Prepare ChangeLog for 3.5.0 release

```
./scripts/assemble_changelog.py
```

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>

ChangeLog

@@ -1,5 +1,291 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+   * Mbed TLS 3.4 introduced support for omitting the built-in implementation
+     of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
+     their was a flaw in the logic checking if the built-in implementation, in
+     that if failed to check if all the relevant curves were supported by the
+     accelerator. As a result, it was possible to declare no curves as
+     accelerated and still have the built-in implementation compiled out.
+     Starting with this release, it is necessary to declare which curves are
+     accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
+     considered not accelerated, and the built-in implementation of the curves
+     and any algorithm possible using them will be included in the build.
+   * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
+     function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
+     can be created using an ALT interface.
+
+Requirement changes
+   * Officially require Python 3.8 now that earlier versions are out of support.
+   * Minimum required Windows version is now Windows Vista, or
+     Windows Server 2008.
+
+New deprecations
+   * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
+     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
+     are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
+     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
+     IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
+     the capabilities of the PSA side for either key.
+   * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
+     MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
+     maximum size of any supported block cipher) or the new name
+     MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
+     maximum size of a block cipher supported by the CMAC module).
+   * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
+     deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
+     mbedtls_pkcs12_pbe_ext() as they offer more security by checking
+     for overflow of the output buffer and reporting the actual length
+     of the output.
+
+Features
+   * All modules that use hashes or HMAC can now take advantage of PSA Crypto
+     drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
+     been called. Previously (in 3.3), this was restricted to a few modules,
+     and only in builds where MBEDTLS_MD_C was disabled; in particular the
+     entropy module was not covered which meant an external RNG had to be
+     provided - these limitations are lifted in this version. A new set of
+     feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
+     to check for availability of hash algorithms, regardless of whether
+     they're provided by a built-in implementation, a driver or both. See
+     docs/driver-only-builds.md.
+   * When a PSA driver for ECDH is present, it is now possible to disable
+     MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
+     key exchanges based on ECDH(E) to work, this requires
+     MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
+     TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
+     as PSA does not have an API for restartable ECDH yet.
+   * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
+     a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
+     if not required by another module) and still get support for ECC keys and
+     algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
+     for details.
+   * Add parsing of directoryName subtype for subjectAltName extension in
+     x509 certificates.
+   * Add support for server-side TLS version negotiation. If both TLS 1.2 and
+     TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
+     TLS 1.3 depending on the capabilities and preferences of TLS clients.
+     Fixes #6867.
+   * X.509 hostname verification now supports IPAddress Subject Alternate Names.
+   * Add support for reading and writing X25519 and X448
+     public and private keys in RFC 8410 format using the existing PK APIs.
+   * When parsing X.509 certificates, support the extensions
+     SignatureKeyIdentifier and AuthorityKeyIdentifier.
+   * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
+     if no PAKE algorithms are requested
+   * Add support for the FFDH algorithm and DH key types in PSA, with
+     parameters from RFC 7919. This includes a built-in implementation based
+     on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
+     implementations of FFDH through the driver entry points.
+   * It is now possible to generate certificates with SubjectAltNames.
+     Currently supported subtypes: DnsName, UniformResourceIdentifier,
+     IP address, OtherName, and DirectoryName, as defined in RFC 5280.
+     See mbedtls_x509write_crt_set_subject_alternative_name for
+     more information.
+   * X.509 hostname verification now partially supports URI Subject Alternate
+     Names. Only exact matching, without any normalization procedures
+     described in 7.4 of RFC5280, will result in a positive URI verification.
+   * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
+     string to a DER-encoded mbedtls_asn1_buf.
+    * Add SHA-3 family hash functions.
+   * Add support to restrict AES to 128-bit keys in order to save code size.
+     A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
+     used to enable this feature.
+   * AES performance improvements. Uplift varies by platform,
+     toolchain, optimisation flags and mode.
+     Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
+     On Aarch64, uplift is typically around 20 - 110%.
+     When compiling with gcc -Os on Aarch64, AES-XTS improves
+     by 4.5x.
+   * Add support for PBKDF2-HMAC through the PSA API.
+   * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
+     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
+     or DH) were introduced in order to have finer accuracy in defining the
+     PSA capabilities for each key. These capabilities, named yyy above, can be
+     any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
+     - DERIVE is only available for ECC keys, not for RSA or DH ones.
+     - implementations are free to enable more than what it was strictly
+       requested. For example BASIC internally enables IMPORT and EXPORT
+       (useful for testing purposes), but this might change in the future.
+   * Add support for FFDH key exchange in TLS 1.3.
+     This is automatically enabled as soon as PSA_WANT_ALG_FFDH
+     and the ephemeral or psk-ephemeral key exchange mode are enabled.
+     By default, all groups are offered; the list of groups can be
+     configured using the existing API function mbedtls_ssl_conf_groups().
+   * Improve mbedtls_x509_time performance and reduce memory use.
+   * Reduce syscalls to time() during certificate verification.
+   * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
+     setting the CMake variable of the same name at configuration time.
+   * Add getter (mbedtls_ssl_cache_get_timeout()) to access
+     `mbedtls_ssl_cache_context.timeout`.
+   * Add getter (mbedtls_ssl_get_hostname()) to access
+     `mbedtls_ssl_context.hostname`.
+   * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
+     `mbedtls_ssl_config.endpoint`.
+   * Support for "opaque" (PSA-held) ECC keys in the PK module has been
+     extended: it is now possible to use mbedtls_pk_write_key_der(),
+     mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
+     mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
+     allow it).
+   * The documentation of mbedtls_ecp_group now describes the optimized
+     representation of A for some curves. Fixes #8045.
+   * Add a possibility to generate CSR's with RCF822 and directoryName subtype
+     of subjectAltName extension in x509 certificates.
+   * Add support for PBKDF2-CMAC through the PSA API.
+   * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
+     using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
+     disables the plain C implementation and the run-time detection for the
+     CPU feature, which reduces code size and avoids the vulnerability of the
+     plain C implementation.
+   * Accept arbitrary AttributeType and AttributeValue in certificate
+     Distinguished Names using RFC 4514 syntax.
+   * Applications using ECC over secp256r1 through the PSA API can use a
+     new implementation with a much smaller footprint, but some minor
+     usage restrictions. See the documentation of the new configuration
+     option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
+
+Security
+   * Fix a case where potentially sensitive information held in memory would not
+     be completely zeroized during TLS 1.2 handshake, in both server and client
+     configurations.
+   * In configurations with ARIA or Camellia but not AES, the value of
+     MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
+     suggest. This did not affect any library code, because this macro was
+     only used in relation with CMAC which does not support these ciphers.
+     This may affect application code that uses this macro.
+   * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
+     review the size of the output buffer passed to this function, and note
+     that the output after decryption may include CBC padding. Consider moving
+     to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
+     which checks for overflow of the output buffer and reports the actual
+     length of the output.
+   * Improve padding calculations in CBC decryption, NIST key unwrapping and
+     RSA OAEP decryption. With the previous implementation, some compilers
+     (notably recent versions of Clang and IAR) could produce non-constant
+     time code, which could allow a padding oracle attack if the attacker
+     has access to precise timing measurements.
+   * Updates to constant-time C code so that compilers are less likely to use
+     conditional instructions, which can have an observable difference in
+     timing. (Clang has been seen to do this.) Also introduce assembly
+     implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
+     guaranteed not to use conditional instructions.
+   * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
+     small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
+     undefined. Mbed TLS itself was unaffected by this, but user code
+     which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
+     release containing this bug was Mbed TLS 3.4.0.
+   * Fix a buffer overread when parsing short TLS application data records in
+     null-cipher cipher suites. Credit to OSS-Fuzz.
+   * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
+     In TLS 1.3, all configurations are affected except PSK-only ones, and
+     both clients and servers are affected.
+     In TLS 1.2, the affected configurations are those with
+     MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
+     and only servers are affected, not clients.
+     Credit to OSS-Fuzz.
+
+Bugfix
+   * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
+     PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
+     than all built-in ones and RSA is disabled.
+     Resolves #6622.
+   * Add missing md.h includes to some of the external programs from
+     the programs directory. Without this, even though the configuration
+     was sufficient for a particular program to work, it would only print
+     a message that one of the required defines is missing.
+   * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
+     in the ecdsa.h header file. There was a build warning when the
+     configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
+     Resolves #7407.
+   * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+     MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
+   * Fix missing PSA initialization in sample programs when
+     MBEDTLS_USE_PSA_CRYPTO is enabled.
+   * Fix the J-PAKE driver interface for user and peer to accept any values
+     (previously accepted values were limited to "client" or "server").
+   * Fix clang and armclang compilation error when targeting certain Arm
+     M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
+     SecurCore SC000). Fixes #1077.
+   * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
+     built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
+     way to detect the crypto extensions required. A warning is still issued.
+   * Fixed an issue that caused compile errors when using CMake and the IAR
+     toolchain.
+   * Fix very high stack usage in SSL debug code. Reported by Maximilian
+     Gerhardt in #7804.
+   * Fix a compilation failure in the constant_time module when
+     building for arm64_32 (e.g., for watchos). Reported by Paulo
+     Coutinho in #7787.
+   * Fix crypt_and_hash decryption fail when used with a stream cipher
+     mode of operation due to the input not being multiple of block size.
+     Resolves #7417.
+   * Fix a bug in which mbedtls_x509_string_to_names() would return success
+     when given a invalid name string if it did not contain '=' or ','.
+   * Fix compilation warnings in aes.c, which prevented the
+     example TF-M configuration in configs/ from building cleanly:
+     tfm_mbedcrypto_config_profile_medium.h with
+     crypto_config_profile_medium.h.
+   * In TLS 1.3, fix handshake failure when a client in its ClientHello
+     proposes an handshake based on PSK only key exchange mode or at least
+     one of the key exchange modes using ephemeral keys to a server that
+     supports only the PSK key exchange mode.
+   * Fix CCM* with no tag being not supported in a build with CCM as the only
+     symmetric encryption algorithm and the PSA configuration enabled.
+   * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
+   * Fix a compilation error on some platforms when including mbedtls/ssl.h
+     with all TLS support disabled. Fixes #6628.
+   * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
+     using ECC key. The certificate was rejected by some crypto frameworks.
+     Fixes #2924.
+   * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
+     is called with zero length and padlock is not enabled.
+   * Fix compile failure due to empty enum in cipher_wrap.c, when building
+     with a very minimal configuration. Fixes #7625.
+   * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+     signature can silently return an incorrect result in low memory conditions.
+   * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
+     MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+   * Fix IAR compiler warnings.
+   * Fix an issue when parsing an otherName subject alternative name into a
+     mbedtls_x509_san_other_name struct. The type-id of the otherName was not
+     copied to the struct. This meant that the struct had incomplete
+     information about the otherName SAN and contained uninitialized memory.
+   * Fix the detection of HardwareModuleName otherName SANs. These were being
+     detected by comparing the wrong field and the check was erroneously
+     inverted.
+   * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
+     enabled, where some low-level modules required by requested PSA crypto
+     features were not getting automatically enabled. Fixes #7420.
+   * Fix undefined symbols in some builds using TLS 1.3 with a custom
+     configuration file.
+   * Fix log level for the got supported group message. Fixes #6765
+   * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
+     error code on failure. Before, they returned 1 to indicate failure in
+     some cases involving a missing entry or a full cache.
+   * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
+
+Changes
+   * Enable Arm / Thumb bignum assembly for most Arm platforms when
+     compiling with gcc, clang or armclang and -O0.
+   * Enforce minimum RSA key size when generating a key
+     to avoid accidental misuse.
+   * Use heap memory to allocate DER encoded RSA private key.
+     This reduces stack usage significantly for RSA signature
+     operations when MBEDTLS_PSA_CRYPTO_C is defined.
+   * Update Windows code to use BCryptGenRandom and wcslen, and
+     ensure that conversions between size_t, ULONG, and int are
+     always done safely.  Original contribution by Kevin Kane #635, #730
+     followed by Simon Butcher #1453.
+   * Users intergrating their own PSA drivers should be aware that
+     the file library/psa_crypto_driver_wrappers.c has been renamed
+     to psa_crypto_driver_wrappers_no_static.c.
+   * When using CBC with the cipher module, the requirement to call
+     mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
+     this call accidentally applied a default padding mode chosen at compile
+     time.
+
 = Mbed TLS 3.4.1 branch released 2023-08-04
 
 Bugfix

ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt

@@ -1,18 +0,0 @@
-New deprecations
-   * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
-     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
-     are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
-     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
-     IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
-     the capabilities of the PSA side for either key.
-
-Features
-   * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
-     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
-     or DH) were introduced in order to have finer accuracy in defining the
-     PSA capabilities for each key. These capabilities, named yyy above, can be
-     any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
-     - DERIVE is only available for ECC keys, not for RSA or DH ones.
-     - implementations are free to enable more than what it was strictly
-       requested. For example BASIC internally enables IMPORT and EXPORT
-       (useful for testing purposes), but this might change in the future.

ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt

@@ -1,13 +0,0 @@
-New deprecations
-   * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
-     MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
-     maximum size of any supported block cipher) or the new name
-     MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
-     maximum size of a block cipher supported by the CMAC module).
-
-Security
-   * In configurations with ARIA or Camellia but not AES, the value of
-     MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
-     suggest. This did not affect any library code, because this macro was
-     only used in relation with CMAC which does not support these ciphers.
-     This may affect application code that uses this macro.

ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
-     error code on failure. Before, they returned 1 to indicate failure in
-     some cases involving a missing entry or a full cache.

ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt

@@ -1,9 +0,0 @@
-New deprecations
-   * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
-     deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
-     mbedtls_pkcs12_pbe_ext() as they offer more security by checking
-     for overflow of the output buffer and reporting the actual length
-     of the output.
-
-Bugfix
-   * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.

ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt

@@ -1,3 +0,0 @@
-Features
-   * When parsing X.509 certificates, support the extensions
-     SignatureKeyIdentifier and AuthorityKeyIdentifier.

ChangeLog.d/add-aes-128bit-only.txt

@@ -1,4 +0,0 @@
-Features
-   * Add support to restrict AES to 128-bit keys in order to save code size.
-     A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
-     used to enable this feature.

ChangeLog.d/add-aes-hardware-only-option.txt

@@ -1,6 +0,0 @@
-Features
-   * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
-     using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
-     disables the plain C implementation and the run-time detection for the
-     CPU feature, which reduces code size and avoids the vulnerability of the
-     plain C implementation.

ChangeLog.d/add-directoryname-san.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of directoryName subtype for subjectAltName extension in
-     x509 certificates.

ChangeLog.d/add-getters-for-some-fields.txt

@@ -1,7 +0,0 @@
-Features
-   * Add getter (mbedtls_ssl_cache_get_timeout()) to access
-     `mbedtls_ssl_cache_context.timeout`.
-   * Add getter (mbedtls_ssl_get_hostname()) to access
-     `mbedtls_ssl_context.hostname`.
-   * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
-     `mbedtls_ssl_config.endpoint`.

ChangeLog.d/add-milliseconds-time-api.txt

@@ -1,5 +0,0 @@
-API changes
-   * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
-     function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
-     can be created using an ALT interface.
-

ChangeLog.d/add-missing-md-includes.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Add missing md.h includes to some of the external programs from
-     the programs directory. Without this, even though the configuration
-     was sufficient for a particular program to work, it would only print
-     a message that one of the required defines is missing.

ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt

@@ -1,7 +0,0 @@
-Security
-   * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
-     review the size of the output buffer passed to this function, and note
-     that the output after decryption may include CBC padding. Consider moving
-     to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
-     which checks for overflow of the output buffer and reports the actual
-     length of the output.

ChangeLog.d/add-pbkdf2-cmac.txt

@@ -1,2 +0,0 @@
-Features
-   * Add support for PBKDF2-CMAC through the PSA API.

ChangeLog.d/add-pbkdf2-hmac.txt

@@ -1,2 +0,0 @@
-Features
-   * Add support for PBKDF2-HMAC through the PSA API.

ChangeLog.d/add-psa_want_alg_some_pake.txt

@@ -1,3 +0,0 @@
-Features
-   * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
-     if no PAKE algorithms are requested

ChangeLog.d/add-rfc822-directoryname-csr-gen.txt

@@ -1,3 +0,0 @@
-Features
-   * Add a possibility to generate CSR's with RCF822 and directoryName subtype
-     of subjectAltName extension in x509 certificates.

ChangeLog.d/add-subjectAltName-certs.txt

@@ -1,6 +0,0 @@
-Features
-   * It is now possible to generate certificates with SubjectAltNames.
-     Currently supported subtypes: DnsName, UniformResourceIdentifier,
-     IP address, OtherName, and DirectoryName, as defined in RFC 5280.
-     See mbedtls_x509write_crt_set_subject_alternative_name for
-     more information.

ChangeLog.d/aes-perf.txt

@@ -1,7 +0,0 @@
-Features
-   * AES performance improvements. Uplift varies by platform,
-     toolchain, optimisation flags and mode.
-     Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
-     On Aarch64, uplift is typically around 20 - 110%.
-     When compiling with gcc -Os on Aarch64, AES-XTS improves
-     by 4.5x.

ChangeLog.d/armclang-compile-fix.txt

@@ -1,7 +0,0 @@
-Bugfix
-   * Fix clang and armclang compilation error when targeting certain Arm
-     M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
-     SecurCore SC000). Fixes #1077.
-Changes
-   * Enable Arm / Thumb bignum assembly for most Arm platforms when
-     compiling with gcc, clang or armclang and -O0.

ChangeLog.d/basic-uri-verification.txt

@@ -1,4 +0,0 @@
-Features
-   * X.509 hostname verification now partially supports URI Subject Alternate
-     Names. Only exact matching, without any normalization procedures
-     described in 7.4 of RFC5280, will result in a positive URI verification.

ChangeLog.d/bugfix_iar_typo.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fixed an issue that caused compile errors when using CMake and the IAR
-     toolchain.

ChangeLog.d/check-set_padding-is-called.txt

@@ -1,5 +0,0 @@
-Changes
-   * When using CBC with the cipher module, the requirement to call
-     mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
-     this call accidentally applied a default padding mode chosen at compile
-     time.

ChangeLog.d/cmake-pass-through-config-defines.txt

@@ -1,3 +0,0 @@
-Features
-   * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
-     setting the CMake variable of the same name at configuration time.

ChangeLog.d/config_psa-include-order.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
-     enabled, where some low-level modules required by requested PSA crypto
-     features were not getting automatically enabled. Fixes #7420.

ChangeLog.d/driver-ffdh.txt

@@ -1,5 +0,0 @@
-Features
-   * Add support for the FFDH algorithm and DH key types in PSA, with
-     parameters from RFC 7919. This includes a built-in implementation based
-     on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
-     implementations of FFDH through the driver entry points.

ChangeLog.d/driver-only-ecc.txt

@@ -1,23 +0,0 @@
-Features
-   * When a PSA driver for ECDH is present, it is now possible to disable
-     MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
-     key exchanges based on ECDH(E) to work, this requires
-     MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
-     TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
-     as PSA does not have an API for restartable ECDH yet.
-   * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
-     a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
-     if not required by another module) and still get support for ECC keys and
-     algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
-     for details.
-API changes
-   * Mbed TLS 3.4 introduced support for omitting the built-in implementation
-     of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
-     their was a flaw in the logic checking if the built-in implementation, in
-     that if failed to check if all the relevant curves were supported by the
-     accelerator. As a result, it was possible to declare no curves as
-     accelerated and still have the built-in implementation compiled out.
-     Starting with this release, it is necessary to declare which curves are
-     accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
-     considered not accelerated, and the built-in implementation of the curves
-     and any algorithm possible using them will be included in the build.

ChangeLog.d/driver-only-hashes.txt

@@ -1,11 +0,0 @@
-Features
-   * All modules that use hashes or HMAC can now take advantage of PSA Crypto
-     drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
-     been called. Previously (in 3.3), this was restricted to a few modules,
-     and only in builds where MBEDTLS_MD_C was disabled; in particular the
-     entropy module was not covered which meant an external RNG had to be
-     provided - these limitations are lifted in this version. A new set of
-     feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
-     to check for availability of hash algorithms, regardless of whether
-     they're provided by a built-in implementation, a driver or both. See
-     docs/driver-only-builds.md.

ChangeLog.d/ec_jpake_user_peer_2.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix the J-PAKE driver interface for user and peer to accept any values
-     (previously accepted values were limited to "client" or "server").

ChangeLog.d/enforce-min-RSA-key-size.txt

@@ -1,3 +0,0 @@
-Changes
-   * Enforce minimum RSA key size when generating a key
-     to avoid accidental misuse.

ChangeLog.d/extend-distinguished-names.txt

@@ -1,3 +0,0 @@
-Features
-   * Accept arbitrary AttributeType and AttributeValue in certificate
-     Distinguished Names using RFC 4514 syntax.

ChangeLog.d/extend-pk-opaque-ecc.txt

@@ -1,6 +0,0 @@
-Features
-   * Support for "opaque" (PSA-held) ECC keys in the PK module has been
-     extended: it is now possible to use mbedtls_pk_write_key_der(),
-     mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
-     mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
-     allow it).

ChangeLog.d/ffdh-tls-1-3.txt

@@ -1,6 +0,0 @@
-Features
-   * Add support for FFDH key exchange in TLS 1.3.
-     This is automatically enabled as soon as PSA_WANT_ALG_FFDH
-     and the ephemeral or psk-ephemeral key exchange mode are enabled.
-     By default, all groups are offered; the list of groups can be
-     configured using the existing API function mbedtls_ssl_conf_groups().

ChangeLog.d/fix-a-few-unchecked-return.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
-     signature can silently return an incorrect result in low memory conditions.

ChangeLog.d/fix-aes-cbc-iv-corruption.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
-     is called with zero length and padlock is not enabled.

ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix crypt_and_hash decryption fail when used with a stream cipher
-     mode of operation due to the input not being multiple of block size.
-     Resolves #7417.

ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
-     in the ecdsa.h header file. There was a build warning when the
-     configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
-     Resolves #7407.

ChangeLog.d/fix-empty-enum.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix compile failure due to empty enum in cipher_wrap.c, when building
-     with a very minimal configuration. Fixes #7625.

ChangeLog.d/fix-hrr-in-psk-kem.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * In TLS 1.3, fix handshake failure when a client in its ClientHello
-     proposes an handshake based on PSK only key exchange mode or at least
-     one of the key exchange modes using ephemeral keys to a server that
-     supports only the PSK key exchange mode.

ChangeLog.d/fix-iar-compiler-warnings.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix IAR compiler warnings.

ChangeLog.d/fix-ilp32.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a compilation failure in the constant_time module when
-     building for arm64_32 (e.g., for watchos). Reported by Paulo
-     Coutinho in #7787.

ChangeLog.d/fix-log-level-msg.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix log level for the got supported group message. Fixes #6765

ChangeLog.d/fix-string-to-names-retcode.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a bug in which mbedtls_x509_string_to_names() would return success
-     when given a invalid name string if it did not contain '=' or ','.

ChangeLog.d/fix-tfm-build.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix compilation warnings in aes.c, which prevented the
-     example TF-M configuration in configs/ from building cleanly:
-     tfm_mbedcrypto_config_profile_medium.h with
-     crypto_config_profile_medium.h.

ChangeLog.d/fix-tls-padbuf-zeroization.txt

@@ -1,4 +0,0 @@
-Security
-   * Fix a case where potentially sensitive information held in memory would not
-     be completely zeroized during TLS 1.2 handshake, in both server and client
-     configurations.

ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
-     built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
-     way to detect the crypto extensions required. A warning is still issued.

ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt

@@ -1,3 +0,0 @@
-Features
-   * The documentation of mbedtls_ecp_group now describes the optimized
-     representation of A for some curves. Fixes #8045.

ChangeLog.d/initialize-struct-get-other-name.txt

@@ -1,8 +0,0 @@
-Bugfix
-   * Fix an issue when parsing an otherName subject alternative name into a
-     mbedtls_x509_san_other_name struct. The type-id of the otherName was not
-     copied to the struct. This meant that the struct had incomplete
-     information about the otherName SAN and contained uninitialized memory.
-   * Fix the detection of HardwareModuleName otherName SANs. These were being
-     detected by comparing the wrong field and the check was erroneously
-     inverted.

ChangeLog.d/inject-entropy.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.

ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
-     MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.

ChangeLog.d/mbedtls_x509_time.txt

@@ -1,3 +0,0 @@
-Features
-   * Improve mbedtls_x509_time performance and reduce memory use.
-   * Reduce syscalls to time() during certificate verification.

ChangeLog.d/misc-from-psa-crypto.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix CCM* with no tag being not supported in a build with CCM as the only
-     symmetric encryption algorithm and the PSA configuration enabled.

ChangeLog.d/oid-parse-from-numeric-string.txt

@@ -1,3 +0,0 @@
-Features
-   * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
-     string to a DER-encoded mbedtls_asn1_buf.

ChangeLog.d/p256-m.txt

@@ -1,5 +0,0 @@
-Features
-   * Applications using ECC over secp256r1 through the PSA API can use a
-     new implementation with a much smaller footprint, but some minor
-     usage restrictions. See the documentation of the new configuration
-     option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.

ChangeLog.d/padding-ct-changelog.txt

@@ -1,6 +0,0 @@
-Security
-   * Improve padding calculations in CBC decryption, NIST key unwrapping and
-     RSA OAEP decryption. With the previous implementation, some compilers
-     (notably recent versions of Clang and IAR) could produce non-constant
-     time code, which could allow a padding oracle attack if the attacker
-     has access to precise timing measurements.

ChangeLog.d/programs_psa_fix.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix missing PSA initialization in sample programs when
-     MBEDTLS_USE_PSA_CRYPTO is enabled.

ChangeLog.d/psa_crypto_user_config_file.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
-     MBEDTLS_PSA_CRYPTO_CONFIG is disabled.

ChangeLog.d/python3.8.txt

@@ -1,2 +0,0 @@
-Requirement changes
-   * Officially require Python 3.8 now that earlier versions are out of support.

ChangeLog.d/rename_psa_crypto_driver_wrappers.txt

@@ -1,5 +0,0 @@
-Changes
-   * Users intergrating their own PSA drivers should be aware that
-     the file library/psa_crypto_driver_wrappers.c has been renamed
-     to psa_crypto_driver_wrappers_no_static.c.
-

ChangeLog.d/rfc8410.txt

@@ -1,3 +0,0 @@
-Features
-   * Add support for reading and writing X25519 and X448
-     public and private keys in RFC 8410 format using the existing PK APIs.

ChangeLog.d/safer-ct.txt

@@ -1,6 +0,0 @@
-Security
-   * Updates to constant-time C code so that compilers are less likely to use
-     conditional instructions, which can have an observable difference in
-     timing. (Clang has been seen to do this.) Also introduce assembly
-     implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
-     guaranteed not to use conditional instructions.

ChangeLog.d/sha3.txt

@@ -1,3 +0,0 @@
-Features
-    * Add SHA-3 family hash functions.
-

ChangeLog.d/sha384-blocksize.txt

@@ -1,6 +0,0 @@
-Security
-   * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
-     small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
-     undefined. Mbed TLS itself was unaffected by this, but user code
-     which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
-     release containing this bug was Mbed TLS 3.4.0.

ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
-     PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
-     than all built-in ones and RSA is disabled.
-     Resolves #6622.

ChangeLog.d/ssl_debug_helpers-stack_usage.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix very high stack usage in SSL debug code. Reported by Maximilian
-     Gerhardt in #7804.

ChangeLog.d/ssl_decrypt_buf-short_record.txt

@@ -1,3 +0,0 @@
-Security
-   * Fix a buffer overread when parsing short TLS application data records in
-     null-cipher cipher suites. Credit to OSS-Fuzz.

ChangeLog.d/ssl_premaster_secret-empty.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error on some platforms when including mbedtls/ssl.h
-     with all TLS support disabled. Fixes #6628.

ChangeLog.d/tls13-custom-config.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix undefined symbols in some builds using TLS 1.3 with a custom
-     configuration file.

ChangeLog.d/tls13-server-version-negotiation.txt

@@ -1,5 +0,0 @@
-Features
-   * Add support for server-side TLS version negotiation. If both TLS 1.2 and
-     TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
-     TLS 1.3 depending on the capabilities and preferences of TLS clients.
-     Fixes #6867.

ChangeLog.d/updated_windows_apis.txt

@@ -1,9 +0,0 @@
-Requirement changes
-   * Minimum required Windows version is now Windows Vista, or
-     Windows Server 2008.
-
-Changes
-   * Update Windows code to use BCryptGenRandom and wcslen, and
-     ensure that conversions between size_t, ULONG, and int are
-     always done safely.  Original contribution by Kevin Kane #635, #730
-     followed by Simon Butcher #1453.

ChangeLog.d/use_heap_rsa_signature.txt

@@ -1,4 +0,0 @@
-Changes
-   * Use heap memory to allocate DER encoded RSA private key.
-     This reduces stack usage significantly for RSA signature
-     operations when MBEDTLS_PSA_CRYPTO_C is defined.

ChangeLog.d/verify-ip-sans-properly.txt

@@ -1,2 +0,0 @@
-Features
-   * X.509 hostname verification now supports IPAddress Subject Alternate Names.

ChangeLog.d/x509-ec-algorithm-identifier-fix.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
-     using ECC key. The certificate was rejected by some crypto frameworks.
-     Fixes #2924.

ChangeLog.d/xxx_psa_peerkey.txt

@@ -1,8 +0,0 @@
-Security
-   * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
-     In TLS 1.3, all configurations are affected except PSK-only ones, and
-     both clients and servers are affected.
-     In TLS 1.2, the affected configurations are those with
-     MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
-     and only servers are affected, not clients.
-     Credit to OSS-Fuzz.