Merge branch 'development' into sha3

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt

@@ -1,8 +0,0 @@
-Features
-   * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
-     declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
-     `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
-     the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
-     for its signature in the key exchange message. As Mbed TLS 1.2 does not
-     support them, the handshake fails. Add `rsa_pss_rsae_*` support for TLS 1.2
-     to resolve the compitablity issue.

ChangeLog.d/alignment-perf.txt

@@ -0,0 +1,8 @@
+Features
+   * General performance improvements by accessing multiple bytes at a time.
+     Fixes #1666.
+   * Improvements to use of unaligned and byte-swapped memory, reducing code
+     size and improving performance (depending on compiler and target
+     architecture).
+Changes
+   * Mixed-endian systems are explicitly not supported any more.

ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a long-standing build failure when building x86 PIC code with old
-     gcc (4.x). The code will be slower, but will compile. We do however
-     recommend upgrading to a more recent compiler instead. Fixes #1910.

ChangeLog.d/c-build-helper-hostcc.txt

@@ -0,0 +1,4 @@
+Features
+   * Use HOSTCC (if it is set) when compiling C code during generation of the
+     configuration-independent files. This allows them to be generated when
+     CC is set for cross compilation.

ChangeLog.d/cmake-install.txt

@@ -0,0 +1,3 @@
+Changes
+  * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
+    typically /usr/lib/cmake/MbedTLS.

ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
+     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
+     Aaron Ucko under Valgrind.

ChangeLog.d/crypto_config_ccm_star.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
+     be toggled with config.py.

ChangeLog.d/csr_v3_extensions.txt

@@ -0,0 +1,3 @@
+Features
+   * Add parsing of V3 extensions (key usage, Netscape cert-type,
+     Subject Alternative Names) in x509 Certificate Sign Requests.

ChangeLog.d/driver-only-hashes.txt

@@ -1,20 +0,0 @@
-Features
-   * Some crypto modules that previously depended on MD or a low-level hash
-     module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or
-     for some features (PEM for encrypted files), are now able to use PSA
-     Crypto instead when the legacy API is not available. This means it is
-     now possible to use all features from those modules in configurations
-     where the built-in implementations of hashes are excluded and the hashes
-     are only provided by PSA drivers. In these configurations, you need to
-     call `psa_crypto_init()` before you call any function from those
-     modules; this is not required in configurations where the built-in
-     implementation is still available. Note that some crypto modules and
-     features still depend on the built-in implementation of hashes:
-     MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it),
-     MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC.
-     In particular, for now, compiling without built-in hashes requires use
-     of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
-   * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no
-     longer depend on MD. This means it is now possible to use them in
-     configurations where the built-in implementations of hashes are excluded
-     and the hashes are only provided by PSA drivers.

ChangeLog.d/ecjpake_to_pms.txt

@@ -1,5 +0,0 @@
-API changes
-   * Add an ad-hoc key derivation function handling ECJPAKE to PMS
-     calculation that can be used to derive the session secret in TLS 1.2,
-     as described in draft-cragie-tls-ecjpake-01. This can be achieved by
-     using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.

ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt

@@ -1,2 +0,0 @@
-Changes
-   * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config

ChangeLog.d/fix-aes-shallow-copying.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.

ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt

@@ -1,4 +0,0 @@
-Bugfix
-    * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
-      MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
-      uninitialized context.

ChangeLog.d/fix-example-programs-no-args.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * Fix behavior of certain sample programs which could, when run with no
+     arguments, access uninitialized memory in some cases. Fixes #6700 (which
+     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.

ChangeLog.d/fix-gettimeofday-overflow.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
+     could cause a crash in programs/test/benchmark.

ChangeLog.d/fix-iar-warnings.txt

@@ -0,0 +1,2 @@
+Bugfix
+   * Fix IAR compiler warnings. Contributed by Glenn Strauss in #3835.

ChangeLog.d/fix-rsaalt-test-guards.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
+     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.

ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt

@@ -1,3 +0,0 @@
-Bugfix
-    * Fix build error due to missing prototype
-      warning when MBEDTLS_DEPRECATED_REMOVED is enabled

ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * Fix a bug in the build where directory names containing spaces were
+     causing generate_errors.pl to error out resulting in a build failure.
+     Fixes issue #6879.

ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt

@@ -1,4 +0,0 @@
-Bugfix
-    * Fix bugs and missing dependencies when
-      building and testing configurations with
-      only one encryption type enabled in TLS 1.2.

ChangeLog.d/fix_cmake_gen_files

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix an issue in releases with GEN_FILES turned off whereby missing
-     generated files could be turned into symlinks to themselves.

ChangeLog.d/fix_cmake_using_iar_toolchain.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fixed an issue that cause compile error using CMake IAR toolchain.
-     Fixes #5964.

ChangeLog.d/fix_hard_link_across_drives

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a build issue on Windows where the source and build directory could not be on
-     different drives (#5751).

ChangeLog.d/fix_psa_crypto_cipher_h_include.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Use double quotes to include private header file psa_crypto_cipher.h.
-     Fixes 'file not found with <angled> include' error
-     when building with Xcode.

ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt

@@ -0,0 +1,19 @@
+Bugfix
+   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
+     whose binary representation is longer than 20 bytes. This was already
+     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
+     enforced also at code level.
+
+New deprecations
+   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
+     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
+     direct dependency of X509 on BIGNUM_C.
+
+Changes
+   * programs/x509/cert_write:
+     - now it accepts the serial number in 2 different formats: decimal and
+       hex. They cannot be used simultaneously
+     - "serial" is used for the decimal format and it's limted in size to
+       unsigned long long int
+     - "serial_hex" is used for the hex format; max length here is
+       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2

ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt

@@ -0,0 +1,4 @@
+Features
+   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
+     This helps in saving code size when some of the above hashes are not
+     required.

ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt

@@ -0,0 +1,6 @@
+Features
+   * Add support for reading points in compressed format
+     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
+     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
+     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
+      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)

ChangeLog.d/muladdc_microblaze.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
-     Contributed by Kazuyuki Kimura to fix #2020.

ChangeLog.d/nonversioned-library-soname.txt

@@ -1,5 +0,0 @@
-Features
-   * make: enable building unversioned shared library, with e.g.:
-     "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
-     resulting in library names like "libmbedtls.so" rather than
-     "libmbedcrypto.so.11".

ChangeLog.d/pk-sign-restartable.txt

@@ -0,0 +1,5 @@
+Changes
+   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
+     defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
+     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
+     the behaviour without it, where deterministic ECDSA was already used.

ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
+     used on a shared secret from a key agreement since its input must be
+     an ECC public key. Reject this properly.

ChangeLog.d/psa_crypto_pake.txt

@@ -1,4 +0,0 @@
-Features
-    * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
-      Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
-      are supported in this implementation.

ChangeLog.d/remove_ssl_session_compression.txt

@@ -1,5 +0,0 @@
-Removals
-   * Remove compression property from SSL session struct.
-     MBEDTLS_SSL_COMPRESS_NULL is now the only supported
-     compression option and can be used for compatibility
-     reasons. Changes requested in #4223.

ChangeLog.d/tls13_sig_alg_selection.txt

@@ -1,3 +0,0 @@
-Features
-   * Add support for opaque keys as the private keys associated to certificates
-     for authentication in TLS 1.3.

ChangeLog.d/vs2013.txt

@@ -0,0 +1,4 @@
+Changes
+  * Visual Studio: Rename the directory containing Visual Studio files from
+    visualc/VS2010 to visualc/VS2013 as we do not support building with versions
+    older than 2013. Update the solution file to specify VS2013 as a minimum.

ChangeLog.d/workaround_gnutls_anti_replay_fail.txt

@@ -0,0 +1,7 @@
+Bugfix
+    * In TLS 1.3, when using a ticket for session resumption, tweak its age
+      calculation on the client side. It prevents a server with more accurate
+      ticket timestamps (typically timestamps in milliseconds) compared to the
+      Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
+      than the age computed and transmitted by the client and thus potentially
+      reject the ticket. Fix #6623.

ChangeLog.d/x509-broken-symlink-handling.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix handling of broken symlinks when loading certificates using
-     mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
-     broken link is encountered, skip the broken link and continue parsing
-     other certificate files. Contributed by Eduardo Silva in #2602.