Assemble Changelog
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
diff --git a/ChangeLog b/ChangeLog
index ec94776..9578ffd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,87 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS x.x.x branch released xxxx-xx-xx
+
+Default behavior changes
+ * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
+ mbedtls_ssl_handshake() now fails with
+ MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ if certificate-based authentication of the server is attempted.
+ This is because authenticating a server without knowing what name
+ to expect is usually insecure. To restore the old behavior, either
+ call mbedtls_ssl_set_hostname() with NULL as the hostname, or
+ enable the new compile-time option
+ MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
+
+Features
+ * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
+ uses static storage for keys, enabling malloc-less use of key slots.
+ The size of each buffer is given by the option
+ MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
+ largest PSA key enabled in the build.
+ * MD module can now perform PSA dispatching also when
+ `MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C`, even though this
+ configuration is not officially supported. This requires that a
+ PSA Crypto provider library which:
+ * supports the required `PSA_WANT_ALG_xxx` and
+ * implements `psa_can_do_hash()` on the client interface
+ is linked against Mbed TLS and that `psa_crypto_init()` is called before
+ performing any PSA call.
+
+Security
+ * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
+ if they use certificate authentication (i.e. not pre-shared keys).
+ Otherwise, in many scenarios, the server could be impersonated.
+ The library will now prevent the handshake and return
+ MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ if mbedtls_ssl_set_hostname() has not been called.
+ CVE-2025-27809
+ * Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
+ when deriving an ECC key pair.
+ * Zeroize temporary heap buffers used in PSA operations.
+ * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
+ or there was a cryptographic hardware failure when calculating the
+ Finished message, it could be calculated incorrectly. This would break
+ the security guarantees of the TLS handshake.
+ CVE-2025-27810
+
+Bugfix
+ * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
+ peers that have middlebox compatibility enabled, as long as no
+ problematic middlebox is in the way. Fixes #9551.
+ * Fix invalid JSON schemas for driver descriptions used by
+ generate_driver_wrappers.py.
+ * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
+ and 'mbedtls_net_connect' to prevent possible double close fd
+ problems. Fixes #9711.
+ * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
+ mbedtls_psa_der_to_raw() is called with bits=0.
+ * Fix compilation on MS-DOS DJGPP. Fixes #9813.
+ * Fix missing constraints on the AES-NI inline assembly which is used on
+ GCC-like compilers when building AES for generic x86_64 targets. This
+ may have resulted in incorrect code with some compilers, depending on
+ optimizations. Fixes #9819.
+ * Support re-assembly of fragmented handshake messages in TLS (both
+ 1.2 and 1.3). The lack of support was causing handshake failures with
+ some servers, especially with TLS 1.3 in practice. There are a few
+ limitations, notably a fragmented ClientHello is only supported when
+ TLS 1.3 support is enabled. See the documentation of
+ mbedtls_ssl_handshake() for details.
+ * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
+ occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
+ with Visual Studio 2013 or MinGW.
+ Fixes #10017.
+ * Remove Everest Visual Studio 2010 compatibility headers, which could
+ shadow standard CRT headers inttypes.h and stdbool.h with incomplete
+ implementatios if placed on the include path, eg. when building Mbed TLS
+ with the .sln file shipped with the project.
+ * Fix issue where psa_key_derivation_input_integer() is not detecting
+ bad state after an operation has been aborted.
+
+Changes
+ * Improve performance of PSA key generation with ECC keys: it no longer
+ computes the public key (which was immediately discarded). Fixes #9732.
+
= Mbed TLS 3.6.2 branch released 2024-10-14
Security
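Review bot: In the added Security section, the bullet "Zeroize temporary heap buffers used in PSA operations." does not say which operations are affected, unlike the bullet before it, which names psa_key_derivation_output_key(). Name the functions or operation types concerned, or merge the two bullets, so that a reader can tell whether their use of the PSA API handled key material in the unwiped buffers. Separately, the new header still reads "Mbed TLS x.x.x branch released xxxx-xx-xx"; the version and date need to be filled in before this section ships.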
diff --git a/ChangeLog.d/9302.txt b/ChangeLog.d/9302.txt
deleted file mode 100644
index d61ba19..0000000
--- a/ChangeLog.d/9302.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
- uses static storage for keys, enabling malloc-less use of key slots.
- The size of each buffer is given by the option
- MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
- largest PSA key enabled in the build.
diff --git a/ChangeLog.d/9652.txt b/ChangeLog.d/9652.txt
deleted file mode 100644
index 98a8eae..0000000
--- a/ChangeLog.d/9652.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
- * MD module can now perform PSA dispatching also when
- `MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C`, even though this
- configuration is not officially supported. This requires that a
- PSA Crypto provider library which:
- * supports the required `PSA_WANT_ALG_xxx` and
- * implements `psa_can_do_hash()` on the client interface
- is linked against Mbed TLS and that `psa_crypto_init()` is called before
- performing any PSA call.
diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt
deleted file mode 100644
index 538f0c5..0000000
--- a/ChangeLog.d/fix-aesni-asm-clobbers.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix missing constraints on the AES-NI inline assembly which is used on
- GCC-like compilers when building AES for generic x86_64 targets. This
- may have resulted in incorrect code with some compilers, depending on
- optimizations. Fixes #9819.
diff --git a/ChangeLog.d/fix-compilation-with-djgpp.txt b/ChangeLog.d/fix-compilation-with-djgpp.txt
deleted file mode 100644
index 5b79fb6..0000000
--- a/ChangeLog.d/fix-compilation-with-djgpp.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix compilation on MS-DOS DJGPP. Fixes #9813.
diff --git a/ChangeLog.d/fix-driver-schema-check.txt b/ChangeLog.d/fix-driver-schema-check.txt
deleted file mode 100644
index 9b6d8ac..0000000
--- a/ChangeLog.d/fix-driver-schema-check.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix invalid JSON schemas for driver descriptions used by
- generate_driver_wrappers.py.
diff --git a/ChangeLog.d/fix-key-derive-bad-state-error.txt b/ChangeLog.d/fix-key-derive-bad-state-error.txt
deleted file mode 100644
index 0bccf77..0000000
--- a/ChangeLog.d/fix-key-derive-bad-state-error.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix issue where psa_key_derivation_input_integer() is not detecting
- bad state after an operation has been aborted.
diff --git a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
deleted file mode 100644
index 2713f6c..0000000
--- a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Bugfix
- * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
- occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
- with Visual Studio 2013 or MinGW.
- Fixes #10017.
- * Remove Everest Visual Studio 2010 compatibility headers, which could
- shadow standard CRT headers inttypes.h and stdbool.h with incomplete
- implementatios if placed on the include path, eg. when building Mbed TLS
- with the .sln file shipped with the project.
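Review bot: The second bullet of this fragment contains the typo "implementatios" and the abbreviation "eg.", and both were copied unchanged into the assembled ChangeLog in the first hunk. Correct them there to "implementations" and "e.g." before release. Also note that only the first bullet carries an issue reference ("Fixes #10017"); if the Everest header removal has an associated issue, add its reference to the second bullet too.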
diff --git a/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt b/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt
deleted file mode 100644
index 69c00e1..0000000
--- a/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Improve performance of PSA key generation with ECC keys: it no longer
- computes the public key (which was immediately discarded). Fixes #9732.
diff --git a/ChangeLog.d/mbedtls_ssl_set_hostname.txt b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
deleted file mode 100644
index 236f491..0000000
--- a/ChangeLog.d/mbedtls_ssl_set_hostname.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Default behavior changes
- * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
- mbedtls_ssl_handshake() now fails with
- MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
- if certificate-based authentication of the server is attempted.
- This is because authenticating a server without knowing what name
- to expect is usually insecure. To restore the old behavior, either
- call mbedtls_ssl_set_hostname() with NULL as the hostname, or
- enable the new compile-time option
- MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
-
-Security
- * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
- if they use certificate authentication (i.e. not pre-shared keys).
- Otherwise, in many scenarios, the server could be impersonated.
- The library will now prevent the handshake and return
- MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
- if mbedtls_ssl_set_hostname() has not been called.
- CVE-2025-27809
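Review bot: The Security bullet for CVE-2025-27809 says the handshake is prevented "if mbedtls_ssl_set_hostname() has not been called", but it does not mention that the two opt-outs listed under "Default behavior changes" (calling mbedtls_ssl_set_hostname() with NULL, or enabling MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME) restore the old behavior. Someone reading only the Security section of the assembled ChangeLog will miss that. Suggest adding a sentence to the Security bullet that points to the Default behavior changes entry and states that using either opt-out brings back authentication without an expected server name.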
diff --git a/ChangeLog.d/psa-zeroize.txt b/ChangeLog.d/psa-zeroize.txt
deleted file mode 100644
index 6bdaa00..0000000
--- a/ChangeLog.d/psa-zeroize.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
- when deriving an ECC key pair.
- * Zeroize temporary heap buffers used in PSA operations.
diff --git a/ChangeLog.d/psa_util-bits-0.txt b/ChangeLog.d/psa_util-bits-0.txt
deleted file mode 100644
index 9aa70ad..0000000
--- a/ChangeLog.d/psa_util-bits-0.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
- mbedtls_psa_der_to_raw() is called with bits=0.
diff --git a/ChangeLog.d/replace-close-with-mbedtls_net_close.txt b/ChangeLog.d/replace-close-with-mbedtls_net_close.txt
deleted file mode 100644
index 213cf55..0000000
--- a/ChangeLog.d/replace-close-with-mbedtls_net_close.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
- and 'mbedtls_net_connect' to prevent possible double close fd
- problems. Fixes #9711.
diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt
deleted file mode 100644
index 6bab02a..0000000
--- a/ChangeLog.d/tls-hs-defrag-in.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * Support re-assembly of fragmented handshake messages in TLS (both
- 1.2 and 1.3). The lack of support was causing handshake failures with
- some servers, especially with TLS 1.3 in practice. There are a few
- limitations, notably a fragmented ClientHello is only supported when
- TLS 1.3 support is enabled. See the documentation of
- mbedtls_ssl_handshake() for details.
diff --git a/ChangeLog.d/tls12-check-finished-calc.txt b/ChangeLog.d/tls12-check-finished-calc.txt
deleted file mode 100644
index cd52d32..0000000
--- a/ChangeLog.d/tls12-check-finished-calc.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
- or there was a cryptographic hardware failure when calculating the
- Finished message, it could be calculated incorrectly. This would break
- the security guarantees of the TLS handshake.
- CVE-2025-27810
diff --git a/ChangeLog.d/tls13-middlebox-compat-disabled.txt b/ChangeLog.d/tls13-middlebox-compat-disabled.txt
deleted file mode 100644
index f5331bc..0000000
--- a/ChangeLog.d/tls13-middlebox-compat-disabled.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
- peers that have middlebox compatibility enabled, as long as no
- problematic middlebox is in the way. Fixes #9551.