Merge branch 'development' into sha3

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

ChangeLog.d/add-directoryname-san.txt

@@ -0,0 +1,3 @@
+Features
+   * Add parsing of directoryName subtype for subjectAltName extension in
+     x509 certificates.

ChangeLog.d/add-milliseconds-time-api.txt

@@ -0,0 +1,5 @@
+API changes
+   * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
+     function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
+     can be created using an ALT interface.
+

ChangeLog.d/add-missing-md-includes.txt

@@ -0,0 +1,5 @@
+Bugfix
+   * Add missing md.h includes to some of the external programs from
+     the programs directory. Without this, even though the configuration
+     was sufficient for a particular program to work, it would only print
+     a message that one of the required defines is missing.

ChangeLog.d/add-uri-san.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of uniformResourceIdentifier subtype for subjectAltName
-     extension in x509 certificates.

ChangeLog.d/add_interruptible_sign_hash

@@ -1,5 +0,0 @@
-Features
-   * Add an interruptible version of sign and verify hash to the PSA interface,
-     backed by internal library support for ECDSA signing and verification.
-
-

ChangeLog.d/alignment-perf.txt

@@ -1,8 +0,0 @@
-Features
-   * General performance improvements by accessing multiple bytes at a time.
-     Fixes #1666.
-   * Improvements to use of unaligned and byte-swapped memory, reducing code
-     size and improving performance (depending on compiler and target
-     architecture).
-Changes
-   * Mixed-endian systems are explicitly not supported any more.

ChangeLog.d/c-build-helper-hostcc.txt

@@ -1,4 +0,0 @@
-Features
-   * Use HOSTCC (if it is set) when compiling C code during generation of the
-     configuration-independent files. This allows them to be generated when
-     CC is set for cross compilation.

ChangeLog.d/cmake-install.txt

@@ -1,3 +0,0 @@
-Changes
-  * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
-    typically /usr/lib/cmake/MbedTLS.

ChangeLog.d/coding-style.txt

@@ -1,5 +0,0 @@
-Changes
-   * The C code follows a new coding style. This is transparent for users but
-     affects contributors and maintainers of local patches. For more
-     information, see
-     https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/

ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
-     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
-     Aaron Ucko under Valgrind.

ChangeLog.d/crypto_config_ccm_star.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
-     be toggled with config.py.

ChangeLog.d/csr_v3_extensions.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of V3 extensions (key usage, Netscape cert-type,
-     Subject Alternative Names) in x509 Certificate Sign Requests.

ChangeLog.d/driver-only-ecdh.txt

@@ -0,0 +1,7 @@
+Features
+   * When a PSA driver for ECDH is present, it is now possible to disable
+     MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
+     key exchanges based on ECDH(E) to work, this requires
+     MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
+     TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
+     as PSA does not have an API for restartable ECDH yet.

ChangeLog.d/driver-only-hashes.txt

@@ -0,0 +1,10 @@
+Features
+   * All modules that use hashes or HMAC can now take advantage of PSA Crypto
+     drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
+     been called. Previously (in 3.3), this was restricted to a few modules,
+     and only in builds where MBEDTLS_MD_C was disabled; in particular the
+     entropy module was not covered which meant an external RNG had to be
+     provided - these limitations are lifted in this version. A new set of
+     feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
+     to check for availability of hash algorithms, regardless of whether
+     they're provided by a built-in implementation, a driver or both.

ChangeLog.d/ec_jpake_user_peer_2.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix the J-PAKE driver interface for user and peer to accept any values
+     (previously accepted values were limited to "client" or "server").

ChangeLog.d/empty-retval-description.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Silence warnings from clang -Wdocumentation about empty \retval
-     descriptions, which started appearing with Clang 15. Fixes #6960.

ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt

@@ -0,0 +1,5 @@
+Bugfix
+   * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
+     in the ecdsa.h header file. There was a build warning when the
+     configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
+     Resolves #7407.

ChangeLog.d/fix-example-programs-no-args.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix behavior of certain sample programs which could, when run with no
-     arguments, access uninitialized memory in some cases. Fixes #6700 (which
-     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.

ChangeLog.d/fix-gettimeofday-overflow.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
-     could cause a crash in programs/test/benchmark.

ChangeLog.d/fix-iar-warnings.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix IAR compiler warnings. Fixes #6924.

ChangeLog.d/fix-oid-to-string-bugs.txt

@@ -1,6 +0,0 @@
-Bugfix
-   * Fix bug in conversion from OID to string in
-     mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
-     correctly.
-   * Reject OIDs with overlong-encoded subidentifiers when converting
-     OID-to-string.

ChangeLog.d/fix-rsaalt-test-guards.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
-     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.

ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a bug in the build where directory names containing spaces were
-     causing generate_errors.pl to error out resulting in a build failure.
-     Fixes issue #6879.

ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt

@@ -1,19 +0,0 @@
-Bugfix
-   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
-     whose binary representation is longer than 20 bytes. This was already
-     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
-     enforced also at code level.
-
-New deprecations
-   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
-     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
-     direct dependency of X509 on BIGNUM_C.
-
-Changes
-   * programs/x509/cert_write:
-     - now it accepts the serial number in 2 different formats: decimal and
-       hex. They cannot be used simultaneously
-     - "serial" is used for the decimal format and it's limted in size to
-       unsigned long long int
-     - "serial_hex" is used for the hex format; max length here is
-       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2

ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt

@@ -1,4 +0,0 @@
-Features
-   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
-     This helps in saving code size when some of the above hashes are not
-     required.

ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+     MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.

ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt

@@ -1,6 +0,0 @@
-Features
-   * Add support for reading points in compressed format
-     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
-     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
-     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
-      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)

ChangeLog.d/mpi-window-perf

@@ -1,7 +0,0 @@
-Changes
-   * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
-     As tested in issue 6790, the correlation between this define and
-     RSA decryption performance has changed lately due to security fixes.
-     To fix the performance degradation when using default values the
-     window was reduced from 6 to 2, a value that gives the best or close
-     to best results when tested on Cortex-M4 and Intel i7.

ChangeLog.d/pk-sign-restartable.txt

@@ -1,5 +0,0 @@
-Changes
-   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
-     defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
-     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
-     the behaviour without it, where deterministic ECDSA was already used.

ChangeLog.d/pk_ext-pss_options-public.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
-     possible to verify RSA PSS signatures with the pk module, which was
-     inadvertently broken since Mbed TLS 3.0.

ChangeLog.d/programs_psa_fix.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix missing PSA initialization in sample programs when
+     MBEDTLS_USE_PSA_CRYPTO is enabled.

ChangeLog.d/psa-alt-headers.txt

@@ -1,4 +0,0 @@
-Features
-   * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
-     MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
-     the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".

ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
-     used on a shared secret from a key agreement since its input must be
-     an ECC public key. Reject this properly.

ChangeLog.d/rfc8410.txt

@@ -0,0 +1,3 @@
+Features
+   * Add support for reading and writing X25519 and X448
+     public and private keys in RFC 8410 format using the existing PK APIs.

ChangeLog.d/san_rfc822Name.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of rfc822Name subtype for subjectAltName
-     extension in x509 certificates.

ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt

@@ -0,0 +1,5 @@
+Bugfix
+   * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
+     PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
+     than all built-in ones and RSA is disabled.
+     Resolves #6622.

ChangeLog.d/tls13-only-renegotiation.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix the handling of renegotiation attempts in TLS 1.3. They are now
-     systematically rejected.
-   * Fix an unused-variable warning in TLS 1.3-only builds if
-     MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.

ChangeLog.d/tls13-server-version-negotiation.txt

@@ -0,0 +1,5 @@
+Features
+   * Add support for server-side TLS version negotiation. If both TLS 1.2 and
+     TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
+     TLS 1.3 depending on the capabilities and preferences of TLS clients.
+     Fixes #6867.

ChangeLog.d/verify-ip-sans-properly.txt

@@ -0,0 +1,2 @@
+Features
+   * X.509 hostname verification now supports IPAddress Subject Alternate Names.

ChangeLog.d/vs2013.txt

@@ -1,4 +0,0 @@
-Changes
-  * Visual Studio: Rename the directory containing Visual Studio files from
-    visualc/VS2010 to visualc/VS2013 as we do not support building with versions
-    older than 2013. Update the solution file to specify VS2013 as a minimum.

ChangeLog.d/workaround_gnutls_anti_replay_fail.txt

@@ -1,7 +0,0 @@
-Bugfix
-    * In TLS 1.3, when using a ticket for session resumption, tweak its age
-      calculation on the client side. It prevents a server with more accurate
-      ticket timestamps (typically timestamps in milliseconds) compared to the
-      Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
-      than the age computed and transmitted by the client and thus potentially
-      reject the ticket. Fix #6623.

ChangeLog.d/x509-subaltname-ext

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
-     malformed alternative name components were not caught during initial
-     certificate parsing, but only on subsequent calls to
-     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.