Assemble ChangeLog

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 5cadd2b..4d4bbdb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,115 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS 3.6.4 branch released 2025-06-30
+
+Features
+   * Add the function mbedtls_ssl_export_keying_material() which allows the
+     client and server to extract additional shared symmetric keys from an SSL
+     session, according to the TLS-Exporter specification in RFC 8446 and 5705.
+     This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
+     mbedtls_config.h.
+
+Security
+   * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
+     less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-49601
+   * Fix a vulnerability in LMS verification through which an adversary could
+     get an invalid signature accepted if they could cause a hash accelerator
+     to fail. Found and reported by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-49600
+   * On x86/amd64 platforms, with some compilers, when the library is
+     compiled with support for both AESNI and software AES and AESNI is
+     available in hardware, an adversary with fine control over which
+     threads make progress in a multithreaded program could force software
+     AES to be used for some time when the program starts. This could allow
+     the adversary to conduct timing attacks and potentially recover the
+     key. In particular, this attacker model may be possible against an SGX
+     enclave.
+     The same vulnerability affects GCM acceleration, which could allow
+     a similarly powerful adversary to craft GCM forgeries.
+     CVE-2025-52496
+   * Fix possible use-after-free or double-free in code calling
+     mbedtls_x509_string_to_names(). This was caused by the function calling
+     mbedtls_asn1_free_named_data_list() on its head argument, while the
+     documentation did no suggest it did, making it likely for callers relying
+     on the documented behaviour to still hold pointers to memory blocks after
+     they were free()d, resulting in high risk of use-after-free or double-free,
+     with consequences ranging up to arbitrary code execution.
+     In particular, the two sample programs x509/cert_write and x509/cert_req
+     were affected (use-after-free if the san string contains more than one DN).
+     Code that does not call mbedtls_string_to_names() directly is not affected.
+     Found by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-47917
+   * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
+     an item in the output list in an inconsistent state with val.p == NULL but
+     val.len > 0. This impacts applications that call this function directly,
+     or indirectly via mbedtls_x509_string_to_names() or one of the
+     mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
+     inconsistent state of the output could then cause a NULL dereference either
+     inside the same call to mbedtls_x509_string_to_names(), or in subsequent
+     users of the output structure, such as mbedtls_x509_write_names(). This
+     only affects applications that create (as opposed to consume) X.509
+     certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data()
+     directly. Found by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-48965
+   * Fix an integer underflow that could occur when parsing malformed PEM
+     keys, which could be used by an attacker capable of feeding encrypted
+     PEM keys to a user. This could cause a crash or information disclosure.
+     Found and reported by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-52497
+   * Fix a timing side channel in the implementation of PKCS#7 padding
+     which would allow an attacker who can request decryption of arbitrary
+     ciphertexts to recover the plaintext through a timing oracle attack.
+     Reported by Ka Lok Wu from Stony Brook University and Doria Tang from
+     The Chinese University of Hong Kong.
+     CVE-2025-49087
+
+Bugfix
+   * Fix failures of PSA multipart or interruptible operations when the
+     library or the application is built with a compiler where
+     "union foo x = {0}" does not initialize non-default members of the
+     union, such as GCC 15 and some versions of Clang 18. This affected MAC
+     multipart operations, MAC-based key derivation operations, interruptible
+     signature, interruptible verification, and potentially other operations
+     when using third-party drivers. This also affected one-shot MAC
+     operations using the built-in implementation. Fixes #9814.
+   * On entry to PSA driver entry points that set up a multipart operation
+     ("xxx_setup"), the operation object is supposed to be all-bits-zero.
+     This was sometimes not the case when an operation object is reused,
+     or with compilers where "union foo x = {0}" does not initialize
+     non-default members of the union. The PSA core now ensures that this
+     guarantee is met in all cases. Fixes #9975.
+   * Resolved build issue with C++ projects using Mbed TLS 3.6 when compiling
+     with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087.
+   * Silence spurious -Wunterminated-string-initialization warnings introduced
+     by GCC 15. Fixes #9944.
+   * Fix a sloppy check in LMS public key import, which could lead to accepting
+     keys with a different LMS or LM-OTS types on some platforms. Specifically,
+     this could happen on platforms where enum types are smaller than 32 bits
+     and compiler optimization is enabled. Found and reported by Linh Le and
+     Ngan Nguyen from Calif.
+   * Fix a race condition on x86/amd64 platforms in AESNI support detection
+     that could lead to using software AES in some threads at the very
+     beginning of a multithreaded program. Reported by Solar Designer.
+     Fixes #9840.
+   * Fix mbedtls_base64_decode() on inputs that did not have the correct
+     number of trailing equal signs, or had 4*k+1 digits. They were accepted
+     as long as they had at most two trailing equal signs. They are now
+     rejected. Furthermore, before, on inputs with too few equal signs, the
+     function reported the correct size in *olen when it returned
+     MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the
+     last multiple of 3 bytes.
+   * When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
+     arguments, undefined behaviour would be triggered, in the form of a call to
+     memcpy(..., NULL, 0). This was harmless in practice, but could trigger
+     complains from sanitizers or static analyzers.
+
+Changes
+   * The function mbedtls_x509_string_to_names() now requires its head argument
+     to point to NULL on entry. This makes it likely that existing risky uses of
+     this function (see the entry in the Security section) will be detected and
+     fixed.
+
 = Mbed TLS 3.6.3 branch released 2025-03-24
 
 Default behavior changes
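Review bot: two typos and one identifier mismatch in the new 3.6.4 entries should be corrected here, since the assembled ChangeLog is what ships: "the documentation did no suggest it did" should read "did not suggest", "could trigger complains from sanitizers" should read "complaints", and the last sentence of the use-after-free entry names "mbedtls_string_to_names()" while every other line of that entry (and the Changes entry) uses "mbedtls_x509_string_to_names()", so as written it refers to a function that appears nowhere else in the file. Minor: "keys with a different LMS or LM-OTS types" mixes singular and plural ("keys with a different LMS or LM-OTS type"), and "Fixes mbedtls issue #7087" uses a different format from the other issue references ("Fixes #9814", "Fixes #9975"). The deleted fragments below carry the same text, so fixing the wording in this hunk is the right place.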
diff --git a/ChangeLog.d/1351_lms_overread.txt b/ChangeLog.d/1351_lms_overread.txt
deleted file mode 100644
index c6ad772..0000000
--- a/ChangeLog.d/1351_lms_overread.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
-   * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
-     less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif.
-     CVE-2025-49601
diff --git a/ChangeLog.d/1352_lms_enum_casting.txt b/ChangeLog.d/1352_lms_enum_casting.txt
deleted file mode 100644
index de66d28..0000000
--- a/ChangeLog.d/1352_lms_enum_casting.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
-   * Fix a sloppy check in LMS public key import, which could lead to accepting
-     keys with a different LMS or LM-OTS types on some platforms. Specifically,
-     this could happen on platforms where enum types are smaller than 32 bits
-     and compiler optimization is enabled. Found and reported by Linh Le and
-     Ngan Nguyen from Calif.
diff --git a/ChangeLog.d/1353_lms_check_return_of_merkle_leaf.txt b/ChangeLog.d/1353_lms_check_return_of_merkle_leaf.txt
deleted file mode 100644
index 4d8bd8a..0000000
--- a/ChangeLog.d/1353_lms_check_return_of_merkle_leaf.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Security
-   * Fix a vulnerability in LMS verification through which an adversary could
-     get an invalid signature accepted if they could cause a hash accelerator
-     to fail. Found and reported by Linh Le and Ngan Nguyen from Calif.
-     CVE-2025-49600
diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt
deleted file mode 100644
index 1aea653..0000000
--- a/ChangeLog.d/add-tls-exporter.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * Add the function mbedtls_ssl_export_keying_material() which allows the
-     client and server to extract additional shared symmetric keys from an SSL
-     session, according to the TLS-Exporter specification in RFC 8446 and 5705.
-     This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
-     mbedtls_config.h.
diff --git a/ChangeLog.d/aesni_has_support.txt b/ChangeLog.d/aesni_has_support.txt
deleted file mode 100644
index 26b7c2c..0000000
--- a/ChangeLog.d/aesni_has_support.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-Bugfix
-   * Fix a race condition on x86/amd64 platforms in AESNI support detection
-     that could lead to using software AES in some threads at the very
-     beginning of a multithreaded program. Reported by Solar Designer.
-     Fixes #9840.
-
-Security
-   * On x86/amd64 platforms, with some compilers, when the library is
-     compiled with support for both AESNI and software AES and AESNI is
-     available in hardware, an adversary with fine control over which
-     threads make progress in a multithreaded program could force software
-     AES to be used for some time when the program starts. This could allow
-     the adversary to conduct timing attacks and potentially recover the
-     key. In particular, this attacker model may be possible against an SGX
-     enclave.
-     The same vulnerability affects GCM acceleration, which could allow
-     a similarly powerful adversary to craft GCM forgeries.
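Review bot: this fragment has no CVE identifier, but the corresponding Security entry in the assembled ChangeLog above ends with CVE-2025-52496; the same applies to the pem-integer-underflow, pkcs7-padding-side-channel-fix, fix-string-to-names-memory-management and fix-string-to-names-store-named-data fragments, whose assembled entries gain CVE-2025-52497, CVE-2025-49087, CVE-2025-47917 and CVE-2025-48965 respectively. Adding the ids at assembly time is expected, but because the assembly is therefore not a verbatim move, the commit message should say that CVE ids were added, and the mapping of each id to its entry should be double-checked against the published advisories before the release is tagged.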
diff --git a/ChangeLog.d/base64_decode.txt b/ChangeLog.d/base64_decode.txt
deleted file mode 100644
index 2cd2c59..0000000
--- a/ChangeLog.d/base64_decode.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Bugfix
-   * Fix mbedtls_base64_decode() on inputs that did not have the correct
-     number of trailing equal signs, or had 4*k+1 digits. They were accepted
-     as long as they had at most two trailing equal signs. They are now
-     rejected. Furthermore, before, on inputs with too few equal signs, the
-     function reported the correct size in *olen when it returned
-     MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the
-     last multiple of 3 bytes.
diff --git a/ChangeLog.d/fix-asn1write-raw-buffer.txt b/ChangeLog.d/fix-asn1write-raw-buffer.txt
deleted file mode 100644
index 292631a..0000000
--- a/ChangeLog.d/fix-asn1write-raw-buffer.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
-     arguments, undefined behaviour would be triggered, in the form of a call to
-     memcpy(..., NULL, 0). This was harmless in practice, but could trigger
-     complains from sanitizers or static analyzers.
diff --git a/ChangeLog.d/fix-string-to-names-memory-management.txt b/ChangeLog.d/fix-string-to-names-memory-management.txt
deleted file mode 100644
index 87bc596..0000000
--- a/ChangeLog.d/fix-string-to-names-memory-management.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-Security
-   * Fix possible use-after-free or double-free in code calling
-     mbedtls_x509_string_to_names(). This was caused by the function calling
-     mbedtls_asn1_free_named_data_list() on its head argument, while the
-     documentation did no suggest it did, making it likely for callers relying
-     on the documented behaviour to still hold pointers to memory blocks after
-     they were free()d, resulting in high risk of use-after-free or double-free,
-     with consequences ranging up to arbitrary code execution.
-     In particular, the two sample programs x509/cert_write and x509/cert_req
-     were affected (use-after-free if the san string contains more than one DN).
-     Code that does not call mbedtls_string_to_names() directly is not affected.
-     Found by Linh Le and Ngan Nguyen from Calif.
-
-Changes
-   * The function mbedtls_x509_string_to_names() now requires its head argument
-     to point to NULL on entry. This makes it likely that existing risky uses of
-     this function (see the entry in the Security section) will be detected and
-     fixed.
diff --git a/ChangeLog.d/fix-string-to-names-store-named-data.txt b/ChangeLog.d/fix-string-to-names-store-named-data.txt
deleted file mode 100644
index 422ce07..0000000
--- a/ChangeLog.d/fix-string-to-names-store-named-data.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Security
-   * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
-     an item in the output list in an inconsistent state with val.p == NULL but
-     val.len > 0. This impacts applications that call this function directly,
-     or indirectly via mbedtls_x509_string_to_names() or one of the
-     mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
-     inconsistent state of the output could then cause a NULL dereference either
-     inside the same call to mbedtls_x509_string_to_names(), or in subsequent
-     users of the output structure, such as mbedtls_x509_write_names(). This
-     only affects applications that create (as opposed to consume) X.509
-     certificates, CSRs or CRLS, or that call mbedtls_asn1_store_named_data()
-     directly. Found by Linh Le and Ngan Nguyen from Calif.
diff --git a/ChangeLog.d/move-crypto-struct-inclusion.txt b/ChangeLog.d/move-crypto-struct-inclusion.txt
deleted file mode 100644
index b84e6d3..0000000
--- a/ChangeLog.d/move-crypto-struct-inclusion.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Resolved build issue with C++ projects using Mbed TLS 3.6 when compiling
-     with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087.
diff --git a/ChangeLog.d/pem-integer-underflow.txt b/ChangeLog.d/pem-integer-underflow.txt
deleted file mode 100644
index 77274aa..0000000
--- a/ChangeLog.d/pem-integer-underflow.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Security
-   * Fix an integer underflow that could occur when parsing malformed PEM
-     keys, which could be used by an attacker capable of feeding encrypted
-     PEM keys to a user. This could cause a crash or information disclosure.
-     Found and reported by Linh Le and Ngan Nguyen from Calif.
diff --git a/ChangeLog.d/pkcs7-padding-side-channel-fix.txt b/ChangeLog.d/pkcs7-padding-side-channel-fix.txt
deleted file mode 100644
index c5cbc75..0000000
--- a/ChangeLog.d/pkcs7-padding-side-channel-fix.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
-   * Fix a timing side channel in the implementation of PKCS#7 padding
-     which would allow an attacker who can request decryption of arbitrary
-     ciphertexts to recover the plaintext through a timing oracle attack.
-     Reported by Ka Lok Wu from Stony Brook University and Doria Tang from
-     The Chinese University of Hong Kong.
diff --git a/ChangeLog.d/union-initialization.txt b/ChangeLog.d/union-initialization.txt
deleted file mode 100644
index a63e1eb..0000000
--- a/ChangeLog.d/union-initialization.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Bugfix
-   * Fix failures of PSA multipart or interruptible operations when the
-     library or the application is built with a compiler where
-     "union foo x = {0}" does not initialize non-default members of the
-     union, such as GCC 15 and some versions of Clang 18. This affected MAC
-     multipart operations, MAC-based key derivation operations, interruptible
-     signature, interruptible verification, and potentially other operations
-     when using third-party drivers. This also affected one-shot MAC
-     operations using the built-in implementation. Fixes #9814.
-   * On entry to PSA driver entry points that set up a multipart operation
-     ("xxx_setup"), the operation object is supposed to be all-bits-zero.
-     This was sometimes not the case when an operation object is reused,
-     or with compilers where "union foo x = {0}" does not initialize
-     non-default members of the union. The PSA core now ensures that this
-     guarantee is met in all cases. Fixes #9975.
diff --git a/ChangeLog.d/unterminated-string-initialization.txt b/ChangeLog.d/unterminated-string-initialization.txt
deleted file mode 100644
index 75a72ca..0000000
--- a/ChangeLog.d/unterminated-string-initialization.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Silence spurious -Wunterminated-string-initialization warnings introduced
-     by GCC 15. Fixes #9944.