Build aggregated ChangeLog

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
diff --git a/ChangeLog b/ChangeLog
index a6d4adf..3231cb4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,203 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+   * Update AEAD output size macros to bring them in line with the PSA Crypto
+     API version 1.0 spec. This version of the spec parameterizes them on the
+     key type used, as well as the key bit-size in the case of
+     PSA_AEAD_TAG_LENGTH.
+     The old versions of these macros were renamed and deprecated as follows:
+     - PSA_AEAD_TAG_LENGTH          -> PSA_AEAD_TAG_LENGTH_1_ARG
+     - PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
+     - PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
+     - PSA_AEAD_UPDATE_OUTPUT_SIZE  -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
+     - PSA_AEAD_FINISH_OUTPUT_SIZE  -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
+     - PSA_AEAD_VERIFY_OUTPUT_SIZE  -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
+   * Implement one-shot cipher functions, psa_cipher_encrypt and
+     psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
+     specification.
+
+Requirement changes
+   * The library now uses the %zu format specifier with the printf() family of
+     functions, so requires a toolchain that supports it. This change does not
+     affect the maintained LTS branches, so when contributing changes please
+     bear this in mind and do not add them to backported code.
+
+Features
+   * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
+     signature with a specific salt length. This function allows to validate
+     test cases provided in the NIST's CAVP test suite. Contributed by Cédric
+     Meuter in PR #3183.
+   * Added support for built-in driver keys through the PSA opaque crypto
+     driver interface. Refer to the documentation of
+     MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
+   * Implement psa_sign_message() and psa_verify_message().
+   * The new function mbedtls_mpi_random() generates a random value in a
+     given range uniformly.
+   * Implement psa_mac_compute() and psa_mac_verify() as defined in the
+     PSA Cryptograpy API 1.0.0 specification.
+   * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
+     curves and no longer needs to be configured explicitly to save RAM.
+
+Security
+* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
+  private keys and of blinding values for DHM and elliptic curves (ECP)
+  computations. Reported by FlorianF89 in #4245.
+* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
+  An adversary who is capable of very precise timing measurements could
+  learn partial information about the leading bits of the nonce used for the
+  signature, allowing the recovery of the private key after observing a
+  large number of signature operations. This completes a partial fix in
+  Mbed TLS 2.20.0.
+   * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
+     too small, leading to buffer overflows in ECC operations. Fail the build
+     in such a case.
+   * An adversary with access to precise enough information about memory
+     accesses (typically, an untrusted operating system attacking a secure
+     enclave) could recover an RSA private key after observing the victim
+     performing a single private-key operation. Found and reported by
+     Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
+   * An adversary with access to precise enough timing information (typically, a
+     co-located process) could recover a Curve25519 or Curve448 static ECDH key
+     after inputting a chosen public key and observing the victim performing the
+     corresponding private-key operation. Found and reported by Leila Batina,
+     Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
+
+Bugfix
+   * Add printf function attributes to mbedtls_debug_print_msg to ensure we
+     get printf format specifier warnings.
+   * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
+     lead to the seed file corruption in case if the path to the seed file is
+     equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
+     Krasnoshchok in #3616.
+   * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
+     rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
+     in line with version 1.0.0 of the specification. Fix #4162.
+   * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
+     than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
+     to create is not valid, bringing them in line with version 1.0.0 of the
+     specification. Fix #4271.
+   * Fix some cases in the bignum module where the library constructed an
+     unintended representation of the value 0 which was not processed
+     correctly by some bignum operations. This could happen when
+     mbedtls_mpi_read_string() was called on "-0", or when
+     mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
+     the arguments being negative and the other being 0. Fixes #4643.
+   * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
+     zero. Fixes #1792
+   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
+     defined. Fixes #4217.
+   * Fix an incorrect error code when parsing a PKCS#8 private key.
+   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+     minimum size was rounded down to the nearest multiple of 8.
+   * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
+     defined to specific values.  If the code is used in a context
+     where these are already defined, this can result in a compilation
+     error.  Instead, assume that if they are defined, the values will
+     be adequate to build Mbed TLS.
+   * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
+     when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
+     was disabled. Fix the dependency. Fixes #4472.
+   * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
+   * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
+     nonetheless, resulting in undefined reference errors when building a
+     shared library. Reported by Guillermo Garcia M. in #4411.
+   * Fix test suite code on platforms where int32_t is not int, such as
+     Arm Cortex-M. Fixes #4530.
+   * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
+     directive in a header and a missing initialization in the self-test.
+   * Fix a missing initialization in the Camellia self-test, affecting
+     MBEDTLS_CAMELLIA_ALT implementations.
+   * Restore the ability to configure PSA via Mbed TLS options to support RSA
+     key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
+     is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
+     Fixes #4512.
+   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+     (when the encrypt-then-MAC extension is not in use) with some ALT
+     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+     the affected side to wrongly reject valid messages. Fixes #4118.
+   * Remove outdated check-config.h check that prevented implementing the
+     timing module on Mbed OS. Fixes #4633.
+   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+     about missing inputs.
+   * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
+     MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
+   * Fix a resource leak in a test suite with an alternative AES
+     implementation. Fixes #4176.
+   * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
+     could notably be triggered by setting the TLS debug level to 3 or above
+     and using a Montgomery curve for the key exchange. Reported by lhuang04
+     in #4578. Fixes #4608.
+   * psa_verify_hash() was relying on implementation-specific behavior of
+     mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
+     implementations. This reliance is now removed. Fixes #3990.
+   * Disallow inputs of length different from the corresponding hash when
+     signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
+     that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
+   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
+     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
+     could not be triggered by code that constructed A with one of the
+     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
+     those always built an mpi object with at least one limb.
+     Credit to OSS-Fuzz. Fixes #4641.
+   * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
+     effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
+     applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
+   * The PSA API no longer allows the creation or destruction of keys with a
+     read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+     can now only be used as intended, for keys that cannot be modified through
+     normal use of the API.
+   * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
+     in all the right places. Include it from crypto_platform.h, which is
+     the natural place. Fixes #4649.
+   * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
+     restartable variants now always honor the specified hash length if
+     nonzero. Before, for RSA, hash_len was ignored in favor of the length of
+     the specified hash algorithm.
+   * Fix which alert is sent in some cases to conform to the
+     applicable RFC: on an invalid Finished message value, an
+     invalid max_fragment_length extension, or an
+     unsupported extension used by the server.
+
+Changes
+   * Add extra printf compiler warning flags to builds.
+   * Fix memsan build false positive in x509_crt.c with clang 11
+   * Fix the setting of the read timeout in the DTLS sample programs.
+   * Remove the AES sample application programs/aes/aescrypt2 which shows
+     bad cryptographic practice. Fix #1906.
+   * Alternative implementations of CMAC may now opt to not support 3DES as a
+     CMAC block cipher, and still pass the CMAC self test.
+   * Remove configs/config-psa-crypto.h, which was identical to the default
+     configuration except for having some extra cryptographic mechanisms
+     enabled and for unintended differences. This configuration was primarily
+     intended to demonstrate the PSA API, and lost most of its usefulness when
+     MBEDTLS_PSA_CRYPTO_C became enabled by default.
+   * When building the test suites with GNU make, invoke python3 or python, not
+     python2, which is no longer supported upstream.
+    * When using session cache based session resumption on the server,
+      double-check that custom session cache implementations return
+      sessions which are consistent with the negotiated ciphersuite
+      and compression method.
+   * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
+     When that flag is on, standard GNU C printf format specifiers
+     should be used.
+   * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
+     during ECC operations at a negligible performance cost.
+   * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
+     mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
+     when their input has length 0. Note that this is an implementation detail
+     and can change at any time, so this change should be transparent, but it
+     may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
+     now writing an empty string where it previously wrote one or more
+     zero digits when operating from values constructed with an mpi_read
+     function and some mpi operations.
+   * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
+     PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
+     when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
+     is also applied when loading a key from storage.
+
 = mbed TLS 2.26.0 branch released 2021-03-08
 
 API changes
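Review bot: The first two Security bullets in the new section (the DHM bias entry and the ECDSA ephemeral key entry) start with "* " at column 0 and use two-space continuation lines, while every other bullet in the section uses "   * " with five-space continuation, and the session cache bullet under Changes is indented by four spaces instead of three. Re-indent these so the section is uniform. Also in this hunk: "PSA Cryptograpy API" should read "PSA Cryptography API", "fix build failure on MinGW" should start with a capital letter, and the entries ending "Fixes #1792" and "with clang 11" lack a final period. The heading still carries the placeholders "x.x.x" and "xxxx-xx-xx", which need the real version and date before release.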
diff --git a/ChangeLog.d/add-missing-parenthesis.txt b/ChangeLog.d/add-missing-parenthesis.txt
deleted file mode 100644
index 9576ff3..0000000
--- a/ChangeLog.d/add-missing-parenthesis.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
-     defined. Fixes #4217.
diff --git a/ChangeLog.d/aescrypt2.txt b/ChangeLog.d/aescrypt2.txt
deleted file mode 100644
index 7ffa49e..0000000
--- a/ChangeLog.d/aescrypt2.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-   * Remove the AES sample application programs/aes/aescrypt2 which shows
-     bad cryptographic practice. Fix #1906.
diff --git a/ChangeLog.d/allow_alt_cmac_without_des.txt b/ChangeLog.d/allow_alt_cmac_without_des.txt
deleted file mode 100644
index 5193a9e..0000000
--- a/ChangeLog.d/allow_alt_cmac_without_des.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-   * Alternative implementations of CMAC may now opt to not support 3DES as a
-     CMAC block cipher, and still pass the CMAC self test.
diff --git a/ChangeLog.d/aria-alt.txt b/ChangeLog.d/aria-alt.txt
deleted file mode 100644
index 20aaa2b..0000000
--- a/ChangeLog.d/aria-alt.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
-     directive in a header and a missing initialization in the self-test.
-   * Fix a missing initialization in the Camellia self-test, affecting
-     MBEDTLS_CAMELLIA_ALT implementations.
diff --git a/ChangeLog.d/bugfix_PR3616.txt b/ChangeLog.d/bugfix_PR3616.txt
deleted file mode 100644
index 47d1044..0000000
--- a/ChangeLog.d/bugfix_PR3616.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
-     lead to the seed file corruption in case if the path to the seed file is
-     equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
-     Krasnoshchok in #3616.
diff --git a/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt b/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt
deleted file mode 100644
index d253f34..0000000
--- a/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
-     when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
-     was disabled. Fix the dependency. Fixes #4472.
diff --git a/ChangeLog.d/ciphersuite-sha384-guard.txt b/ChangeLog.d/ciphersuite-sha384-guard.txt
deleted file mode 100644
index 0ddf463..0000000
--- a/ChangeLog.d/ciphersuite-sha384-guard.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
-   * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
diff --git a/ChangeLog.d/dhm_min_bitlen.txt b/ChangeLog.d/dhm_min_bitlen.txt
deleted file mode 100644
index e7ea827..0000000
--- a/ChangeLog.d/dhm_min_bitlen.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
-     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
-     minimum size was rounded down to the nearest multiple of 8.
diff --git a/ChangeLog.d/dtls_sample_use_read_timeout.txt b/ChangeLog.d/dtls_sample_use_read_timeout.txt
deleted file mode 100644
index e3150d6..0000000
--- a/ChangeLog.d/dtls_sample_use_read_timeout.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Changes
-   * Fix the setting of the read timeout in the DTLS sample programs.
diff --git a/ChangeLog.d/ecdsa-random-leading-zeros.txt b/ChangeLog.d/ecdsa-random-leading-zeros.txt
deleted file mode 100644
index cbc674b..0000000
--- a/ChangeLog.d/ecdsa-random-leading-zeros.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
-* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
-  An adversary who is capable of very precise timing measurements could
-  learn partial information about the leading bits of the nonce used for the
-  signature, allowing the recovery of the private key after observing a
-  large number of signature operations. This completes a partial fix in
-  Mbed TLS 2.20.0.
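Review bot: The bullet in this fragment starts at column 0 ("* Fix a potential side channel ...") with two-space continuation lines, not the "   * " layout the other fragments use, and that layout is carried unchanged into the Security section of the aggregated ChangeLog. Since the fragment is deleted here, fix the indentation in ChangeLog itself. For a side channel that allows private key recovery, it would also help readers if the entry carried an issue or advisory reference like the other Security entries with credits; none is visible in this fragment.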
diff --git a/ChangeLog.d/ecp-window-size.txt b/ChangeLog.d/ecp-window-size.txt
deleted file mode 100644
index 909d4e8..0000000
--- a/ChangeLog.d/ecp-window-size.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-   * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
-     during ECC operations at a negligible performance cost.
diff --git a/ChangeLog.d/ecp_max_bits.txt b/ChangeLog.d/ecp_max_bits.txt
deleted file mode 100644
index 834deda..0000000
--- a/ChangeLog.d/ecp_max_bits.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Security
-   * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
-     too small, leading to buffer overflows in ECC operations. Fail the build
-     in such a case.
-
-Features
-   * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
-     curves and no longer needs to be configured explicitly to save RAM.
diff --git a/ChangeLog.d/ensure_hash_len_is_valid.txt b/ChangeLog.d/ensure_hash_len_is_valid.txt
deleted file mode 100644
index d3e2930..0000000
--- a/ChangeLog.d/ensure_hash_len_is_valid.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
-     restartable variants now always honor the specified hash length if
-     nonzero. Before, for RSA, hash_len was ignored in favor of the length of
-     the specified hash algorithm.
diff --git a/ChangeLog.d/fix-invalid-id-error-code.txt b/ChangeLog.d/fix-invalid-id-error-code.txt
deleted file mode 100644
index 069a767..0000000
--- a/ChangeLog.d/fix-invalid-id-error-code.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
-     than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
-     to create is not valid, bringing them in line with version 1.0.0 of the
-     specification. Fix #4271.
diff --git a/ChangeLog.d/fix-mingw-build.txt b/ChangeLog.d/fix-mingw-build.txt
deleted file mode 100644
index 383b1c7..0000000
--- a/ChangeLog.d/fix-mingw-build.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
-   * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
-     When that flag is on, standard GNU C printf format specifiers
-     should be used.
-
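Review bot: The macro name "__USE_MING_ANSI_STDIO" in the first bullet line looks like a typo for "__USE_MINGW_ANSI_STDIO", the name MinGW uses. This fragment is deleted and its text is copied unchanged into ChangeLog, so correct the name there. The entry also starts with a lowercase "fix", and the fragment ends with a stray blank line.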
diff --git a/ChangeLog.d/fix-pk-parse-key-error-code.txt b/ChangeLog.d/fix-pk-parse-key-error-code.txt
deleted file mode 100644
index 3aa330b..0000000
--- a/ChangeLog.d/fix-pk-parse-key-error-code.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
-   * Fix an incorrect error code when parsing a PKCS#8 private key.
diff --git a/ChangeLog.d/fix-printf-specifiers.txt b/ChangeLog.d/fix-printf-specifiers.txt
deleted file mode 100644
index 4867721..0000000
--- a/ChangeLog.d/fix-printf-specifiers.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Bugfix
-   * Add printf function attributes to mbedtls_debug_print_msg to ensure we
-     get printf format specifier warnings.
-Changes
-   * Add extra printf compiler warning flags to builds.
-Requirement changes
-   * The library now uses the %zu format specifier with the printf() family of
-     functions, so requires a toolchain that supports it. This change does not
-     affect the maintained LTS branches, so when contributing changes please
-     bear this in mind and do not add them to backported code.
diff --git a/ChangeLog.d/fix-rsa-leak.txt b/ChangeLog.d/fix-rsa-leak.txt
deleted file mode 100644
index b7d3e3e..0000000
--- a/ChangeLog.d/fix-rsa-leak.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
-   * An adversary with access to precise enough information about memory
-     accesses (typically, an untrusted operating system attacking a secure
-     enclave) could recover an RSA private key after observing the victim
-     performing a single private-key operation. Found and reported by
-     Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
diff --git a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt
deleted file mode 100644
index 57ffa02..0000000
--- a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
-     (when the encrypt-then-MAC extension is not in use) with some ALT
-     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
-     the affected side to wrongly reject valid messages. Fixes #4118.
diff --git a/ChangeLog.d/fix_memsan_build_clang11.txt b/ChangeLog.d/fix_memsan_build_clang11.txt
deleted file mode 100644
index 3f5cc05..0000000
--- a/ChangeLog.d/fix_memsan_build_clang11.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Changes
-   * Fix memsan build false positive in x509_crt.c with clang 11
diff --git a/ChangeLog.d/fix_return_type_for_invalid_crypto_key.txt b/ChangeLog.d/fix_return_type_for_invalid_crypto_key.txt
deleted file mode 100644
index dc6996e..0000000
--- a/ChangeLog.d/fix_return_type_for_invalid_crypto_key.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
-     rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
-     in line with version 1.0.0 of the specification. Fix #4162.
diff --git a/ChangeLog.d/fix_tls_alert_codes.txt b/ChangeLog.d/fix_tls_alert_codes.txt
deleted file mode 100644
index 10235d7..0000000
--- a/ChangeLog.d/fix_tls_alert_codes.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix which alert is sent in some cases to conform to the
-     applicable RFC: on an invalid Finished message value, an
-     invalid max_fragment_length extension, or an
-     unsupported extension used by the server.
diff --git a/ChangeLog.d/host_test-int32.txt b/ChangeLog.d/host_test-int32.txt
deleted file mode 100644
index 60ef8e9..0000000
--- a/ChangeLog.d/host_test-int32.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix test suite code on platforms where int32_t is not int, such as
-     Arm Cortex-M. Fixes #4530.
diff --git a/ChangeLog.d/implicit_key_usage_policy.txt b/ChangeLog.d/implicit_key_usage_policy.txt
deleted file mode 100644
index ee33ecb..0000000
--- a/ChangeLog.d/implicit_key_usage_policy.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
-   * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
-     PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
-     when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
-     is also applied when loading a key from storage.
diff --git a/ChangeLog.d/issue1792.txt b/ChangeLog.d/issue1792.txt
deleted file mode 100644
index 9949bf4..0000000
--- a/ChangeLog.d/issue1792.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
-     zero. Fixes #1792
diff --git a/ChangeLog.d/issue4176.txt b/ChangeLog.d/issue4176.txt
deleted file mode 100644
index ddca37f..0000000
--- a/ChangeLog.d/issue4176.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a resource leak in a test suite with an alternative AES
-     implementation. Fixes #4176.
diff --git a/ChangeLog.d/make-generate-tests-python.txt b/ChangeLog.d/make-generate-tests-python.txt
deleted file mode 100644
index 4b9009d..0000000
--- a/ChangeLog.d/make-generate-tests-python.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-   * When building the test suites with GNU make, invoke python3 or python, not
-     python2, which is no longer supported upstream.
diff --git a/ChangeLog.d/mbed-can-do-timing.txt b/ChangeLog.d/mbed-can-do-timing.txt
deleted file mode 100644
index d83da02..0000000
--- a/ChangeLog.d/mbed-can-do-timing.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Remove outdated check-config.h check that prevented implementing the
-     timing module on Mbed OS. Fixes #4633.
diff --git a/ChangeLog.d/mbedtls_debug_print_mpi.txt b/ChangeLog.d/mbedtls_debug_print_mpi.txt
deleted file mode 100644
index d1b4f5b..0000000
--- a/ChangeLog.d/mbedtls_debug_print_mpi.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
-     could notably be triggered by setting the TLS debug level to 3 or above
-     and using a Montgomery curve for the key exchange. Reported by lhuang04
-     in #4578. Fixes #4608.
diff --git a/ChangeLog.d/mpi_exp_mod-zero.txt b/ChangeLog.d/mpi_exp_mod-zero.txt
deleted file mode 100644
index 9df9031..0000000
--- a/ChangeLog.d/mpi_exp_mod-zero.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
-   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
-     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
-     could not be triggered by code that constructed A with one of the
-     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
-     those always built an mpi object with at least one limb.
-     Credit to OSS-Fuzz. Fixes #4641.
diff --git a/ChangeLog.d/mpi_gcd-0.txt b/ChangeLog.d/mpi_gcd-0.txt
deleted file mode 100644
index 41e11e1..0000000
--- a/ChangeLog.d/mpi_gcd-0.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
-     effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
-     applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
diff --git a/ChangeLog.d/mpi_random.txt b/ChangeLog.d/mpi_random.txt
deleted file mode 100644
index 9e6a416..0000000
--- a/ChangeLog.d/mpi_random.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * The new function mbedtls_mpi_random() generates a random value in a
-     given range uniformly.
diff --git a/ChangeLog.d/mpi_read_negative_zero.txt b/ChangeLog.d/mpi_read_negative_zero.txt
deleted file mode 100644
index 3285769..0000000
--- a/ChangeLog.d/mpi_read_negative_zero.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
-   * Fix some cases in the bignum module where the library constructed an
-     unintended representation of the value 0 which was not processed
-     correctly by some bignum operations. This could happen when
-     mbedtls_mpi_read_string() was called on "-0", or when
-     mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
-     the arguments being negative and the other being 0. Fixes #4643.
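Review bot: In "mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called", the verb disagrees with the plural subject. Either "or" in place of "and", or "were called", would fix it. The same wording is carried into the aggregated ChangeLog in this patch, so correct it there, since this fragment is being removed.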