Restored changelog entries
This commit restores all changelog entries between the
mbedtls-3.6.0 tag and the mbedtls-4.0.0-beta tag.
git diff ce4683e..09dc57d --name-status -- ChangeLog.d
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
diff --git a/ChangeLog.d/9126.txt b/ChangeLog.d/9126.txt
new file mode 100644
index 0000000..22939df
--- /dev/null
+++ b/ChangeLog.d/9126.txt
@@ -0,0 +1,5 @@
+Default behavior changes
+ * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
+ !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
+ corresponding PSA mechanism is enabled, since the server provides the
+ crypto. Fixes #9126.
diff --git a/ChangeLog.d/9302.txt b/ChangeLog.d/9302.txt
new file mode 100644
index 0000000..d61ba19
--- /dev/null
+++ b/ChangeLog.d/9302.txt
@@ -0,0 +1,6 @@
+Features
+ * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
+ uses static storage for keys, enabling malloc-less use of key slots.
+ The size of each buffer is given by the option
+ MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
+ largest PSA key enabled in the build.
diff --git a/ChangeLog.d/9684.txt b/ChangeLog.d/9684.txt
new file mode 100644
index 0000000..115ded8
--- /dev/null
+++ b/ChangeLog.d/9684.txt
@@ -0,0 +1,2 @@
+Removals
+ * Remove support for the DHE-PSK key exchange in TLS 1.2.
diff --git a/ChangeLog.d/9685.txt b/ChangeLog.d/9685.txt
new file mode 100644
index 0000000..9820aff
--- /dev/null
+++ b/ChangeLog.d/9685.txt
@@ -0,0 +1,2 @@
+Removals
+ * Remove support for the DHE-RSA key exchange in TLS 1.2.
diff --git a/ChangeLog.d/9690.txt b/ChangeLog.d/9690.txt
new file mode 100644
index 0000000..d00eb16
--- /dev/null
+++ b/ChangeLog.d/9690.txt
@@ -0,0 +1,8 @@
+Security
+ * Fix a buffer underrun in mbedtls_pk_write_key_der() when
+ called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
+ and the output buffer is smaller than the actual output.
+ Fix a related buffer underrun in mbedtls_pk_write_key_pem()
+ when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
+ and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
+ CVE-2024-49195
diff --git a/ChangeLog.d/9874.txt b/ChangeLog.d/9874.txt
new file mode 100644
index 0000000..a4d2e03
--- /dev/null
+++ b/ChangeLog.d/9874.txt
@@ -0,0 +1,5 @@
+API changes
+ * Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API.
+ Instead of taking a mbedtls_cipher_type_t as an argument, this function
+ now takes 3 new arguments: a PSA algorithm, key type and key size, to
+ specify the AEAD for ticket protection.
diff --git a/ChangeLog.d/9892.txt b/ChangeLog.d/9892.txt
new file mode 100644
index 0000000..01d21b6
--- /dev/null
+++ b/ChangeLog.d/9892.txt
@@ -0,0 +1,4 @@
+Removals
+ * Remove deprecated mbedtls_x509write_crt_set_serial(). The function was
+ already deprecated and superseeded by
+ mbedtls_x509write_crt_set_serial_raw().
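Review bot: "superseeded" in the second line of this entry is misspelled and should read "superseded". "The function was already deprecated" also repeats what "Remove deprecated" in the first line already says, so the entry can shrink to one sentence naming mbedtls_x509write_crt_set_serial_raw() as the replacement.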
diff --git a/ChangeLog.d/9956.txt b/ChangeLog.d/9956.txt
new file mode 100644
index 0000000..cea4af1
--- /dev/null
+++ b/ChangeLog.d/9956.txt
@@ -0,0 +1,6 @@
+Removals
+ * Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the
+ following SSL functions are removed:
+ - mbedtls_ssl_conf_dh_param_bin
+ - mbedtls_ssl_conf_dh_param_ctx
+ - mbedtls_ssl_conf_dhm_min_bitlen
diff --git a/ChangeLog.d/9964.txt b/ChangeLog.d/9964.txt
new file mode 100644
index 0000000..ca0cc4b
--- /dev/null
+++ b/ChangeLog.d/9964.txt
@@ -0,0 +1,25 @@
+Removals
+ * Removal of the following sample programs:
+ pkey/rsa_genkey.c
+ pkey/pk_decrypt.c
+ pkey/dh_genprime.c
+ pkey/rsa_verify.c
+ pkey/mpi_demo.c
+ pkey/rsa_decrypt.c
+ pkey/key_app.c
+ pkey/dh_server.c
+ pkey/ecdh_curve25519.c
+ pkey/pk_encrypt.c
+ pkey/rsa_sign.c
+ pkey/key_app_writer.c
+ pkey/dh_client.c
+ pkey/ecdsa.c
+ pkey/rsa_encrypt.c
+ wince_main.c
+ aes/crypt_and_hash.c
+ random/gen_random_ctr_drbg.c
+ random/gen_entropy.c
+ hash/md_hmac_demo.c
+ hash/hello.c
+ hash/generic_sum.c
+ cipher/cipher_aead_demo.c
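Review bot: wince_main.c is the only path in this list without a directory prefix, so a reader cannot tell where it lived relative to the other entries; please give it the same kind of path as the rest. The entry also opens with a noun phrase ("Removal of the following sample programs") where the other Removals entries in this patch use the imperative ("Remove ..."), and it gives no reason or pointer to a replacement for users who built on these samples.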
diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
new file mode 100644
index 0000000..079cd74
--- /dev/null
+++ b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
@@ -0,0 +1,4 @@
+Security
+ * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+ not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
diff --git a/ChangeLog.d/add-psa-iop-generate-key.txt b/ChangeLog.d/add-psa-iop-generate-key.txt
new file mode 100644
index 0000000..0f586ee
--- /dev/null
+++ b/ChangeLog.d/add-psa-iop-generate-key.txt
@@ -0,0 +1,3 @@
+Features
+ * Add an interruptible version of generate key to the PSA interface.
+ See psa_generate_key_iop_setup() and related functions.
diff --git a/ChangeLog.d/add-psa-iop-key-agreement.txt b/ChangeLog.d/add-psa-iop-key-agreement.txt
new file mode 100644
index 0000000..92dfde1
--- /dev/null
+++ b/ChangeLog.d/add-psa-iop-key-agreement.txt
@@ -0,0 +1,4 @@
+Features
+ * Add an interruptible version of key agreement to the PSA interface.
+ See psa_key_agreement_iop_setup() and related functions.
+
diff --git a/ChangeLog.d/add-psa-key-agreement.txt b/ChangeLog.d/add-psa-key-agreement.txt
new file mode 100644
index 0000000..771e6e2
--- /dev/null
+++ b/ChangeLog.d/add-psa-key-agreement.txt
@@ -0,0 +1,3 @@
+Features
+ * Add a new psa_key_agreement() PSA API to perform key agreement and return
+ an identifier for the newly created key.
diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt
new file mode 100644
index 0000000..1aea653
--- /dev/null
+++ b/ChangeLog.d/add-tls-exporter.txt
@@ -0,0 +1,6 @@
+Features
+ * Add the function mbedtls_ssl_export_keying_material() which allows the
+ client and server to extract additional shared symmetric keys from an SSL
+ session, according to the TLS-Exporter specification in RFC 8446 and 5705.
+ This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
+ mbedtls_config.h.
diff --git a/ChangeLog.d/asn1-missing-guard-in-rsa.txt b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
new file mode 100644
index 0000000..bb5b470
--- /dev/null
+++ b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled
+ as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
diff --git a/ChangeLog.d/check-config.txt b/ChangeLog.d/check-config.txt
new file mode 100644
index 0000000..8570a11
--- /dev/null
+++ b/ChangeLog.d/check-config.txt
@@ -0,0 +1,9 @@
+Changes
+ * Warn if mbedtls/check_config.h is included manually, as this can
+ lead to spurious errors. Error if a *adjust*.h header is included
+ manually, as this can lead to silently inconsistent configurations,
+ potentially resulting in buffer overflows.
+ When migrating from Mbed TLS 2.x, if you had a custom config.h that
+ included check_config.h, remove this inclusion from the Mbed TLS 3.x
+ configuration file (renamed to mbedtls_config.h). This change was made
+ in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
diff --git a/ChangeLog.d/configuration-split.txt b/ChangeLog.d/configuration-split.txt
new file mode 100644
index 0000000..f4d9bc6
--- /dev/null
+++ b/ChangeLog.d/configuration-split.txt
@@ -0,0 +1,16 @@
+Changes
+ * Cryptography and platform configuration options have been migrated
+ from the Mbed TLS library configuration file mbedtls_config.h to
+ crypto_config.h that will become the TF-PSA-Crypto configuration file,
+ see config-split.md for more information. The reference and test custom
+ configuration files respectively in configs/ and tests/configs/ have
+ been updated accordingly.
+ To migrate custom Mbed TLS configurations where
+ MBEDTLS_PSA_CRYPTO_CONFIG is disabled, you should first adapt them
+ to the PSA configuration scheme based on PSA_WANT_XXX symbols
+ (see psa-conditional-inclusion-c.md for more information).
+ To migrate custom Mbed TLS configurations where
+ MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you should migrate the
+ cryptographic and platform configuration options from mbedtls_config.h
+ to crypto_config.h (see config-split.md for more information and configs/
+ for examples).
diff --git a/ChangeLog.d/dynamic-keystore.txt b/ChangeLog.d/dynamic-keystore.txt
new file mode 100644
index 0000000..c6aac3c
--- /dev/null
+++ b/ChangeLog.d/dynamic-keystore.txt
@@ -0,0 +1,10 @@
+Features
+ * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
+ the number of volatile PSA keys is virtually unlimited, at the expense
+ of increased code size. This option is off by default, but enabled in
+ the default mbedtls_config.h. Fixes #9216.
+
+Bugfix
+ * Fix interference between PSA volatile keys and built-in keys
+ when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and
+ MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096.
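Review bot: in the Features entry, "This option is off by default, but enabled in the default mbedtls_config.h" reads as a contradiction. Please state what "off by default" refers to, so that an integrator can tell whether a build with the stock configuration has MBEDTLS_PSA_KEY_STORE_DYNAMIC enabled and pays the code-size cost the entry mentions.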
diff --git a/ChangeLog.d/ecdsa-conversion-overflow.txt b/ChangeLog.d/ecdsa-conversion-overflow.txt
new file mode 100644
index 0000000..83b7f2f
--- /dev/null
+++ b/ChangeLog.d/ecdsa-conversion-overflow.txt
@@ -0,0 +1,6 @@
+Security
+ * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
+ mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
+ largest supported curve. In some configurations with PSA disabled,
+ all values of bits are affected. This never happens in internal library
+ calls, but can affect applications that call these functions directly.
diff --git a/ChangeLog.d/error-unification.txt b/ChangeLog.d/error-unification.txt
new file mode 100644
index 0000000..bcf5ba1
--- /dev/null
+++ b/ChangeLog.d/error-unification.txt
@@ -0,0 +1,11 @@
+API changes
+ * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx()
+ functions can now return PSA_ERROR_xxx values.
+ There is no longer a distinction between "low-level" and "high-level"
+ Mbed TLS error codes.
+ This will not affect most applications since the error values are
+ between -32767 and -1 as before.
+
+Removals
+ * Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr(),
+ since these concepts no longer exists. There is just mbedtls_strerror().
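Review bot: the Removals entry names mbedtls_low_level_sterr(), which looks like a typo for mbedtls_low_level_strerr() given the mbedtls_high_level_strerr() next to it; please check it against the removed declaration, since users will search for the exact name. In the same sentence, "these concepts no longer exists" should be "no longer exist".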
diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt
new file mode 100644
index 0000000..538f0c5
--- /dev/null
+++ b/ChangeLog.d/fix-aesni-asm-clobbers.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix missing constraints on the AES-NI inline assembly which is used on
+ GCC-like compilers when building AES for generic x86_64 targets. This
+ may have resulted in incorrect code with some compilers, depending on
+ optimizations. Fixes #9819.
diff --git a/ChangeLog.d/fix-clang-psa-build-without-dhm.txt b/ChangeLog.d/fix-clang-psa-build-without-dhm.txt
new file mode 100644
index 0000000..7ae1c68
--- /dev/null
+++ b/ChangeLog.d/fix-clang-psa-build-without-dhm.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled
+ but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
diff --git a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
new file mode 100644
index 0000000..11e7d25
--- /dev/null
+++ b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix compilation error when memcpy() is a function-like macros. Fixes #8994.
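Review bot: "a function-like macros" mixes singular and plural; it should be "a function-like macro".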
diff --git a/ChangeLog.d/fix-compilation-with-djgpp.txt b/ChangeLog.d/fix-compilation-with-djgpp.txt
new file mode 100644
index 0000000..5b79fb6
--- /dev/null
+++ b/ChangeLog.d/fix-compilation-with-djgpp.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix compilation on MS-DOS DJGPP. Fixes #9813.
diff --git a/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt b/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt
new file mode 100644
index 0000000..8a406a1
--- /dev/null
+++ b/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix rare concurrent access bug where attempting to operate on a
+ non-existent key while concurrently creating a new key could potentially
+ corrupt the key store.
diff --git a/ChangeLog.d/fix-driver-schema-check.txt b/ChangeLog.d/fix-driver-schema-check.txt
new file mode 100644
index 0000000..9b6d8ac
--- /dev/null
+++ b/ChangeLog.d/fix-driver-schema-check.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix invalid JSON schemas for driver descriptions used by
+ generate_driver_wrappers.py.
diff --git a/ChangeLog.d/fix-legacy-compression-issue.txt b/ChangeLog.d/fix-legacy-compression-issue.txt
new file mode 100644
index 0000000..2549af8
--- /dev/null
+++ b/ChangeLog.d/fix-legacy-compression-issue.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * Fixes an issue where some TLS 1.2 clients could not connect to an
+ Mbed TLS 3.6.0 server, due to incorrect handling of
+ legacy_compression_methods in the ClientHello.
+ fixes #8995, #9243.
+
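Review bot: the issue reference on the fourth line starts with a lowercase "fixes", where the other entries in this patch write "Fixes #...". The entry also opens with "Fixes an issue" rather than the imperative "Fix" used elsewhere, and the file ends with an empty added line that can be dropped.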
diff --git a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
new file mode 100644
index 0000000..eefda61
--- /dev/null
+++ b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
+ occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
+ with Visual Studio 2013 or MinGW.
+ Fixes #10017.
diff --git a/ChangeLog.d/fix-psa-cmac.txt b/ChangeLog.d/fix-psa-cmac.txt
new file mode 100644
index 0000000..e3c8aec
--- /dev/null
+++ b/ChangeLog.d/fix-psa-cmac.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
+ CMAC is enabled, but no built-in unauthenticated cipher is enabled.
+ Fixes #9209.
diff --git a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
new file mode 100644
index 0000000..b5c2650
--- /dev/null
+++ b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix issue of redefinition warning messages for _GNU_SOURCE in
+ entropy_poll.c and sha_256.c. There was a build warning during
+ building for linux platform.
+ Resolves #9026
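Review bot: the second sentence ("There was a build warning during building for linux platform") restates the first and can be folded into it, for example "Fix redefinition warnings for _GNU_SOURCE in ... when building for Linux". Please also confirm the file name sha_256.c against the tree, and end "Resolves #9026" with a period as the other entries do.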
diff --git a/ChangeLog.d/fix-rsa-performance-regression.txt b/ChangeLog.d/fix-rsa-performance-regression.txt
new file mode 100644
index 0000000..603612a
--- /dev/null
+++ b/ChangeLog.d/fix-rsa-performance-regression.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix unintended performance regression when using short RSA public keys.
+ Fixes #9232.
diff --git a/ChangeLog.d/fix-secure-element-key-creation.txt b/ChangeLog.d/fix-secure-element-key-creation.txt
new file mode 100644
index 0000000..23a46c0
--- /dev/null
+++ b/ChangeLog.d/fix-secure-element-key-creation.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix error handling when creating a key in a dynamic secure element
+ (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
+ the creation could return PSA_SUCCESS but using or destroying the key
+ would not work. Fixes #8537.
diff --git a/ChangeLog.d/fix-server-mode-only-build.txt b/ChangeLog.d/fix-server-mode-only-build.txt
new file mode 100644
index 0000000..d1d8341
--- /dev/null
+++ b/ChangeLog.d/fix-server-mode-only-build.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
+ MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
diff --git a/ChangeLog.d/fix-string-to-names-memory-management.txt b/ChangeLog.d/fix-string-to-names-memory-management.txt
new file mode 100644
index 0000000..87bc596
--- /dev/null
+++ b/ChangeLog.d/fix-string-to-names-memory-management.txt
@@ -0,0 +1,18 @@
+Security
+ * Fix possible use-after-free or double-free in code calling
+ mbedtls_x509_string_to_names(). This was caused by the function calling
+ mbedtls_asn1_free_named_data_list() on its head argument, while the
+ documentation did no suggest it did, making it likely for callers relying
+ on the documented behaviour to still hold pointers to memory blocks after
+ they were free()d, resulting in high risk of use-after-free or double-free,
+ with consequences ranging up to arbitrary code execution.
+ In particular, the two sample programs x509/cert_write and x509/cert_req
+ were affected (use-after-free if the san string contains more than one DN).
+ Code that does not call mbedtls_string_to_names() directly is not affected.
+ Found by Linh Le and Ngan Nguyen from Calif.
+
+Changes
+ * The function mbedtls_x509_string_to_names() now requires its head argument
+ to point to NULL on entry. This makes it likely that existing risky uses of
+ this function (see the entry in the Security section) will be detected and
+ fixed.
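Review bot: the Security entry says "Code that does not call mbedtls_string_to_names() directly is not affected", but every other mention in this file is mbedtls_x509_string_to_names(). Users will search their code for the name given in that sentence to decide whether they are affected, so it needs the x509_ prefix. In the same entry, "the documentation did no suggest it did" should read "did not suggest".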
diff --git a/ChangeLog.d/fix-string-to-names-store-named-data.txt b/ChangeLog.d/fix-string-to-names-store-named-data.txt
new file mode 100644
index 0000000..e517cbb
--- /dev/null
+++ b/ChangeLog.d/fix-string-to-names-store-named-data.txt
@@ -0,0 +1,8 @@
+Security
+ * Fix a bug in mbedtls_x509_string_to_names() and the
+ mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions,
+ where some inputs would cause an inconsistent state to be reached, causing
+ a NULL dereference either in the function itself, or in subsequent
+ users of the output structure, such as mbedtls_x509_write_names(). This
+ only affects applications that create (as opposed to consume) X.509
+ certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif.
diff --git a/ChangeLog.d/fix-test-suite-pk-warnings.txt b/ChangeLog.d/fix-test-suite-pk-warnings.txt
new file mode 100644
index 0000000..2604219
--- /dev/null
+++ b/ChangeLog.d/fix-test-suite-pk-warnings.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled.
+ Fixes #9029.
diff --git a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt
new file mode 100644
index 0000000..b81fb42
--- /dev/null
+++ b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt
@@ -0,0 +1,11 @@
+Security
+ * With TLS 1.3, when a server enables optional authentication of the
+ client, if the client-provided certificate does not have appropriate values
+ in keyUsage or extKeyUsage extensions, then the return value of
+ mbedtls_ssl_get_verify_result() would incorrectly have the
+ MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits
+ clear. As a result, an attacker that had a certificate valid for uses other
+ than TLS client authentication could be able to use it for TLS client
+ authentication anyway. Only TLS 1.3 servers were affected, and only with
+ optional authentication (required would abort the handshake with a fatal
+ alert).
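Review bot: this Security entry describes the faulty behaviour ("would incorrectly have the ... bits clear") but never says that it is fixed or what mbedtls_ssl_get_verify_result() returns now. Suggest opening with "Fix ..." and stating that the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits are now set in this case, so that servers using optional authentication know the check they already perform becomes effective.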
diff --git a/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt b/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt
new file mode 100644
index 0000000..e4726a4
--- /dev/null
+++ b/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behaviour (incrementing a NULL pointer by zero length) when
+ passing in zero length additional data to multipart AEAD.
diff --git a/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt b/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt
new file mode 100644
index 0000000..69c00e1
--- /dev/null
+++ b/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt
@@ -0,0 +1,3 @@
+Changes
+ * Improve performance of PSA key generation with ECC keys: it no longer
+ computes the public key (which was immediately discarded). Fixes #9732.
diff --git a/ChangeLog.d/mbedtls_psa_register_se_key.txt b/ChangeLog.d/mbedtls_psa_register_se_key.txt
new file mode 100644
index 0000000..2fc2751
--- /dev/null
+++ b/ChangeLog.d/mbedtls_psa_register_se_key.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Document and enforce the limitation of mbedtls_psa_register_se_key()
+ to persistent keys. Resolves #9253.
diff --git a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
new file mode 100644
index 0000000..dba25af
--- /dev/null
+++ b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix a memory leak that could occur when failing to process an RSA
+ key through some PSA functions due to low memory conditions.
diff --git a/ChangeLog.d/mbedtls_ssl_set_hostname.txt b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
new file mode 100644
index 0000000..250a5ba
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
@@ -0,0 +1,16 @@
+Default behavior changes
+ * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
+ mbedtls_ssl_handshake() now fails with
+ MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ if certificate-based authentication of the server is attempted.
+ This is because authenticating a server without knowing what name
+ to expect is usually insecure.
+
+Security
+ * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
+ if they use certificate authentication (i.e. not pre-shared keys).
+ Otherwise, in many scenarios, the server could be impersonated.
+ The library will now prevent the handshake and return
+ MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ if mbedtls_ssl_set_hostname() has not been called.
+ Reported by Daniel Stenberg.
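Review bot: both paragraphs say the handshake now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, but neither says what a client should do when it deliberately has no server name to check. Since this is a default behavior change that breaks existing callers, please add a sentence pointing to the supported way to handle that case, or to the documentation of mbedtls_ssl_set_hostname(). The Security paragraph could then drop the repeated description of the new error and keep only the advice and the credit.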
diff --git a/ChangeLog.d/oid.txt b/ChangeLog.d/oid.txt
new file mode 100644
index 0000000..53828d8
--- /dev/null
+++ b/ChangeLog.d/oid.txt
@@ -0,0 +1,8 @@
+Removals
+ * The library no longer offers interfaces to look up values by OID
+ or OID by enum values.
+ The header <mbedtls/oid.h> now only defines functions to convert
+ between binary and dotted string OID representations, and macros
+ for OID strings that are relevant to X.509.
+ The compilation option MBEDTLS_OID_C no longer
+ exists. OID tables are included in the build automatically as needed.
diff --git a/ChangeLog.d/pk-norsa-warning.txt b/ChangeLog.d/pk-norsa-warning.txt
new file mode 100644
index 0000000..d00aa8a
--- /dev/null
+++ b/ChangeLog.d/pk-norsa-warning.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
diff --git a/ChangeLog.d/psa-always-on.txt b/ChangeLog.d/psa-always-on.txt
new file mode 100644
index 0000000..45f4d9b
--- /dev/null
+++ b/ChangeLog.d/psa-always-on.txt
@@ -0,0 +1,10 @@
+Default behavior changes
+ * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem
+ to perform cryptographic operations, with a few exceptions documented
+ in docs/architecture/psa-migration/psa-limitations.md. This
+ corresponds to the behavior of Mbed TLS 3.x when
+ MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO
+ is now always enabled.
+ * psa_crypto_init() must be called before performing any cryptographic
+ operation, including indirect requests such as parsing a key or
+ certificate or starting a TLS handshake.
diff --git a/ChangeLog.d/psa-crypto-config-always-on.txt b/ChangeLog.d/psa-crypto-config-always-on.txt
new file mode 100644
index 0000000..d255f8c
--- /dev/null
+++ b/ChangeLog.d/psa-crypto-config-always-on.txt
@@ -0,0 +1,7 @@
+Default behavior changes
+ * The `PSA_WANT_XXX` symbols as defined in
+ tf-psa-crypto/include/psa/crypto_config.h are now always used in the
+ configuration of the cryptographic mechanisms exposed by the PSA API.
+ This corresponds to the configuration behavior of Mbed TLS 3.x when
+ MBEDTLS_PSA_CRYPTO_CONFIG is enabled. In effect, MBEDTLS_PSA_CRYPTO_CONFIG
+ is now always enabled and the configuration option has been removed.
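Review bot: `PSA_WANT_XXX` on the first line is wrapped in backticks, while configuration-split.txt in this same patch writes PSA_WANT_XXX without them and no other entry uses markup. Please drop the backticks so the assembled ChangeLog is consistent.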
diff --git a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt
new file mode 100644
index 0000000..39e03b9
--- /dev/null
+++ b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes
+ long. Credit to Cryptofuzz. Fixes #9314.
diff --git a/ChangeLog.d/psa_generate_key_custom.txt b/ChangeLog.d/psa_generate_key_custom.txt
new file mode 100644
index 0000000..3fc1bd7
--- /dev/null
+++ b/ChangeLog.d/psa_generate_key_custom.txt
@@ -0,0 +1,9 @@
+API changes
+ * The experimental functions psa_generate_key_ext() and
+ psa_key_derivation_output_key_ext() have been replaced by
+ psa_generate_key_custom() and psa_key_derivation_output_key_custom().
+ They have almost exactly the same interface, but the variable-length
+ data is passed in a separate parameter instead of a flexible array
+ member. This resolves a build failure under C++ compilers that do not
+ support flexible array members (a C99 feature not adopted by C++).
+ Fixes #9020.
diff --git a/ChangeLog.d/psa_util-bits-0.txt b/ChangeLog.d/psa_util-bits-0.txt
new file mode 100644
index 0000000..9aa70ad
--- /dev/null
+++ b/ChangeLog.d/psa_util-bits-0.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
+ mbedtls_psa_der_to_raw() is called with bits=0.
diff --git a/ChangeLog.d/psa_util_in_builds_without_psa.txt b/ChangeLog.d/psa_util_in_builds_without_psa.txt
new file mode 100644
index 0000000..7c0866d
--- /dev/null
+++ b/ChangeLog.d/psa_util_in_builds_without_psa.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled,
+ some code was defining 0-size arrays, resulting in compilation errors.
+ Fixed by disabling the offending code in configurations without PSA
+ Crypto, where it never worked. Fixes #9311.
diff --git a/ChangeLog.d/removal-of-rng.txt b/ChangeLog.d/removal-of-rng.txt
new file mode 100644
index 0000000..a8a19f4
--- /dev/null
+++ b/ChangeLog.d/removal-of-rng.txt
@@ -0,0 +1,5 @@
+API changes
+ * All API functions now use the PSA random generator psa_get_random()
+ internally. As a consequence, functions no longer take RNG parameters.
+ Please refer to the migration guide at :
+ tf-psa-crypto/docs/4.0-migration-guide.md.
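Review bot: "Please refer to the migration guide at :" has a stray space before the colon. The entry would also be more useful if it kept the reference on one line, e.g. "See the migration guide in tf-psa-crypto/docs/4.0-migration-guide.md."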
diff --git a/ChangeLog.d/remove-compat-2.x.txt b/ChangeLog.d/remove-compat-2.x.txt
new file mode 100644
index 0000000..37f012c
--- /dev/null
+++ b/ChangeLog.d/remove-compat-2.x.txt
@@ -0,0 +1,2 @@
+Removals
+ * Remove compat-2-x.h header from mbedtls.
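Review bot: the entry names the header compat-2-x.h, while this file is called remove-compat-2.x.txt; please check which spelling matches the removed header, since users will search for the exact file name. "from mbedtls" should also be "from Mbed TLS", the form used in the other entries.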
diff --git a/ChangeLog.d/remove-crypto-alt-interface.txt b/ChangeLog.d/remove-crypto-alt-interface.txt
new file mode 100644
index 0000000..f9ab4c2
--- /dev/null
+++ b/ChangeLog.d/remove-crypto-alt-interface.txt
@@ -0,0 +1,5 @@
+Removals
+ * Drop support for crypto alt interface. Removes MBEDTLS_XXX_ALT options
+ at the module and function level for crypto mechanisms only. The remaining
+ alt interfaces for platform, threading and timing are unchanged.
+ Fixes #8149.
diff --git a/ChangeLog.d/remove-via-padlock-support.txt b/ChangeLog.d/remove-via-padlock-support.txt
new file mode 100644
index 0000000..a3f4b96
--- /dev/null
+++ b/ChangeLog.d/remove-via-padlock-support.txt
@@ -0,0 +1,3 @@
+Removals
+ * Drop support for VIA Padlock. Removes MBEDTLS_PADLOCK_C.
+ Fixes #5903.
diff --git a/ChangeLog.d/remove_RSA_key_exchange.txt b/ChangeLog.d/remove_RSA_key_exchange.txt
new file mode 100644
index 0000000..f9baaf1
--- /dev/null
+++ b/ChangeLog.d/remove_RSA_key_exchange.txt
@@ -0,0 +1,2 @@
+Removals
+ * Remove support for the RSA key exchange in TLS 1.2.
diff --git a/ChangeLog.d/replace-close-with-mbedtls_net_close.txt b/ChangeLog.d/replace-close-with-mbedtls_net_close.txt
new file mode 100644
index 0000000..213cf55
--- /dev/null
+++ b/ChangeLog.d/replace-close-with-mbedtls_net_close.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
+ and 'mbedtls_net_connect' to prevent possible double close fd
+ problems. Fixes #9711.
diff --git a/ChangeLog.d/repo-split.txt b/ChangeLog.d/repo-split.txt
new file mode 100644
index 0000000..f03b5ed
--- /dev/null
+++ b/ChangeLog.d/repo-split.txt
@@ -0,0 +1,5 @@
+Changes
+ * Move the crypto part of the library (content of tf-psa-crypto directory)
+ from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and
+ tests development will now occur in TF-PSA-Crypto, which Mbed TLS
+ references as a Git submodule.
diff --git a/ChangeLog.d/rm-ssl-conf-curves.txt b/ChangeLog.d/rm-ssl-conf-curves.txt
new file mode 100644
index 0000000..4b29adc
--- /dev/null
+++ b/ChangeLog.d/rm-ssl-conf-curves.txt
@@ -0,0 +1,4 @@
+Removals
+ * Remove the function mbedtls_ssl_conf_curves() which had been deprecated
+ in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1.
+
diff --git a/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt b/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt
new file mode 100644
index 0000000..938e9ec
--- /dev/null
+++ b/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt
@@ -0,0 +1,4 @@
+Changes
+ * Functions regarding numeric string conversions for OIDs have been moved
+ from the OID module and now reside in X.509 module. This helps to reduce
+ the code size as these functions are not commonly used outside of X.509.
diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt
new file mode 100644
index 0000000..6bab02a
--- /dev/null
+++ b/ChangeLog.d/tls-hs-defrag-in.txt
@@ -0,0 +1,7 @@
+Bugfix
+ * Support re-assembly of fragmented handshake messages in TLS (both
+ 1.2 and 1.3). The lack of support was causing handshake failures with
+ some servers, especially with TLS 1.3 in practice. There are a few
+ limitations, notably a fragmented ClientHello is only supported when
+ TLS 1.3 support is enabled. See the documentation of
+ mbedtls_ssl_handshake() for details.
diff --git a/ChangeLog.d/tls-key-exchange-rsa.txt b/ChangeLog.d/tls-key-exchange-rsa.txt
new file mode 100644
index 0000000..4df6b3e
--- /dev/null
+++ b/ChangeLog.d/tls-key-exchange-rsa.txt
@@ -0,0 +1,2 @@
+Removals
+ * Remove support for the RSA-PSK key exchange in TLS 1.2.
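Review bot: this file is named tls-key-exchange-rsa.txt but its entry is about RSA-PSK, while the plain RSA key exchange removal lives in remove_RSA_key_exchange.txt. Please rename this file to reflect RSA-PSK. Together with 9684.txt (DHE-PSK) and 9685.txt (DHE-RSA), this gives four one-line Removals bullets for TLS 1.2 key exchanges, which could be merged into a single entry listing all four.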
diff --git a/ChangeLog.d/tls12-check-finished-calc.txt b/ChangeLog.d/tls12-check-finished-calc.txt
new file mode 100644
index 0000000..cd52d32
--- /dev/null
+++ b/ChangeLog.d/tls12-check-finished-calc.txt
@@ -0,0 +1,6 @@
+Security
+ * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
+ or there was a cryptographic hardware failure when calculating the
+ Finished message, it could be calculated incorrectly. This would break
+ the security guarantees of the TLS handshake.
+ CVE-2025-27810
diff --git a/ChangeLog.d/tls13-cert-regressions.txt b/ChangeLog.d/tls13-cert-regressions.txt
new file mode 100644
index 0000000..8dd8a32
--- /dev/null
+++ b/ChangeLog.d/tls13-cert-regressions.txt
@@ -0,0 +1,18 @@
+Bugfix
+ * Fixed a regression introduced in 3.6.0 where the CA callback set with
+ mbedtls_ssl_conf_ca_cb() would stop working when connections were
+ upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS
+ 1.3.
+ * Fixed a regression introduced in 3.6.0 where clients that relied on
+ optional/none authentication mode, by calling mbedtls_ssl_conf_authmode()
+ with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop
+ working when connections were upgraded to TLS 1.3. Fixed by adding
+ support for optional/none with TLS 1.3 as well. Note that the TLS 1.3
+ standard makes server authentication mandatory; users are advised not to
+ use authmode none, and to carefully check the results when using optional
+ mode.
+ * Fixed a regression introduced in 3.6.0 where context-specific certificate
+ verify callbacks, set with mbedtls_ssl_set_verify() as opposed to
+ mbedtls_ssl_conf_verify(), would stop working when connections were
+ upgraded to TLS 1.3. Fixed by adding support for context-specific verify
+ callback in TLS 1.3.
diff --git a/ChangeLog.d/tls13-middlebox-compat-disabled.txt b/ChangeLog.d/tls13-middlebox-compat-disabled.txt
new file mode 100644
index 0000000..f5331bc
--- /dev/null
+++ b/ChangeLog.d/tls13-middlebox-compat-disabled.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
+ peers that have middlebox compatibility enabled, as long as no
+ problematic middlebox is in the way. Fixes #9551.
diff --git a/ChangeLog.d/tls13-without-tickets.txt b/ChangeLog.d/tls13-without-tickets.txt
new file mode 100644
index 0000000..8ceef21
--- /dev/null
+++ b/ChangeLog.d/tls13-without-tickets.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix TLS 1.3 client build and runtime when support for session tickets is
+ disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
diff --git a/ChangeLog.d/unterminated-string-initialization.txt b/ChangeLog.d/unterminated-string-initialization.txt
new file mode 100644
index 0000000..75a72ca
--- /dev/null
+++ b/ChangeLog.d/unterminated-string-initialization.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Silence spurious -Wunterminated-string-initialization warnings introduced
+ by GCC 15. Fixes #9944.