longer supports private-key operations with the public
+     key and vice versa.
+   * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
+   * Remove all the 3DES ciphersuites:
+     MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
+     MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
+     Fixes #4367.
+   * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
+     behave as if it was always disabled. Fixes #4386.
+   * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
+     backward compatibility which is no longer supported. Addresses #4404.
+   * Remove the following macros: MBEDTLS_CHECK_PARAMS,
+     MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
+     MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
+   * Remove the  MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
+     option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
+     migration path. Fixes #4378.
+    * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
+      MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
+      behave as if they were always enabled. Fixes #4405.
+   * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
+     now determined automatically based on supported curves.
+    * Remove the following functions: mbedtls_timing_self_test(),
+      mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
+      mbedtls_set_alarm(). Fixes #4083.
+   * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
+     it no longer had any effect.
+    * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
+      corresponding modules and all their APIs and related configuration
+      options. Fixes #4084.
+   * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
+     MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
+     using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
+     See issue #4341 for more details.
+   * Remove the compile-time option
+     MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
 
 Features
    * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
      signature with a specific salt length. This function allows to validate
      test cases provided in the NIST's CAVP test suite. Contributed by Cédric
      Meuter in PR #3183.
+   * Added support for built-in driver keys through the PSA opaque crypto
+     driver interface. Refer to the documentation of
+     MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
+   * Implement psa_sign_message() and psa_verify_message().
+   * The multi-part GCM interface (mbedtls_gcm_update() or
+     mbedtls_cipher_update()) no longer requires the size of partial inputs to
+     be a multiple of 16.
+   * The multi-part GCM interface now supports chunked associated data through
+     multiple calls to mbedtls_gcm_update_ad().
+   * The new function mbedtls_mpi_random() generates a random value in a
+     given range uniformly.
+   * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
+     modules had undocumented constraints on their context types. These
+     constraints have been relaxed.
+     See docs/architecture/alternative-implementations.md for the remaining
+     constraints.
+   * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
+     query the size of the modulus in a Diffie-Hellman context.
+   * The new function mbedtls_dhm_get_value() copy a field out of a
+     Diffie-Hellman context.
+   * Use the new function mbedtls_ecjpake_set_point_format() to select the
+     point format for ECJPAKE instead of accessing the point_format field
+     directly, which is no longer supported.
+   * Implement psa_mac_compute() and psa_mac_verify() as defined in the
+     PSA Cryptograpy API 1.0.0 specification.
+
+Security
+* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
+  private keys and of blinding values for DHM and elliptic curves (ECP)
+  computations. Reported by FlorianF89 in #4245.
+* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
+  An adversary who is capable of very precise timing measurements could
+  learn partial information about the leading bits of the nonce used for the
+  signature, allowing the recovery of the private key after observing a
+  large number of signature operations. This completes a partial fix in
+  Mbed TLS 2.20.0.
+   * An adversary with access to precise enough information about memory
+     accesses (typically, an untrusted operating system attacking a secure
+     enclave) could recover an RSA private key after observing the victim
+     performing a single private-key operation. Found and reported by
+     Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
+   * An adversary with access to precise enough timing information (typically, a
+     co-located process) could recover a Curve25519 or Curve448 static ECDH key
+     after inputting a chosen public key and observing the victim performing the
+     corresponding private-key operation. Found and reported by Leila Batina,
+     Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
 
 Bugfix
    * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
@@ -87,6 +341,76 @@ Bugfix
      mbedtls_mpi_read_string() was called on "-0", or when
      mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
      the arguments being negative and the other being 0. Fixes #4643.
+   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
+     defined. Fixes #4217.
+   * Fix an incorrect error code when parsing a PKCS#8 private key.
+   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+     minimum size was rounded down to the nearest multiple of 8.
+   * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
+     defined to specific values.  If the code is used in a context
+     where these are already defined, this can result in a compilation
+     error.  Instead, assume that if they are defined, the values will
+     be adequate to build Mbed TLS.
+   * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
+     nonetheless, resulting in undefined reference errors when building a
+     shared library. Reported by Guillermo Garcia M. in #4411.
+   * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
+     when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
+     was disabled. Fix the dependency. Fixes #4472.
+   * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
+   * Fix test suite code on platforms where int32_t is not int, such as
+     Arm Cortex-M. Fixes #4530.
+   * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
+     directive in a header and a missing initialization in the self-test.
+   * Fix a missing initialization in the Camellia self-test, affecting
+     MBEDTLS_CAMELLIA_ALT implementations.
+   * Restore the ability to configure PSA via Mbed TLS options to support RSA
+     key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
+     is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
+     Fixes #4512.
+   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+     (when the encrypt-then-MAC extension is not in use) with some ALT
+     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+     the affected side to wrongly reject valid messages. Fixes #4118.
+   * Remove outdated check-config.h check that prevented implementing the
+     timing module on Mbed OS. Fixes #4633.
+   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+     about missing inputs.
+   * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
+     MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
+   * Fix a resource leak in a test suite with an alternative AES
+     implementation. Fixes #4176.
+   * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
+     could notably be triggered by setting the TLS debug level to 3 or above
+     and using a Montgomery curve for the key exchange. Reported by lhuang04
+     in #4578. Fixes #4608.
+   * psa_verify_hash() was relying on implementation-specific behavior of
+     mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
+     implementations. This reliance is now removed. Fixes #3990.
+   * Disallow inputs of length different from the corresponding hash when
+     signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
+     that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
+   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
+     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
+     could not be triggered by code that constructed A with one of the
+     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
+     those always built an mpi object with at least one limb.
+     Credit to OSS-Fuzz. Fixes #4641.
+   * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
+     effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
+     applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
+   * The PSA API no longer allows the creation or destruction of keys with a
+     read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+     can now only be used as intended, for keys that cannot be modified through
+     normal use of the API.
+   * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
+     in all the right places. Include it from crypto_platform.h, which is
+     the natural place. Fixes #4649.
+   * Fix which alert is sent in some cases to conform to the
+     applicable RFC: on an invalid Finished message value, an
+     invalid max_fragment_length extension, or an
+     unsupported extension used by the server.
 
 Changes
    * Fix the setting of the read timeout in the DTLS sample programs.
@@ -94,6 +418,49 @@ Changes
    * Fix memsan build false positive in x509_crt.c with clang 11
    * There is ongoing work for the next release (= Mbed TLS 3.0.0 branch to
      be released 2021-xx-xx), including various API-breaking changes.
+   * Alternative implementations of CMAC may now opt to not support 3DES as a
+     CMAC block cipher, and still pass the CMAC self test.
+   * Remove the AES sample application programs/aes/aescrypt2 which shows
+     bad cryptographic practice. Fix #1906.
+   * Remove configs/config-psa-crypto.h, which no longer had any intended
+     differences from the default configuration, but had accidentally diverged.
+   * When building the test suites with GNU make, invoke python3 or python, not
+     python2, which is no longer supported upstream.
+   * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
+     When that flag is on, standard GNU C printf format specifiers
+     should be used.
+   * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
+     MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
+     MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
+   * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
+     during ECC operations at a negligible performance cost.
+   * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
+     mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
+     when their input has length 0. Note that this is an implementation detail
+     and can change at any time, so this change should be transparent, but it
+     may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
+     now writing an empty string where it previously wrote one or more
+     zero digits when operating from values constructed with an mpi_read
+     function and some mpi operations.
+   * Add CMake package config generation for CMake projects consuming Mbed TLS.
+   * config.h has been split into build_info.h and mbedtls_config.h
+     build_info.h is intended to be included from C code directly, while
+     mbedtls_config.h is intended to be edited by end users wishing to
+     change the build configuration, and should generally only be included from
+     build_info.h.
+   * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
+   * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
+     Defining it to a particular value will ensure that Mbed TLS interprets
+     the config file in a way that's compatible with the config file format
+     used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
+     value.
+     The only value supported by Mbed TLS 3.0.0 is 0x03000000.
+   * Various changes to which alert and/or error code may be returned
+   * during the TLS handshake.
+   * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
+     PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
+     when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
+     is also applied when loading a key from storage.
 
 = mbed TLS 2.26.0 branch released 2021-03-08
 

ChangeLog.d/add-cmake-package-config.txt

@@ -1,2 +0,0 @@
-Changes
-   * Add CMake package config generation for CMake projects consuming Mbed TLS.

ChangeLog.d/add-missing-parenthesis.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
-     defined. Fixes #4217.

ChangeLog.d/aescrypt2.txt

@@ -1,3 +0,0 @@
-Changes
-   * Remove the AES sample application programs/aes/aescrypt2 which shows
-     bad cryptographic practice. Fix #1906.

ChangeLog.d/allow_alt_cmac_without_des.txt

@@ -1,3 +0,0 @@
-Changes
-   * Alternative implementations of CMAC may now opt to not support 3DES as a
-     CMAC block cipher, and still pass the CMAC self test.

ChangeLog.d/alt-context-relaxation.txt

@@ -1,6 +0,0 @@
-Features
-   * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
-     modules had undocumented constraints on their context types. These
-     constraints have been relaxed.
-     See docs/architecture/alternative-implementations.md for the remaining
-     constraints.

ChangeLog.d/aria-alt.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
-     directive in a header and a missing initialization in the self-test.
-   * Fix a missing initialization in the Camellia self-test, affecting
-     MBEDTLS_CAMELLIA_ALT implementations.

ChangeLog.d/cipher-delayed-output.txt

@@ -1,6 +0,0 @@
-API changes
-   * For multi-part AEAD operations with the cipher module, calling
-     mbedtls_cipher_finish() is now mandatory. Previously the documentation
-     was unclear on this point, and this function happened to never do
-     anything with the currently implemented AEADs, so in practice it was
-     possible to skip calling it, which is no longer supported.

ChangeLog.d/ciphersuite-sha1-sha384-guard.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
-     when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
-     was disabled. Fix the dependency. Fixes #4472.

ChangeLog.d/ciphersuite-sha384-guard.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.

ChangeLog.d/default-curves.txt

@@ -1,9 +0,0 @@
-Default behavior changes
-   * Some default policies for X.509 certificate verification and TLS have
-     changed: curves and hashes weaker than 255 bits are no longer accepted
-     by default. The default order in TLS now favors faster curves over larger
-     curves.
-
-Removals
-   * Remove the compile-time option
-     MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.

ChangeLog.d/dhm-fields.txt

@@ -1,9 +0,0 @@
-Features
-   * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
-     query the size of the modulus in a Diffie-Hellman context.
-   * The new function mbedtls_dhm_get_value() copy a field out of a
-     Diffie-Hellman context.
-
-API changes
-   * Instead of accessing the len field of a DHM context, which is no longer
-     supported, use the new function mbedtls_dhm_get_len() .

ChangeLog.d/dhm_min_bitlen.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
-     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
-     minimum size was rounded down to the nearest multiple of 8.

ChangeLog.d/ecdsa-random-leading-zeros.txt

@@ -1,7 +0,0 @@
-Security
-* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
-  An adversary who is capable of very precise timing measurements could
-  learn partial information about the leading bits of the nonce used for the
-  signature, allowing the recovery of the private key after observing a
-  large number of signature operations. This completes a partial fix in
-  Mbed TLS 2.20.0.

ChangeLog.d/ecjpake-point_format.txt

@@ -1,4 +0,0 @@
-Features
-   * Use the new function mbedtls_ecjpake_set_point_format() to select the
-     point format for ECJPAKE instead of accessing the point_format field
-     directly, which is no longer supported.

ChangeLog.d/ecp-window-size.txt

@@ -1,3 +0,0 @@
-Changes
-   * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
-     during ECC operations at a negligible performance cost.

ChangeLog.d/ecp_max_bits.txt

@@ -1,3 +0,0 @@
-Removals
-   * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
-     now determined automatically based on supported curves.

ChangeLog.d/fix-mingw-build.txt

@@ -1,5 +0,0 @@
-Changes
-   * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
-     When that flag is on, standard GNU C printf format specifiers
-     should be used.
-

ChangeLog.d/fix-pk-parse-key-error-code.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix an incorrect error code when parsing a PKCS#8 private key.

ChangeLog.d/fix-rsa-leak.txt

@@ -1,6 +0,0 @@
-Security
-   * An adversary with access to precise enough information about memory
-     accesses (typically, an untrusted operating system attacking a secure
-     enclave) could recover an RSA private key after observing the victim
-     performing a single private-key operation. Found and reported by
-     Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.

ChangeLog.d/fix-ssl-cf-hmac-alt.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
-     (when the encrypt-then-MAC extension is not in use) with some ALT
-     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
-     the affected side to wrongly reject valid messages. Fixes #4118.

ChangeLog.d/fix_tls_alert_codes.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix which alert is sent in some cases to conform to the
-     applicable RFC: on an invalid Finished message value, an
-     invalid max_fragment_length extension, or an
-     unsupported extension used by the server.

ChangeLog.d/gcm-update.txt

@@ -1,19 +0,0 @@
-API changes
-   * The interface of the GCM module has changed to remove restrictions on
-     how the input to multipart operations is broken down. mbedtls_gcm_finish()
-     now takes an extra output parameter for the last partial output block.
-     mbedtls_gcm_update() now takes extra parameters for the output length.
-     The software implementation always produces the full output at each
-     call to mbedtls_gcm_update(), but alternative implementations activated
-     by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
-     mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
-     no longer pass the associated data to mbedtls_gcm_starts(), but to the
-     new function mbedtls_gcm_update_ad().
-     These changes are backward compatible for users of the cipher API.
-
-Features
-   * The multi-part GCM interface (mbedtls_gcm_update() or
-     mbedtls_cipher_update()) no longer requires the size of partial inputs to
-     be a multiple of 16.
-   * The multi-part GCM interface now supports chunked associated data through
-     multiple calls to mbedtls_gcm_update_ad().

ChangeLog.d/host_test-int32.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix test suite code on platforms where int32_t is not int, such as
-     Arm Cortex-M. Fixes #4530.

ChangeLog.d/implicit_key_usage_policy.txt

@@ -1,5 +0,0 @@
-Changes
-   * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
-     PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
-     when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
-     is also applied when loading a key from storage.

ChangeLog.d/issue4036.txt

@@ -1,5 +0,0 @@
-Default behavior changes
-   * Enable by default the functionalities which have no reason to be disabled.
-     They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
-     Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
-

ChangeLog.d/issue4055.txt

@@ -1,3 +0,0 @@
-API changes
-   * The function mbedtls_x509write_csr_set_extension() has an extra parameter
-     which allows to mark an extension as critical. Fixes #4055.

ChangeLog.d/issue4083.txt

@@ -1,4 +0,0 @@
-Removals
-    * Remove the following functions: mbedtls_timing_self_test(),
-      mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
-      mbedtls_set_alarm(). Fixes #4083.

ChangeLog.d/issue4084.txt

@@ -1,4 +0,0 @@
-Removals
-    * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
-      corresponding modules and all their APIs and related configuration
-      options. Fixes #4084.

ChangeLog.d/issue4128.txt

@@ -1,4 +0,0 @@
-API changes
-   * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
-     instead of computing tables in runtime. Thus, this option now increase
-     code size, and it does not increase RAM usage in runtime anymore.

ChangeLog.d/issue4176.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a resource leak in a test suite with an alternative AES
-     implementation. Fixes #4176.

ChangeLog.d/issue4212.txt

@@ -1,6 +0,0 @@
-API changes
-   * In modules that implement cryptographic hash functions, many functions
-     mbedtls_xxx() now return int instead of void, and the corresponding
-     function mbedtls_xxx_ret() which was identical except for returning int
-     has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
-     migration guide for more information. Fixes #4212.

ChangeLog.d/issue4282.txt

@@ -1,13 +0,0 @@
-Removals
-   * Remove the following deprecated functions and constants of hex-encoded
-     primes based on RFC 5114 and RFC 3526 from library code and tests:
-     mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
-     mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
-     mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
-     mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
-     mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
-     MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
-     MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
-     MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
-     MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
-     Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.

ChangeLog.d/issue4286.txt

@@ -1,10 +0,0 @@
-Removals
-   * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
-     CBC record splitting, fallback SCSV, and the ability to configure
-     ciphersuites per version, which are no longer relevant. This removes the
-     configuration options MBEDTLS_SSL_PROTO_TLS1,
-     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
-     MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
-     mbedtls_ssl_conf_cbc_record_splitting(),
-     mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
-     and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.

ChangeLog.d/issue4313.txt

@@ -1,4 +0,0 @@
-Removals
-   * Remove the following macros: MBEDTLS_CHECK_PARAMS,
-     MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
-     MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.

ChangeLog.d/issue4335.txt

@@ -1,4 +0,0 @@
-Changes
-   * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
-     MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
-     MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.

ChangeLog.d/issue4361.txt

@@ -1,3 +0,0 @@
-Removals
-   * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
-     previous action. Fixes #4361.

ChangeLog.d/issue4367.txt

@@ -1,13 +0,0 @@
-Removals
-   * Remove all the 3DES ciphersuites:
-     MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
-     MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
-     Fixes #4367.

ChangeLog.d/issue4378.txt

@@ -1,4 +0,0 @@
-Removals
-   * Remove the  MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
-     option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
-     migration path. Fixes #4378.

ChangeLog.d/issue4386.txt

@@ -1,3 +0,0 @@
-Removals
-   * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
-     behave as if it was always disabled. Fixes #4386.

ChangeLog.d/issue4398.txt

@@ -1,3 +0,0 @@
-API changes
-    * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
-      configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.

ChangeLog.d/issue4403.txt

@@ -1,2 +0,0 @@
-Removals
-   * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.

ChangeLog.d/issue4405.txt

@@ -1,4 +0,0 @@
-Removals
-    * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
-      MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
-      behave as if they were always enabled. Fixes #4405.

ChangeLog.d/key-export.txt

@@ -1,10 +0,0 @@
-API changes
-   * mbedtls_ssl_conf_export_keys_ext_cb() and
-     mbedtls_ssl_conf_export_keys_cb() have been removed and
-     replaced by a new API mbedtls_ssl_set_export_keys_cb().
-     Raw keys and IVs are no longer passed to the callback.
-     Further, callbacks now receive an additional parameter
-     indicating the type of secret that's being exported,
-     paving the way for the larger number of secrets
-     in TLS 1.3. Finally, the key export callback and
-     context are now connection-specific.

ChangeLog.d/make-generate-tests-python.txt

@@ -1,3 +0,0 @@
-Changes
-   * When building the test suites with GNU make, invoke python3 or python, not
-     python2, which is no longer supported upstream.

ChangeLog.d/mandatory-rng-param.txt

@@ -1,14 +0,0 @@
-API changes
-   * For all functions that take a random number generator (RNG) as a
-     parameter, this parameter is now mandatory (that is, NULL is not an
-     acceptable value). Functions which previously accepted NULL and now
-     reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
-     sign and decrypt function; mbedtls_rsa_private(); the functions
-     in DHM and ECDH that compute the shared secret; the scalar multiplication
-     functions in ECP.
-   * The following functions now require an RNG parameter:
-     mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
-     mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
-Removals
-   * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
-     it no longer had any effect.

ChangeLog.d/max-record-payload-api.txt

@@ -1,9 +0,0 @@
-API changes
-   * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
-     mbedtls_ssl_get_output_max_frag_len(), and add a new API
-     mbedtls_ssl_get_max_in_record_payload(), complementing the existing
-     mbedtls_ssl_get_max_out_record_payload().
-     Uses of mbedtls_ssl_get_input_max_frag_len() and
-     mbedtls_ssl_get_input_max_frag_len() should be replaced by
-     mbedtls_ssl_get_max_in_record_payload() and
-     mbedtls_ssl_get_max_out_record_payload(), respectively.

ChangeLog.d/mbed-can-do-timing.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Remove outdated check-config.h check that prevented implementing the
-     timing module on Mbed OS. Fixes #4633.

ChangeLog.d/mbedtls_debug_print_mpi.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
-     could notably be triggered by setting the TLS debug level to 3 or above
-     and using a Montgomery curve for the key exchange. Reported by lhuang04
-     in #4578. Fixes #4608.

ChangeLog.d/mpi_exp_mod-zero.txt

@@ -1,7 +0,0 @@
-Bugfix
-   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
-     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
-     could not be triggered by code that constructed A with one of the
-     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
-     those always built an mpi object with at least one limb.
-     Credit to OSS-Fuzz. Fixes #4641.

ChangeLog.d/mpi_gcd-0.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
-     effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
-     applications that call mbedtls_mpi_gcd() directly. Fixes #4642.

ChangeLog.d/mpi_random.txt

@@ -1,3 +0,0 @@
-Features
-   * The new function mbedtls_mpi_random() generates a random value in a
-     given range uniformly.

ChangeLog.d/mpi_read_zero.txt

@@ -1,9 +0,0 @@
-Changes
-   * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
-     mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
-     when their input has length 0. Note that this is an implementation detail
-     and can change at any time, so this change should be transparent, but it
-     may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
-     now writing an empty string where it previously wrote one or more
-     zero digits when operating from values constructed with an mpi_read
-     function and some mpi operations.

ChangeLog.d/no-generated-files.txt

@@ -1,7 +0,0 @@
-Requirement changes
-   * If you build the development version of Mbed TLS, rather than an official
-     release, some configuration-independent files are now generated at build
-     time rather than checked into source control. This includes some library
-     source files as well as the Visual Studio solution. Perl, Python 3 and a
-     C compiler for the host platform are required. See “Generated source files
-     in the development branch” in README.md for more information.

ChangeLog.d/one-shot-mac.txt

@@ -1,3 +0,0 @@
-Features
-   * Implement psa_mac_compute() and psa_mac_verify() as defined in the
-     PSA Cryptograpy API 1.0.0 specification.

ChangeLog.d/one-shot_cipher_functions.txt

@@ -1,4 +0,0 @@
-API changes
-   * Implement one-shot cipher functions, psa_cipher_encrypt and
-     psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
-     specification.

ChangeLog.d/out_size.txt

@@ -1,5 +0,0 @@
-API changes
-   * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
-     mbedtls_ecdsa_write_signature() and
-     mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
-     indicating the size of the output buffer for the signature.

ChangeLog.d/posix-define.txt

@@ -1,6 +0,0 @@
-Bugfix
-   * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
-     defined to specific values.  If the code is used in a context
-     where these are already defined, this can result in a compilation
-     error.  Instead, assume that if they are defined, the values will
-     be adequate to build Mbed TLS.

ChangeLog.d/private-fields.txt

@@ -1,5 +0,0 @@
-API changes
-   * Direct access to fields of structures declared in public headers is no
-     longer supported except for fields that are documented public. Use accessor
-     functions instead. For more information, see the migration guide entry
-     "Most structure fields are now private".

ChangeLog.d/psa-aead-output-size-macros-1.0.txt

@@ -1,5 +0,0 @@
-API changes
-   * Update AEAD output size macros to bring them in line with the PSA Crypto
-     API version 1.0 spec. This version of the spec parameterizes them on the
-     key type used, as well as the key bit-size in the case of
-     PSA_AEAD_TAG_LENGTH.

ChangeLog.d/psa-builtin-keys-implementation.txt

@@ -1,4 +0,0 @@
-Features
-   * Added support for built-in driver keys through the PSA opaque crypto
-     driver interface. Refer to the documentation of
-     MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.

ChangeLog.d/psa-read-only-keys.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * The PSA API no longer allows the creation or destruction of keys with a
-     read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
-     can now only be used as intended, for keys that cannot be modified through
-     normal use of the API.

ChangeLog.d/psa-rsa-verify-alt-fix.txt

@@ -1,7 +0,0 @@
-Bugfix
-   * psa_verify_hash() was relying on implementation-specific behavior of
-     mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
-     implementations. This reliance is now removed. Fixes #3990.
-   * Disallow inputs of length different from the corresponding hash when
-     signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
-     that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)

ChangeLog.d/psa-without-genprime-fix.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Restore the ability to configure PSA via Mbed TLS options to support RSA
-     key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
-     is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
-     Fixes #4512.

ChangeLog.d/psa_key_derivation-bad_workflow.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
-     about missing inputs.

ChangeLog.d/psa_sign_message.txt

@@ -1,2 +0,0 @@
-Features
-   * Implement psa_sign_message() and psa_verify_message().

ChangeLog.d/random-range.txt

@@ -1,4 +0,0 @@
-Security
-* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
-  private keys and of blinding values for DHM and elliptic curves (ECP)
-  computations. Reported by FlorianF89 in #4245.

ChangeLog.d/reject-low-order-points-early.txt

@@ -1,6 +0,0 @@
-Security
-   * An adversary with access to precise enough timing information (typically, a
-     co-located process) could recover a Curve25519 or Curve448 static ECDH key
-     after inputting a chosen public key and observing the victim performing the
-     corresponding private-key operation. Found and reported by Leila Batina,
-     Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

ChangeLog.d/relaxed-psk-semantics.txt

@@ -1,7 +0,0 @@
-API changes
-    * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
-      In Mbed TLS 2.X, the API prescribes that later calls overwrite
-      the effect of earlier calls. In Mbed TLS 3.0, calling
-      `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
-      leaving the PSK that was configured first intact.
-      Support for more than one PSK may be added in 3.X.

ChangeLog.d/remove-config-psa-crypto.txt

@@ -1,3 +0,0 @@
-Changes
-   * Remove configs/config-psa-crypto.h, which no longer had any intended
-     differences from the default configuration, but had accidentally diverged.

ChangeLog.d/remove-enable-weak-ciphersuites.txt

@@ -1,2 +0,0 @@
-Removals
-   * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.

ChangeLog.d/remove-max-content-len.txt

@@ -1,4 +0,0 @@
-Removals
-   * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
-     MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
-     it. Fixes #4362.

ChangeLog.d/remove-rsa-mode-parameter.txt

@@ -1,8 +0,0 @@
-Removals
-   * The RSA module no longer supports private-key operations with the public
-     key and vice versa.
-API changes
-   * Remove the mode parameter from RSA operation functions. Signature and
-     decryption functions now always use the private key and verification and
-     encryption use the public key. Verification functions also no longer have
-     RNG parameters.

ChangeLog.d/remove_null_entropy.txt

@@ -1,2 +0,0 @@
-API changes
-   * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.

ChangeLog.d/require-matching-hashlen-rsa.txt

@@ -1,5 +0,0 @@
-API changes
-   * Signature functions in the RSA and PK modules now require the hash
-     length parameter to be the size of the hash input. For RSA signatures
-     other than raw PKCS#1 v1.5, this must match the output size of the
-     specified hash algorithm.

ChangeLog.d/rm-ecdh-legacy-context-option.txt

@@ -1,3 +0,0 @@
-Removals
-   * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
-     backward compatibility which is no longer supported. Addresses #4404.

ChangeLog.d/rm-ticket-lifetime-option.txt

@@ -1,5 +0,0 @@
-Removals
-   * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-     compile-time option. This option has been inactive for a long time.
-     Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
-     instead.

ChangeLog.d/rm-truncated-hmac-ext.txt

@@ -1,5 +0,0 @@
-Removals
-   * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
-     MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
-     using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
-     See issue #4341 for more details.

ChangeLog.d/rsa-padding.txt

@@ -1,5 +0,0 @@
-API changes
-   * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
-     key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
-     after initializing the context. mbedtls_rsa_set_padding() now returns an
-     error if its parameters are invalid.

ChangeLog.d/session-cache-api.txt

@@ -1,5 +0,0 @@
-API changes
-    * The getter and setter API of the SSL session cache (used for
-      session-ID based session resumption) has changed to that of
-      a key-value store with keys being session IDs and values
-      being opaque instances of `mbedtls_ssl_session`.

ChangeLog.d/sha224_sha384.txt

@@ -1,7 +0,0 @@
-API changes
-   * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
-     This separates config option enabling the SHA384 algorithm from option
-     enabling the SHA512 algorithm. Fixes #4034.
-   * Introduce MBEDTLS_SHA224_C.
-     This separates config option enabling the SHA224 algorithm from option
-     enabling SHA256.

ChangeLog.d/sha512-output-type.txt

@@ -1,6 +0,0 @@
-API changes
-   * The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
-     mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
-     rather than array type. This removes spurious warnings in some compilers
-     when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
-     the hash size.

ChangeLog.d/split-config.txt

@@ -1,13 +0,0 @@
-Changes
-   * config.h has been split into build_info.h and mbedtls_config.h
-     build_info.h is intended to be included from C code directly, while
-     mbedtls_config.h is intended to be edited by end users wishing to
-     change the build configuration, and should generally only be included from
-     build_info.h.
-   * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
-   * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
-     Defining it to a particular value will ensure that Mbed TLS interprets
-     the config file in a way that's compatible with the config file format
-     used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
-     value.
-     The only value supported by Mbed TLS 3.0.0 is 0x03000000.

ChangeLog.d/spm_build.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
-     in all the right places. Include it from crypto_platform.h, which is
-     the natural place. Fixes #4649.

ChangeLog.d/ssl-error-code-cleanup.txt

@@ -1,6 +0,0 @@
-API changes
-   * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
-     and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
-     returned from the public SSL API.
-   * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
-     `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.

ChangeLog.d/tool-versions.txt

@@ -1,4 +0,0 @@
-Requirement changes
-   * Refresh the minimum supported versions of tools to build the
-     library. CMake versions older than 3.10.2 and Python older
-     than 3.6 are no longer supported.

ChangeLog.d/undefined_reference_without_psa.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
-     nonetheless, resulting in undefined reference errors when building a
-     shared library. Reported by Guillermo Garcia M. in #4411.

ChangeLog.d/update_ssl_error_codes.txt

@@ -1,3 +0,0 @@
-Changes
-   * Various changes to which alert and/or error code may be returned
-   * during the TLS handshake.

ChangeLog.d/winsock.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
-     MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
-

ChangeLog.d/x509_remove_info.txt

@@ -1,6 +0,0 @@
-API changes
-   * Add configuration option MBEDTLS_X509_REMOVE_INFO which
-     removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
-     as well as other functions and constants only used by
-     those functions. This reduces the code footprint by
-     several kB.