Merge pull request #10413 from bjwtaylor/remove-des

Removal of DES from mbedtls
diff --git a/ChangeLog.d/9684.txt b/ChangeLog.d/9684.txt
new file mode 100644
index 0000000..115ded8
--- /dev/null
+++ b/ChangeLog.d/9684.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove support for the DHE-PSK key exchange in TLS 1.2.
diff --git a/ChangeLog.d/9685.txt b/ChangeLog.d/9685.txt
new file mode 100644
index 0000000..9820aff
--- /dev/null
+++ b/ChangeLog.d/9685.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove support for the DHE-RSA key exchange in TLS 1.2.
diff --git a/ChangeLog.d/9874.txt b/ChangeLog.d/9874.txt
new file mode 100644
index 0000000..a4d2e03
--- /dev/null
+++ b/ChangeLog.d/9874.txt
@@ -0,0 +1,5 @@
+API changes
+   * Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API.
+     Instead of taking a mbedtls_cipher_type_t as an argument, this function
+     now takes 3 new arguments: a PSA algorithm, key type and key size, to
+     specify the AEAD for ticket protection.
diff --git a/ChangeLog.d/9892.txt b/ChangeLog.d/9892.txt
new file mode 100644
index 0000000..962bdad
--- /dev/null
+++ b/ChangeLog.d/9892.txt
@@ -0,0 +1,5 @@
+Removals
+   * Remove deprecated mbedtls_x509write_crt_set_serial(). The function was
+     already deprecated and superseded by
+     mbedtls_x509write_crt_set_serial_raw().
+
diff --git a/ChangeLog.d/9956.txt b/ChangeLog.d/9956.txt
new file mode 100644
index 0000000..cea4af1
--- /dev/null
+++ b/ChangeLog.d/9956.txt
@@ -0,0 +1,6 @@
+Removals
+   * Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the
+     following SSL functions are removed:
+     - mbedtls_ssl_conf_dh_param_bin
+     - mbedtls_ssl_conf_dh_param_ctx
+     - mbedtls_ssl_conf_dhm_min_bitlen
diff --git a/ChangeLog.d/9964.txt b/ChangeLog.d/9964.txt
new file mode 100644
index 0000000..189b4c1
--- /dev/null
+++ b/ChangeLog.d/9964.txt
@@ -0,0 +1,26 @@
+Removals
+   * Sample programs for the legacy crypto API have been removed.
+          pkey/rsa_genkey.c
+          pkey/pk_decrypt.c
+          pkey/dh_genprime.c
+          pkey/rsa_verify.c
+          pkey/mpi_demo.c
+          pkey/rsa_decrypt.c
+          pkey/key_app.c
+          pkey/dh_server.c
+          pkey/ecdh_curve25519.c
+          pkey/pk_encrypt.c
+          pkey/rsa_sign.c
+          pkey/key_app_writer.c
+          pkey/dh_client.c
+          pkey/ecdsa.c
+          pkey/rsa_encrypt.c
+          wince_main.c
+          aes/crypt_and_hash.c
+          random/gen_random_ctr_drbg.c
+          random/gen_entropy.c
+          hash/md_hmac_demo.c
+          hash/hello.c
+          hash/generic_sum.c
+          cipher/cipher_aead_demo.c
+
diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt
new file mode 100644
index 0000000..1aea653
--- /dev/null
+++ b/ChangeLog.d/add-tls-exporter.txt
@@ -0,0 +1,6 @@
+Features
+   * Add the function mbedtls_ssl_export_keying_material() which allows the
+     client and server to extract additional shared symmetric keys from an SSL
+     session, according to the TLS-Exporter specification in RFC 8446 and 5705.
+     This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
+     mbedtls_config.h.
diff --git a/ChangeLog.d/error-unification.txt b/ChangeLog.d/error-unification.txt
new file mode 100644
index 0000000..1f8e8af
--- /dev/null
+++ b/ChangeLog.d/error-unification.txt
@@ -0,0 +1,12 @@
+API changes
+   * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx()
+     functions can now return PSA_ERROR_xxx values.
+     There is no longer a distinction between "low-level" and "high-level"
+     Mbed TLS error codes.
+     This will not affect most applications since the error values are
+     between -32767 and -1 as before.
+
+Removals
+   * Remove mbedtls_low_level_strerr() and mbedtls_high_level_strerr(),
+     since these concepts no longer exists. There is just mbedtls_strerror().
+
diff --git a/ChangeLog.d/fix-asn1-store-named-data.txt b/ChangeLog.d/fix-asn1-store-named-data.txt
new file mode 100644
index 0000000..7a040bd
--- /dev/null
+++ b/ChangeLog.d/fix-asn1-store-named-data.txt
@@ -0,0 +1,8 @@
+Security
+   * Fix a bug in tf-psa-crypto's mbedtls_asn1_store_named_data() where it
+     would sometimes leave an item in the output list in an inconsistent
+     state with val.p == NULL but val.len > 0. Affected functions used in X.509
+     would then dereference a NULL pointer. Applications that do not
+     call this function (directly, or indirectly through X.509 writing) are not
+     affected. Found by Linh Le and Ngan Nguyen from Calif.
+
diff --git a/ChangeLog.d/fix-clang-psa-build-without-dhm.txt b/ChangeLog.d/fix-clang-psa-build-without-dhm.txt
new file mode 100644
index 0000000..543f4db
--- /dev/null
+++ b/ChangeLog.d/fix-clang-psa-build-without-dhm.txt
@@ -0,0 +1,5 @@
+Bugfix
+   * Fix Clang compilation error when finite-field Diffie-Hellman is disabled.
+     Reported by Michael Schuster in #9188.
+
+
diff --git a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
new file mode 100644
index 0000000..11e7d25
--- /dev/null
+++ b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
@@ -0,0 +1,2 @@
+Bugfix
+   * Fix compilation error when memcpy() is a function-like macros. Fixes #8994.
diff --git a/ChangeLog.d/fix-compilation-with-djgpp.txt b/ChangeLog.d/fix-compilation-with-djgpp.txt
new file mode 100644
index 0000000..5b79fb6
--- /dev/null
+++ b/ChangeLog.d/fix-compilation-with-djgpp.txt
@@ -0,0 +1,2 @@
+Bugfix
+   * Fix compilation on MS-DOS DJGPP. Fixes #9813.
diff --git a/ChangeLog.d/fix-dependency-on-generated-files.txt b/ChangeLog.d/fix-dependency-on-generated-files.txt
index b3e7e4e..540cf0de 100644
--- a/ChangeLog.d/fix-dependency-on-generated-files.txt
+++ b/ChangeLog.d/fix-dependency-on-generated-files.txt
@@ -1,3 +1,3 @@
 Bugfix
-    * Fix potential CMake parallel build failure when building both the static
-      and shared libraries.
+   * Fix potential CMake parallel build failure when building both the static
+     and shared libraries.
diff --git a/ChangeLog.d/fix-legacy-compression-issue.txt b/ChangeLog.d/fix-legacy-compression-issue.txt
new file mode 100644
index 0000000..2549af8
--- /dev/null
+++ b/ChangeLog.d/fix-legacy-compression-issue.txt
@@ -0,0 +1,6 @@
+Bugfix
+   * Fixes an issue where some TLS 1.2 clients could not connect to an
+     Mbed TLS 3.6.0 server, due to incorrect handling of
+     legacy_compression_methods in the ClientHello.
+     fixes #8995, #9243.
+
diff --git a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
new file mode 100644
index 0000000..eefda61
--- /dev/null
+++ b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
@@ -0,0 +1,5 @@
+Bugfix
+   * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
+     occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
+     with Visual Studio 2013 or MinGW.
+     Fixes #10017.
diff --git a/ChangeLog.d/fix-server-mode-only-build.txt b/ChangeLog.d/fix-server-mode-only-build.txt
new file mode 100644
index 0000000..d1d8341
--- /dev/null
+++ b/ChangeLog.d/fix-server-mode-only-build.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
+     MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
diff --git a/ChangeLog.d/fix-string-to-names-memory-management.txt b/ChangeLog.d/fix-string-to-names-memory-management.txt
new file mode 100644
index 0000000..6b744a7
--- /dev/null
+++ b/ChangeLog.d/fix-string-to-names-memory-management.txt
@@ -0,0 +1,19 @@
+Security
+   * Fix possible use-after-free or double-free in code calling
+     mbedtls_x509_string_to_names(). This was caused by the function calling
+     mbedtls_asn1_free_named_data_list() on its head argument, while the
+     documentation did no suggest it did, making it likely for callers relying
+     on the documented behaviour to still hold pointers to memory blocks after
+     they were free()d, resulting in high risk of use-after-free or double-free,
+     with consequences ranging up to arbitrary code execution.
+     In particular, the two sample programs x509/cert_write and x509/cert_req
+     were affected (use-after-free if the san string contains more than one DN).
+     Code that does not call mbedtls_string_to_names() directly is not affected.
+     Found by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-47917
+
+Changes
+   * The function mbedtls_x509_string_to_names() now requires its head argument
+     to point to NULL on entry. This makes it likely that existing risky uses of
+     this function (see the entry in the Security section) will be detected and
+     fixed.
diff --git a/ChangeLog.d/fix-string-to-names-store-named-data.txt b/ChangeLog.d/fix-string-to-names-store-named-data.txt
new file mode 100644
index 0000000..b088468
--- /dev/null
+++ b/ChangeLog.d/fix-string-to-names-store-named-data.txt
@@ -0,0 +1,10 @@
+Security
+   * Fix a bug in mbedtls_x509_string_to_names() and the
+     mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions,
+     where some inputs would cause an inconsistent state to be reached, causing
+     a NULL dereference either in the function itself, or in subsequent
+     users of the output structure, such as mbedtls_x509_write_names(). This
+     only affects applications that create (as opposed to consume) X.509
+     certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-48965
+
diff --git a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt
new file mode 100644
index 0000000..506f2bd
--- /dev/null
+++ b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt
@@ -0,0 +1,12 @@
+Security
+   * With TLS 1.3, when a server enables optional authentication of the
+     client, if the client-provided certificate does not have appropriate values
+     in keyUsage or extKeyUsage extensions, then the return value of
+     mbedtls_ssl_get_verify_result() would incorrectly have the
+     MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits
+     clear. As a result, an attacker that had a certificate valid for uses other
+     than TLS client authentication could be able to use it for TLS client
+     authentication anyway. Only TLS 1.3 servers were affected, and only with
+     optional authentication (required would abort the handshake with a fatal
+     alert).
+     CVE-2024-45159
diff --git a/ChangeLog.d/mbedtls_ssl_set_hostname.txt b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
new file mode 100644
index 0000000..05f375d
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
@@ -0,0 +1,18 @@
+Default behavior changes
+   * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
+     mbedtls_ssl_handshake() now fails with
+     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+     if certificate-based authentication of the server is attempted.
+     This is because authenticating a server without knowing what name
+     to expect is usually insecure.
+
+Security
+   * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
+     if they use certificate authentication (i.e. not pre-shared keys).
+     Otherwise, in many scenarios, the server could be impersonated.
+     The library will now prevent the handshake and return
+     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+     if mbedtls_ssl_set_hostname() has not been called.
+     Reported by Daniel Stenberg.
+     CVE-2025-27809
+
diff --git a/ChangeLog.d/oid.txt b/ChangeLog.d/oid.txt
new file mode 100644
index 0000000..53828d8
--- /dev/null
+++ b/ChangeLog.d/oid.txt
@@ -0,0 +1,8 @@
+Removals
+   * The library no longer offers interfaces to look up values by OID
+     or OID by enum values.
+     The header <mbedtls/oid.h> now only defines functions to convert
+     between binary and dotted string OID representations, and macros
+     for OID strings that are relevant to X.509.
+     The compilation option MBEDTLS_OID_C no longer
+     exists. OID tables are included in the build automatically as needed.
diff --git a/ChangeLog.d/psa-always-on.txt b/ChangeLog.d/psa-always-on.txt
new file mode 100644
index 0000000..6607e9f
--- /dev/null
+++ b/ChangeLog.d/psa-always-on.txt
@@ -0,0 +1,11 @@
+Default behavior changes
+   * The X.509 and TLS modules now always use the PSA subsystem
+     to perform cryptographic operations, with a few exceptions documented
+     in docs/architecture/psa-migration/psa-limitations.md. This
+     corresponds to the behavior of Mbed TLS 3.x when
+     MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO
+     is now always enabled.
+   * psa_crypto_init() must be called before performing any cryptographic
+     operation, including indirect requests such as parsing a key or
+     certificate or starting a TLS handshake.
+
diff --git a/ChangeLog.d/removal-of-rng.txt b/ChangeLog.d/removal-of-rng.txt
new file mode 100644
index 0000000..7ecb29f
--- /dev/null
+++ b/ChangeLog.d/removal-of-rng.txt
@@ -0,0 +1,6 @@
+API changes
+   * All API functions now use the PSA random generator psa_generate_random()
+     internally. As a consequence, functions no longer take RNG parameters.
+     Please refer to the migration guide at :
+     docs/4.0-migration-guide.md.
+
diff --git a/ChangeLog.d/remove-compat-2.x.txt b/ChangeLog.d/remove-compat-2.x.txt
new file mode 100644
index 0000000..37f012c
--- /dev/null
+++ b/ChangeLog.d/remove-compat-2.x.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove compat-2-x.h header from mbedtls.
diff --git a/ChangeLog.d/remove_RSA_key_exchange.txt b/ChangeLog.d/remove_RSA_key_exchange.txt
new file mode 100644
index 0000000..f9baaf1
--- /dev/null
+++ b/ChangeLog.d/remove_RSA_key_exchange.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove support for the RSA key exchange in TLS 1.2.
diff --git a/ChangeLog.d/replace-close-with-mbedtls_net_close.txt b/ChangeLog.d/replace-close-with-mbedtls_net_close.txt
new file mode 100644
index 0000000..213cf55
--- /dev/null
+++ b/ChangeLog.d/replace-close-with-mbedtls_net_close.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
+     and 'mbedtls_net_connect' to prevent possible double close fd
+     problems. Fixes #9711.
diff --git a/ChangeLog.d/repo-split.txt b/ChangeLog.d/repo-split.txt
new file mode 100644
index 0000000..f03b5ed
--- /dev/null
+++ b/ChangeLog.d/repo-split.txt
@@ -0,0 +1,5 @@
+Changes
+   * Move the crypto part of the library (content of tf-psa-crypto directory)
+     from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and
+     tests development will now occur in TF-PSA-Crypto, which Mbed TLS
+     references as a Git submodule.
diff --git a/ChangeLog.d/rm-ssl-conf-curves.txt b/ChangeLog.d/rm-ssl-conf-curves.txt
new file mode 100644
index 0000000..4b29adc
--- /dev/null
+++ b/ChangeLog.d/rm-ssl-conf-curves.txt
@@ -0,0 +1,4 @@
+Removals
+   * Remove the function mbedtls_ssl_conf_curves() which had been deprecated
+     in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1.
+
diff --git a/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt b/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt
new file mode 100644
index 0000000..938e9ec
--- /dev/null
+++ b/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt
@@ -0,0 +1,4 @@
+Changes
+   * Functions regarding numeric string conversions for OIDs have been moved
+     from the OID module and now reside in X.509 module. This helps to reduce
+     the code size as these functions are not commonly used outside of X.509.
diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt
new file mode 100644
index 0000000..6bab02a
--- /dev/null
+++ b/ChangeLog.d/tls-hs-defrag-in.txt
@@ -0,0 +1,7 @@
+Bugfix
+   * Support re-assembly of fragmented handshake messages in TLS (both
+     1.2 and 1.3). The lack of support was causing handshake failures with
+     some servers, especially with TLS 1.3 in practice. There are a few
+     limitations, notably a fragmented ClientHello is only supported when
+     TLS 1.3 support is enabled. See the documentation of
+     mbedtls_ssl_handshake() for details.
diff --git a/ChangeLog.d/tls-key-exchange-rsa.txt b/ChangeLog.d/tls-key-exchange-rsa.txt
new file mode 100644
index 0000000..4df6b3e
--- /dev/null
+++ b/ChangeLog.d/tls-key-exchange-rsa.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove support for the RSA-PSK key exchange in TLS 1.2.
diff --git a/ChangeLog.d/tls12-check-finished-calc.txt b/ChangeLog.d/tls12-check-finished-calc.txt
new file mode 100644
index 0000000..cd52d32
--- /dev/null
+++ b/ChangeLog.d/tls12-check-finished-calc.txt
@@ -0,0 +1,6 @@
+Security
+   * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
+     or there was a cryptographic hardware failure when calculating the
+     Finished message, it could be calculated incorrectly. This would break
+     the security guarantees of the TLS handshake.
+     CVE-2025-27810
diff --git a/ChangeLog.d/tls13-cert-regressions.txt b/ChangeLog.d/tls13-cert-regressions.txt
new file mode 100644
index 0000000..8dd8a32
--- /dev/null
+++ b/ChangeLog.d/tls13-cert-regressions.txt
@@ -0,0 +1,18 @@
+Bugfix
+   * Fixed a regression introduced in 3.6.0 where the CA callback set with
+     mbedtls_ssl_conf_ca_cb() would stop working when connections were
+     upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS
+     1.3.
+   * Fixed a regression introduced in 3.6.0 where clients that relied on
+     optional/none authentication mode, by calling mbedtls_ssl_conf_authmode()
+     with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop
+     working when connections were upgraded to TLS 1.3. Fixed by adding
+     support for optional/none with TLS 1.3 as well. Note that the TLS 1.3
+     standard makes server authentication mandatory; users are advised not to
+     use authmode none, and to carefully check the results when using optional
+     mode.
+   * Fixed a regression introduced in 3.6.0 where context-specific certificate
+     verify callbacks, set with mbedtls_ssl_set_verify() as opposed to
+     mbedtls_ssl_conf_verify(), would stop working when connections were
+     upgraded to TLS 1.3. Fixed by adding support for context-specific verify
+     callback in TLS 1.3.
diff --git a/ChangeLog.d/tls13-middlebox-compat-disabled.txt b/ChangeLog.d/tls13-middlebox-compat-disabled.txt
new file mode 100644
index 0000000..f5331bc
--- /dev/null
+++ b/ChangeLog.d/tls13-middlebox-compat-disabled.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
+     peers that have middlebox compatibility enabled, as long as no
+     problematic middlebox is in the way. Fixes #9551.
diff --git a/ChangeLog.d/tls13-without-tickets.txt b/ChangeLog.d/tls13-without-tickets.txt
new file mode 100644
index 0000000..8ceef21
--- /dev/null
+++ b/ChangeLog.d/tls13-without-tickets.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix TLS 1.3 client build and runtime when support for session tickets is
+     disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
diff --git a/ChangeLog.d/unterminated-string-initialization.txt b/ChangeLog.d/unterminated-string-initialization.txt
new file mode 100644
index 0000000..75a72ca
--- /dev/null
+++ b/ChangeLog.d/unterminated-string-initialization.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Silence spurious -Wunterminated-string-initialization warnings introduced
+     by GCC 15. Fixes #9944.
diff --git a/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt b/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt
index e04f45a..e7ac546 100644
--- a/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt
+++ b/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt
@@ -1,3 +1,3 @@
 API changes
-    * Change the serial argument of the mbedtls_x509write_crt_set_serial_raw
-      function to a const to align with the rest of the API.
+   * Change the serial argument of the mbedtls_x509write_crt_set_serial_raw
+     function to a const to align with the rest of the API.