Merge remote-tracking branch 'origin/development' into update-restricted-2023-08-30

ChangeLog.d/00README.md

@@ -21,6 +21,9 @@ We generally don't include changelog entries for:
 * Performance improvements, unless they are particularly significant.
 * Changes to parts of the code base that users don't interact with directly,
   such as test code and test data.
+* Fixes for compiler warnings. Releases typically contain a number of fixes
+  of this kind, so we will only mention them in the Changelog if they are
+  particularly significant.
 
 Until Mbed TLS 2.24.0, we required changelog entries in more cases.
 Looking at older changelog entries is good practice for how to write a

ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt

@@ -2,13 +2,17 @@ New deprecations
    * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
      MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
      are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
-     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: USE, IMPORT,
-     EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about the
-     capabilities of the PSA side for either key.
+     MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
+     IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
+     the capabilities of the PSA side for either key.
 
 Features
    * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
      MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
      or DH) were introduced in order to have finer accuracy in defining the
      PSA capabilities for each key. These capabilities, named yyy above, can be
-     any of: USE, IMPORT, EXPORT, GENERATE, DERIVE.
+     any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
+     - DERIVE is only available for ECC keys, not for RSA or DH ones.
+     - implementations are free to enable more than what it was strictly
+       requested. For example BASIC internally enables IMPORT and EXPORT
+       (useful for testing purposes), but this might change in the future.

ChangeLog.d/add-aes-hardware-only-option.txt

@@ -0,0 +1,6 @@
+Features
+   * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
+     using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
+     disables the plain C implementation and the run-time detection for the
+     CPU feature, which reduces code size and avoids the vulnerability of the
+     plain C implementation.

ChangeLog.d/add-pbkdf2-cmac.txt

@@ -0,0 +1,2 @@
+Features
+   * Add support for PBKDF2-CMAC through the PSA API.

ChangeLog.d/add-rfc822-directoryname-csr-gen.txt

@@ -0,0 +1,3 @@
+Features
+   * Add a possibility to generate CSR's with RCF822 and directoryName subtype
+     of subjectAltName extension in x509 certificates.

ChangeLog.d/driver-only-ecc.txt

@@ -5,3 +5,6 @@ Features
      MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
      TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
      as PSA does not have an API for restartable ECDH yet.
+   * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
+     a driver, it is possible to disable MBEDTLS_ECP_C and still get support
+     for ECC keys and algorithms in PSA. See docs/driver-only-builds.txt.

ChangeLog.d/enforce-min-RSA-key-size.txt

@@ -0,0 +1,3 @@
+Changes
+   * Enforce minimum RSA key size when generating a key
+     to avoid accidental misuse.

ChangeLog.d/extend-pk-opaque-ecc.txt

@@ -0,0 +1,6 @@
+Features
+   * Support for "opaque" (PSA-held) ECC keys in the PK module has been
+     extended: it is now possible to use mbedtls_pk_write_key_der(),
+     mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
+     mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
+     allow it).

ChangeLog.d/fix-a-few-unchecked-return.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+     signature can silently return an incorrect result in low memory conditions.

ChangeLog.d/fix-aes-cbc-iv-corruption

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
+     is called with zero length and padlock is not enabled.

ChangeLog.d/fix-empty-enum.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix compile failure due to empty enum in cipher_wrap.c, when building
+     with a very minimal configuration. Fixes #7625.

ChangeLog.d/fix-iar-compiler-warnings.txt

@@ -0,0 +1,2 @@
+Bugfix
+   * Fix IAR compiler warnings.

ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt

@@ -0,0 +1,3 @@
+Features
+   * The documentation of mbedtls_ecp_group now describes the optimized
+     representation of A for some curves. Fixes #8045.

ChangeLog.d/inject-entropy.txt

@@ -0,0 +1,2 @@
+Bugfix
+   * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.

ChangeLog.d/misc-from-psa-crypto.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix CCM* with no tag being not supported in a build with CCM as the only
+     symmetric encryption algorithm and the PSA configuration enabled.

ChangeLog.d/psa_crypto_user_config_file.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
+     MBEDTLS_PSA_CRYPTO_CONFIG is disabled.

ChangeLog.d/ssl_premaster_secret-empty.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix a compilation error on some platforms when including mbedtls/ssl.h
+     with all TLS support disabled. Fixes #6628.

ChangeLog.d/use_heap_rsa_signature.txt

@@ -0,0 +1,4 @@
+Changes
+   * Use heap memory to allocate DER encoded RSA private key.
+     This reduces stack usage significantly for RSA signature
+     operations when MBEDTLS_PSA_CRYPTO_C is defined.

ChangeLog.d/x509-ec-algorithm-identifier-fix.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
+     using ECC key. The certificate was rejected by some crypto frameworks.
+     Fixes #2924.