Update Changelog for 2.26.0

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

ChangeLog

@@ -1,5 +1,116 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.26.0 branch released 2021-03-08
+
+API changes
+   * Renamed the PSA Crypto API output buffer size macros to bring them in line
+     with version 1.0.0 of the specification.
+   * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
+     in bits rather than bytes, with an additional flag to indicate if the
+     size may have been rounded up to a whole number of bytes.
+   * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
+     with version 1.0.0 of the specification.
+
+Default behavior changes
+   * In mbedtls_rsa_context objects, the ver field was formerly documented
+     as always 0. It is now reserved for internal purposes and may take
+     different values.
+
+New deprecations
+   * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
+     PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
+     PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
+     deprecated.
+   * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
+     have been renamed, and the old names deprecated.
+
+Features
+   * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
+     CTR_DRBG is used by default if it is available, but you can override
+     this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
+     Fix #3354.
+   * Automatic fallback to a software implementation of ECP when
+     MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
+     through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
+   * The PSA crypto subsystem can now be configured to use less static RAM by
+     tweaking the setting for the maximum amount of keys simultaneously in RAM.
+     MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
+     can exist simultaneously. It has a sensible default if not overridden.
+   * Partial implementation of the PSA crypto driver interface: Mbed TLS can
+     now use an external random generator instead of the library's own
+     entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+     and see the documentation of mbedtls_psa_external_get_random() for details.
+   * Applications using both mbedtls_xxx and psa_xxx functions (for example,
+     applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
+     random generator with mbedtls_xxx functions. See the documentation of
+     mbedtls_psa_get_random() for details.
+   * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
+     minimum MAC or tag length thanks to the new wildcards
+     PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
+     PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
+
+Security
+   * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
+     nonce from entropy. Applications were affected if they called
+     mbedtls_ctr_drbg_set_nonce_len(), if they called
+     mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
+     length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
+     In such cases, a random nonce was necessary to achieve the advertised
+     security strength, but the code incorrectly used a constant instead of
+     entropy from the nonce.
+     Found by John Stroebel in #3819 and fixed in #3973.
+   * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
+     |A| - |B| where |B| is larger than |A| and has more limbs (so the
+     function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
+     applications calling mbedtls_mpi_sub_abs() directly are affected:
+     all calls inside the library were safe since this function is
+     only called with |A| >= |B|. Reported by Guido Vranken in #4042.
+   * Fix an errorneous estimation for an internal buffer in
+     mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
+     value the function might fail to write a private RSA keys of the largest
+     supported size.
+     Found by Daniel Otte, reported in #4093 and fixed in #4094.
+   * Fix a stack buffer overflow with mbedtls_net_poll() and
+     mbedtls_net_recv_timeout() when given a file descriptor that is
+     beyond FD_SETSIZE. Reported by FigBug in #4169.
+   * Guard against strong local side channel attack against base64 tables by
+     making access aceess to them use constant flow code.
+
+Bugfix
+   * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
+   * Fix memory leak that occured when calling psa_close_key() on a
+     wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
+   * Fix an incorrect error code if an RSA private operation glitched.
+   * Fix a memory leak in an error case in psa_generate_derived_key_internal().
+   * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
+     is enabled, on platforms where initializing a mutex allocates resources.
+     This was a regression introduced in the previous release. Reported in
+     #4017, #4045 and #4071.
+   * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
+     twice is safe. This happens for RSA when some Mbed TLS library functions
+     fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
+     enabled on platforms where freeing a mutex twice is not safe.
+   * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
+     when MBEDTLS_THREADING_C is enabled on platforms where initializing
+     a mutex allocates resources.
+   * Fixes a bug where, if the library was configured to include support for
+     both the old SE interface and the new PSA driver interface, external keys were
+     not loaded from storage. This was fixed by #3996.
+   * This change makes 'mbedtls_x509write_crt_set_basic_constraints'
+     consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
+     include this extension in all CA certificates that contain public keys
+     used to validate digital signatures on certificates and MUST mark the
+     extension as critical in such certificates." Previous to this change,
+     the extension was always marked as non-critical. This was fixed by
+     #3698.
+
+Changes
+   * A new library C file psa_crypto_client.c has been created to contain
+     the PSA code needed by a PSA crypto client when the PSA crypto
+     implementation is not included into the library.
+   * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
+     now uses the getrandom syscall instead of reading from /dev/urandom.
+
 = mbed TLS 2.25.0 branch released 2020-12-11
 
 API changes

ChangeLog.d/basic-constraints-critical.txt

@@ -1,8 +0,0 @@
-Bugfix
-   * This change makes 'mbedtls_x509write_crt_set_basic_constraints'
-     consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
-     include this extension in all CA certificates that contain public keys
-     used to validate digital signatures on certificates and MUST mark the
-     extension as critical in such certificates." Previous to this change,
-     the extension was always marked as non-critical. This was fixed by
-     #3698.

ChangeLog.d/drbg-mutex.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
-     is enabled, on platforms where initializing a mutex allocates resources.
-     This was a regression introduced in the previous release. Reported in
-     #4017, #4045 and #4071.

ChangeLog.d/external-wrapped-keys.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fixes a bug where, if the library was configured to include support for
-     both the old SE interface and the new PSA driver interface, external keys were
-     not loaded from storage. This was fixed by #3996.

ChangeLog.d/fix_psa_crypto_leak.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix a memory leak in an error case in psa_generate_derived_key_internal().

ChangeLog.d/getentropy.txt

@@ -1,3 +0,0 @@
-Changes
-   * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
-     now uses the getrandom syscall instead of reading from /dev/urandom.

ChangeLog.d/issue3819.txt

@@ -1,10 +0,0 @@
-Security
-   * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
-     nonce from entropy. Applications were affected if they called
-     mbedtls_ctr_drbg_set_nonce_len(), if they called
-     mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
-     length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
-     In such cases, a random nonce was necessary to achieve the advertised
-     security strength, but the code incorrectly used a constant instead of
-     entropy from the nonce.
-     Found by John Stroebel in #3819 and fixed in #3973.

ChangeLog.d/issue4093.txt

@@ -1,6 +0,0 @@
-Security
-   * Fix an errorneous estimation for an internal buffer in
-     mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
-     value the function might fail to write a private RSA keys of the largest
-     supported size.
-     Found by Daniel Otte, reported in #4093 and fixed in #4094.

ChangeLog.d/make_base64_table_access_constant_flow.txt

@@ -1,4 +0,0 @@
-Security
-   * Guard against strong local side channel attack against base64 tables by
-     making access aceess to them use constant flow code.
-

ChangeLog.d/mbedtls_ecc_group_of_psa.txt

@@ -1,4 +0,0 @@
-API changes
-   * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
-     in bits rather than bytes, with an additional flag to indicate if the
-     size may have been rounded up to a whole number of bytes.

ChangeLog.d/mbedtls_psa_get_random.txt

@@ -1,9 +0,0 @@
-Features
-   * Partial implementation of the PSA crypto driver interface: Mbed TLS can
-     now use an external random generator instead of the library's own
-     entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-     and see the documentation of mbedtls_psa_external_get_random() for details.
-   * Applications using both mbedtls_xxx and psa_xxx functions (for example,
-     applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
-     random generator with mbedtls_xxx functions. See the documentation of
-     mbedtls_psa_get_random() for details.

ChangeLog.d/mpi_sub_abs.txt

@@ -1,7 +0,0 @@
-Security
-   * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
-     |A| - |B| where |B| is larger than |A| and has more limbs (so the
-     function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
-     applications calling mbedtls_mpi_sub_abs() directly are affected:
-     all calls inside the library were safe since this function is
-     only called with |A| >= |B|. Reported by Guido Vranken in #4042.

ChangeLog.d/net_poll-fd_setsize.txt

@@ -1,4 +0,0 @@
-Security
-   * Fix a stack buffer overflow with mbedtls_net_poll() and
-     mbedtls_net_recv_timeout() when given a file descriptor that is
-     beyond FD_SETSIZE. Reported by FigBug in #4169.

ChangeLog.d/no_ecp_fallback.txt

@@ -1,4 +0,0 @@
-Features
-   * Automatic fallback to a software implementation of ECP when
-     MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
-     through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.

ChangeLog.d/programs-ssl-use-after-scope.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c

ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt

@@ -1,7 +0,0 @@
-API changes
-   * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
-     with version 1.0.0 of the specification.
-
-New deprecations
-   * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
-     have been renamed, and the old names deprecated.

ChangeLog.d/psa-crypto-client.txt

@@ -1,4 +0,0 @@
-Changes
-   * A new library C file psa_crypto_client.c has been created to contain
-     the PSA code needed by a PSA crypto client when the PSA crypto
-     implementation is not included into the library.

ChangeLog.d/psa-crypto-hmac-drbg.txt

@@ -1,5 +0,0 @@
-Features
-   * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
-     CTR_DRBG is used by default if it is available, but you can override
-     this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
-     Fix #3354.

ChangeLog.d/psa-crypto-new-wildcard-policies.txt

@@ -1,5 +0,0 @@
-Features
-   * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
-     minimum MAC or tag length thanks to the new wildcards
-     PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
-     PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.

ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt

@@ -1,9 +0,0 @@
-API changes
-   * Renamed the PSA Crypto API output buffer size macros to bring them in line
-     with version 1.0.0 of the specification.
-
-New deprecations
-   * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
-     PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
-     PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
-     deprecated.

ChangeLog.d/psa_allow_tweaking_library_configuration.txt

@@ -1,5 +0,0 @@
-Features
-   * The PSA crypto subsystem can now be configured to use less static RAM by
-     tweaking the setting for the maximum amount of keys simultaneously in RAM.
-     MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
-     can exist simultaneously. It has a sensible default if not overridden.

ChangeLog.d/psa_close_key_memory_leak_fix.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix memory leak that occured when calling psa_close_key() on a
-     wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.

ChangeLog.d/rsa-mutex.txt

@@ -1,13 +0,0 @@
-Bugfix
-   * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
-     twice is safe. This happens for RSA when some Mbed TLS library functions
-     fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
-     enabled on platforms where freeing a mutex twice is not safe.
-   * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
-     when MBEDTLS_THREADING_C is enabled on platforms where initializing
-     a mutex allocates resources.
-
-Default behavior changes
-   * In mbedtls_rsa_context objects, the ver field was formerly documented
-     as always 0. It is now reserved for internal purposes and may take
-     different values.

ChangeLog.d/rsa_private-ret.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix an incorrect error code if an RSA private operation glitched.