Assemble changelog

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

46 files changed, 206 insertions, 240 deletions

diff --git a/ChangeLog b/ChangeLog
index 80b86175f..d79a0506c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,211 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS 3.3.0 branch released 2022-12-14
+
+API changes
+   * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
+     calculation that can be used to derive the session secret in TLS 1.2,
+     as described in draft-cragie-tls-ecjpake-01. This can be achieved by
+     using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.
+
+Default behavior changes
+   * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
+     of the IETF draft, and was marked experimental and disabled by default.
+     It is now no longer experimental, and implements the final version from
+     RFC 9146, which is not interoperable with the draft-05 version.
+     If you need to communicate with peers that use earlier versions of
+     Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+     to 1, but then you won't be able to communicate with peers that use the
+     standard (non-draft) version.
+     If you need to interoperate with both classes of peers with the
+     same build of Mbed TLS, please let us know about your situation on the
+     mailing list or GitHub.
+
+Requirement changes
+   * When building with PSA drivers using generate_driver_wrappers.py, or
+     when building the library from the development branch rather than
+     from a release, the Python module jsonschema is now necessary, in
+     addition to jinja2. The official list of required Python modules is
+     maintained in scripts/basic.requirements.txt and may change again
+     in the future.
+
+New deprecations
+   * Deprecate mbedtls_asn1_free_named_data().
+     Use mbedtls_asn1_free_named_data_list()
+     or mbedtls_asn1_free_named_data_list_shallow().
+
+Features
+   * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
+   * make: enable building unversioned shared library, with e.g.:
+     "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
+     resulting in library names like "libmbedtls.so" rather than
+     "libmbedcrypto.so.11".
+   * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
+     Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
+     are supported in this implementation.
+   * Some modules can now use PSA drivers for hashes, including with no
+     built-in implementation present, but only in some configurations.
+     - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
+       hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
+     - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
+       when) MBEDTLS_MD5_C is disabled.
+     See the documentation of the corresponding macros in mbedtls_config.h for
+     details.
+     Note that some modules are not able to use hashes from PSA yet, including
+     the entropy module. As a consequence, for now the only way to build with
+     all hashes only provided by drivers (no built-in hash) is to use
+     MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
+   * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
+     properly negotiate/accept hashes based on their availability in PSA.
+     As a consequence, they now work in configurations where the built-in
+     implementations of (some) hashes are excluded and those hashes are only
+     provided by PSA drivers. (See previous entry for limitation on RSA-PSS
+     though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
+   * Add support for opaque keys as the private keys associated to certificates
+     for authentication in TLS 1.3.
+   * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
+     Signature verification is production-ready, but generation is for testing
+     purposes only. This currently only supports one parameter set
+     (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
+     1024 messages. As such, it is not intended for use in TLS, but instead
+     for verification of assets transmitted over an insecure channel,
+     particularly firmware images.
+   * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
+     required for LMS. This can be used independently, but each key can only
+     be used to sign one message so is impractical for most circumstances.
+   * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
+     The pre-shared keys can be provisioned externally or via the ticket
+     mechanism (session resumption).
+     The ticket mechanism is supported when the configuration option
+     MBEDTLS_SSL_SESSION_TICKETS is enabled.
+     New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
+     control the support for the three possible TLS 1.3 key exchange modes.
+   * cert_write: support for setting extended key usage attributes. A
+     corresponding new public API call has been added in the library,
+     mbedtls_x509write_crt_set_ext_key_usage().
+   * cert_write: support for writing certificate files in either PEM
+     or DER format.
+   * The PSA driver wrapper generator generate_driver_wrappers.py now
+     supports a subset of the driver description language, including
+     the following entry points: import_key, export_key, export_public_key,
+     get_builtin_key, copy_key.
+   * The new functions mbedtls_asn1_free_named_data_list() and
+     mbedtls_asn1_free_named_data_list_shallow() simplify the management
+     of memory in named data lists in X.509 structures.
+   * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
+     Additional PSA key slots will be allocated in the process of such key
+     exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
+     MBEDTLS_USE_PSA_CRYPTO.
+   * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
+     MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
+     mbedtls_ssl_set_cid().
+   * Add a driver dispatch layer for raw key agreement, enabling alternative
+     implementations of raw key agreement through the key_agreement driver
+     entry point. This entry point is specified in the proposed PSA driver
+     interface, but had not yet been implemented.
+
+Security
+   * Fix potential heap buffer overread and overwrite in DTLS if
+     MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
+     MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
+   * An adversary with access to precise enough information about memory
+     accesses (typically, an untrusted operating system attacking a secure
+     enclave) could recover an RSA private key after observing the victim
+     performing a single private-key operation if the window size used for the
+     exponentiation was 3 or smaller. Found and reported by Zili KOU,
+     Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
+     and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
+     and Test in Europe 2023.
+
+Bugfix
+   * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
+   * Fix an issue with in-tree CMake builds in releases with GEN_FILES
+     turned off: if a shipped file was missing from the working directory,
+     it could be turned into a symbolic link to itself.
+   * Fix a long-standing build failure when building x86 PIC code with old
+     gcc (4.x). The code will be slower, but will compile. We do however
+     recommend upgrading to a more recent compiler instead. Fixes #1910.
+   * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
+     Contributed by Kazuyuki Kimura to fix #2020.
+   * Use double quotes to include private header file psa_crypto_cipher.h.
+     Fixes 'file not found with <angled> include' error
+     when building with Xcode.
+   * Fix handling of broken symlinks when loading certificates using
+     mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
+     broken link is encountered, skip the broken link and continue parsing
+     other certificate files. Contributed by Eduardo Silva in #2602.
+   * Fix an interoperability failure between an Mbed TLS client with both
+     TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
+     rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
+     advertised support for PSS in both TLS 1.2 and 1.3, but only
+     actually supported PSS in TLS 1.3.
+   * Fix a compilation error when using CMake with an IAR toolchain.
+     Fixes #5964.
+   * Fix a build error due to a missing prototype warning when
+     MBEDTLS_DEPRECATED_REMOVED is enabled.
+   * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
+     MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
+     uninitialized context.
+   * Fix a build issue on Windows using CMake where the source and build
+     directories could not be on different drives. Fixes #5751.
+   * Fix bugs and missing dependencies when building and testing
+     configurations with only one encryption type enabled in TLS 1.2.
+   * Provide the missing definition of mbedtls_setbuf() in some configurations
+     with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
+   * Fix compilation errors when trying to build with
+     PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
+   * Fix memory leak in ssl_parse_certificate_request() caused by
+     mbedtls_x509_get_name() not freeing allocated objects in case of error.
+     Change mbedtls_x509_get_name() to clean up allocated objects on error.
+   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
+     MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
+   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
+     MBEDTLS_PK_PARSE_C. Fixes #6409.
+   * Fix ECDSA verification, where it was not always validating the
+     public key. This bug meant that it was possible to verify a
+     signature with an invalid public key, in some cases. Reported by
+     Guido Vranken using Cryptofuzz in #4420.
+   * Fix a possible null pointer dereference if a memory allocation fails
+     in TLS PRF code. Reported by Michael Madsen in #6516.
+   * Fix TLS 1.3 session resumption. Fixes #6488.
+   * Add a configuration check to exclude optional client authentication
+     in TLS 1.3 (where it is forbidden).
+   * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
+     bytes when parsing certificates containing a binary RFC 4108
+     HardwareModuleName as a Subject Alternative Name extension. Hardware
+     serial numbers are now rendered in hex format. Fixes #6262.
+   * Fix bug in error reporting in dh_genprime.c where upon failure,
+     the error code returned by mbedtls_mpi_write_file() is overwritten
+     and therefore not printed.
+   * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
+     with A > 0 created an unintended representation of the value 0 which was
+     not processed correctly by some bignum operations. Fix this. This had no
+     consequence on cryptography code, but might affect applications that call
+     bignum directly and use negative numbers.
+   * Fix a bug whereby the list of signature algorithms sent as part of
+     the TLS 1.2 server certificate request would get corrupted, meaning the
+     first algorithm would not get sent and an entry consisting of two random
+     bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
+   * Fix undefined behavior (typically harmless in practice) of
+     mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
+     when both operands are 0 and the left operand is represented with 0 limbs.
+   * Fix undefined behavior (typically harmless in practice) when some bignum
+     functions receive the most negative value of mbedtls_mpi_sint. Credit
+     to OSS-Fuzz. Fixes #6597.
+   * Fix undefined behavior (typically harmless in practice) in PSA ECB
+     encryption and decryption.
+   * Move some SSL-specific code out of libmbedcrypto where it had been placed
+     accidentally.
+   * Fix a build error when compiling the bignum module for some Arm platforms.
+     Fixes #6089, #6124, #6217.
+
+Changes
+   * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
+   * Calling AEAD tag-specific functions for non-AEAD algorithms (which
+     should not be done - they are documented for use only by AES-GCM and
+     ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+     instead of success (0).
+
 = Mbed TLS 3.2.1 branch released 2022-07-12
 
 Bugfix
diff --git a/ChangeLog.d/LMS.txt b/ChangeLog.d/LMS.txt
deleted file mode 100644
index 785bfcf84..000000000
--- a/ChangeLog.d/LMS.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Features
-    * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
-      Signature verification is production-ready, but generation is for testing
-      purposes only. This currently only supports one parameter set
-      (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
-      1024 messages. As such, it is not intended for use in TLS, but instead
-      for verification of assets transmitted over an insecure channel,
-      particularly firmware images.
-    * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
-      required for LMS. This can be used independently, but each key can only
-      be used to sign one message so is impractical for most circumstances.
diff --git a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
deleted file mode 100644
index 0d409688e..000000000
--- a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
-   * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
-Bugfix
-   * Fix an interoperability failure between an Mbed TLS client with both
-     TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
-     rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
-     advertised support for PSS in both TLS 1.2 and 1.3, but only
-     actually supported PSS in TLS 1.3.
diff --git a/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt b/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
deleted file mode 100644
index 1d59c2277..000000000
--- a/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a long-standing build failure when building x86 PIC code with old
-     gcc (4.x). The code will be slower, but will compile. We do however
-     recommend upgrading to a more recent compiler instead. Fixes #1910.
diff --git a/ChangeLog.d/cert_write-set-extended-key-usages.txt b/ChangeLog.d/cert_write-set-extended-key-usages.txt
deleted file mode 100644
index 18b7b040d..000000000
--- a/ChangeLog.d/cert_write-set-extended-key-usages.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * cert_write: support for setting extended key usage attributes. A
-     corresponding new public API call has been added in the library,
-     mbedtls_x509write_crt_set_ext_key_usage().
-   * cert_write: support for writing certificate files in either PEM
-     or DER format.
diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt
deleted file mode 100644
index 6ccd199ba..000000000
--- a/ChangeLog.d/driver-only-hashes.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Features
-   * Some modules can now use PSA drivers for hashes, including with no
-     built-in implementation present, but only in some configurations.
-     - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
-       hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
-     - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
-       when) MBEDTLS_MD5_C is disabled.
-     See the documentation of the corresponding macros in mbedtls_config.h for
-     details.
-     Note that some modules are not able to use hashes from PSA yet, including
-     the entropy module. As a consequence, for now the only way to build with
-     all hashes only provided by drivers (no built-in hash) is to use
-     MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
-   * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
-     properly negotiate/accept hashes based on their availability in PSA.
-     As a consequence, they now work in configurations where the built-in
-     implementations of (some) hashes are excluded and those hashes are only
-     provided by PSA drivers. (See previous entry for limitation on RSA-PSS
-     though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt
deleted file mode 100644
index 840f837d8..000000000
--- a/ChangeLog.d/dtls-connection-id.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-Features
-   * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
-     MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
-     mbedtls_ssl_set_cid().
-
-Default behavior changes
-   * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
-     of the IETF draft, and was marked experimental and disabled by default.
-     It is now no longer experimental, and implements the final version from
-     RFC 9146, which is not interoperable with the draft-05 version.
-     If you need to communicate with peers that use earlier versions of
-     Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
-     to 1, but then you won't be able to communicate with peers that use the
-     standard (non-draft) version.
-     If you need to interoperate with both classes of peers with the
-     same build of Mbed TLS, please let us know about your situation on the
-     mailing list or GitHub.
diff --git a/ChangeLog.d/ecdsa-verify-fixes.txt b/ChangeLog.d/ecdsa-verify-fixes.txt
deleted file mode 100644
index b41b0461a..000000000
--- a/ChangeLog.d/ecdsa-verify-fixes.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix ECDSA verification, where it was not always validating the
-     public key. This bug meant that it was possible to verify a
-     signature with an invalid public key, in some cases. Reported by
-     Guido Vranken using Cryptofuzz in #4420.
diff --git a/ChangeLog.d/ecjpake-in-tls.txt b/ChangeLog.d/ecjpake-in-tls.txt
deleted file mode 100644
index b84caab86..000000000
--- a/ChangeLog.d/ecjpake-in-tls.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
-     Additional PSA key slots will be allocated in the process of such key
-     exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
-     MBEDTLS_USE_PSA_CRYPTO.
diff --git a/ChangeLog.d/ecjpake_to_pms.txt b/ChangeLog.d/ecjpake_to_pms.txt
deleted file mode 100644
index 4dd2075de..000000000
--- a/ChangeLog.d/ecjpake_to_pms.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
-   * Add an ad-hoc key derivation function handling ECJPAKE to PMS
-     calculation that can be used to derive the session secret in TLS 1.2,
-     as described in draft-cragie-tls-ecjpake-01. This can be achieved by
-     using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.
diff --git a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt b/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt
deleted file mode 100644
index 99b2ec4ee..000000000
--- a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Changes
-   * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
diff --git a/ChangeLog.d/fix-aes-shallow-copying.txt b/ChangeLog.d/fix-aes-shallow-copying.txt
deleted file mode 100644
index 0c119d628..000000000
--- a/ChangeLog.d/fix-aes-shallow-copying.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
-   * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
diff --git a/ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt b/ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt
deleted file mode 100644
index fe62c28ed..000000000
--- a/ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-    * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
-      MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
-      uninitialized context.
diff --git a/ChangeLog.d/fix-in-cid-buffer-size.txt b/ChangeLog.d/fix-in-cid-buffer-size.txt
deleted file mode 100644
index 8a6c85023..000000000
--- a/ChangeLog.d/fix-in-cid-buffer-size.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
-    * Fix potential heap buffer overread and overwrite in DTLS if
-      MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
-      MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
diff --git a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
deleted file mode 100644
index 1f9e0aa35..000000000
--- a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
-   * Calling AEAD tag-specific functions for non-AEAD algorithms (which
-     should not be done - they are documented for use only by AES-GCM and
-     ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
-     instead of success (0).
diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
deleted file mode 100644
index b74c6ec20..000000000
--- a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-    * Fix a bug whereby the list of signature algorithms sent as part of
-      the TLS 1.2 server certificate request would get corrupted, meaning the
-      first algorithm would not get sent and an entry consisting of two random
-      bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
diff --git a/ChangeLog.d/fix_aead_psa_driver_build.txt b/ChangeLog.d/fix_aead_psa_driver_build.txt
deleted file mode 100644
index a6d11d38d..000000000
--- a/ChangeLog.d/fix_aead_psa_driver_build.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix compilation errors when trying to build with
-     PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
diff --git a/ChangeLog.d/fix_arm_compile_erorr.txt b/ChangeLog.d/fix_arm_compile_erorr.txt
deleted file mode 100644
index 28c1d45e2..000000000
--- a/ChangeLog.d/fix_arm_compile_erorr.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-    * Fix a build error when compiling the bignum module for some Arm platforms.
-      Fixes #6089, #6124, #6217.
diff --git a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
deleted file mode 100644
index f0fa00046..000000000
--- a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-    * Fix a build error due to a missing prototype warning when
-      MBEDTLS_DEPRECATED_REMOVED is enabled.
diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
deleted file mode 100644
index c7d269142..000000000
--- a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-    * Fix bugs and missing dependencies when building and testing
-      configurations with only one encryption type enabled in TLS 1.2.
diff --git a/ChangeLog.d/fix_cmake_gen_files.txt b/ChangeLog.d/fix_cmake_gen_files.txt
deleted file mode 100644
index cdec6e8a6..000000000
--- a/ChangeLog.d/fix_cmake_gen_files.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix an issue with in-tree CMake builds in releases with GEN_FILES
-     turned off: if a shipped file was missing from the working directory,
-     it could be turned into a symbolic link to itself.
diff --git a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
deleted file mode 100644
index 9ec6e0d6b..000000000
--- a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error when using CMake with an IAR toolchain.
-     Fixes #5964.
diff --git a/ChangeLog.d/fix_dh_genprime_error_reporting.txt b/ChangeLog.d/fix_dh_genprime_error_reporting.txt
deleted file mode 100644
index 1c98947f3..000000000
--- a/ChangeLog.d/fix_dh_genprime_error_reporting.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix bug in error reporting in dh_genprime.c where upon failure,
-     the error code returned by mbedtls_mpi_write_file() is overwritten
-     and therefore not printed.
diff --git a/ChangeLog.d/fix_hard_link_across_drives.txt b/ChangeLog.d/fix_hard_link_across_drives.txt
deleted file mode 100644
index 46d05c0cf..000000000
--- a/ChangeLog.d/fix_hard_link_across_drives.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a build issue on Windows using CMake where the source and build
-     directories could not be on different drives. Fixes #5751.
diff --git a/ChangeLog.d/fix_psa_crypto_cipher_h_include.txt b/ChangeLog.d/fix_psa_crypto_cipher_h_include.txt
deleted file mode 100644
index bf2e65dd4..000000000
--- a/ChangeLog.d/fix_psa_crypto_cipher_h_include.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Use double quotes to include private header file psa_crypto_cipher.h.
-     Fixes 'file not found with <angled> include' error
-     when building with Xcode.
diff --git a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt b/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt
deleted file mode 100644
index 9f5c6499d..000000000
--- a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-    * Fix TLS 1.3 session resumption. Fixes #6488.
-    * Add a configuration check to exclude optional client authentication
-      in TLS 1.3 (where it is forbidden).
diff --git a/ChangeLog.d/fix_x509_get_name_mem_leak.txt b/ChangeLog.d/fix_x509_get_name_mem_leak.txt
deleted file mode 100644
index 358d1afa7..000000000
--- a/ChangeLog.d/fix_x509_get_name_mem_leak.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-    * Fix memory leak in ssl_parse_certificate_request() caused by
-      mbedtls_x509_get_name() not freeing allocated objects in case of error.
-      Change mbedtls_x509_get_name() to clean up allocated objects on error.
diff --git a/ChangeLog.d/fix_x509_info_hwmodulename.txt b/ChangeLog.d/fix_x509_info_hwmodulename.txt
deleted file mode 100644
index 8b227cec3..000000000
--- a/ChangeLog.d/fix_x509_info_hwmodulename.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
-     bytes when parsing certificates containing a binary RFC 4108
-     HardwareModuleName as a Subject Alternative Name extension. Hardware
-     serial numbers are now rendered in hex format. Fixes #6262.
diff --git a/ChangeLog.d/fix_zeroization.txt b/ChangeLog.d/fix_zeroization.txt
deleted file mode 100644
index 8b00dcc98..000000000
--- a/ChangeLog.d/fix_zeroization.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a possible null pointer dereference if a memory allocation fails
-     in TLS PRF code. Reported by Michael Madsen in #6516.
diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt
deleted file mode 100644
index 3459bbe2d..000000000
--- a/ChangeLog.d/mbedtls_asn1_type_free.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
-   * The new functions mbedtls_asn1_free_named_data_list() and
-     mbedtls_asn1_free_named_data_list_shallow() simplify the management
-     of memory in named data lists in X.509 structures.
-New deprecations
-   * Deprecate mbedtls_asn1_free_named_data().
-     Use mbedtls_asn1_free_named_data_list()
-     or mbedtls_asn1_free_named_data_list_shallow().
diff --git a/ChangeLog.d/move-ssl-modules.txt b/ChangeLog.d/move-ssl-modules.txt
deleted file mode 100644
index f00e5ad83..000000000
--- a/ChangeLog.d/move-ssl-modules.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Move some SSL-specific code out of libmbedcrypto where it had been placed
-     accidentally.
diff --git a/ChangeLog.d/mpi-add-0-ub.txt b/ChangeLog.d/mpi-add-0-ub.txt
deleted file mode 100644
index 9f131a430..000000000
--- a/ChangeLog.d/mpi-add-0-ub.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix undefined behavior (typically harmless in practice) of
-     mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
-     when both operands are 0 and the left operand is represented with 0 limbs.
diff --git a/ChangeLog.d/mpi-most-negative-sint.txt b/ChangeLog.d/mpi-most-negative-sint.txt
deleted file mode 100644
index 5e775c482..000000000
--- a/ChangeLog.d/mpi-most-negative-sint.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix undefined behavior (typically harmless in practice) when some bignum
-     functions receive the most negative value of mbedtls_mpi_sint. Credit
-     to OSS-Fuzz. Fixes #6597.
diff --git a/ChangeLog.d/muladdc_microblaze.txt b/ChangeLog.d/muladdc_microblaze.txt
deleted file mode 100644
index 70fdff020..000000000
--- a/ChangeLog.d/muladdc_microblaze.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
-     Contributed by Kazuyuki Kimura to fix #2020.
diff --git a/ChangeLog.d/negative-zero-from-add.txt b/ChangeLog.d/negative-zero-from-add.txt
deleted file mode 100644
index 107d858d3..000000000
--- a/ChangeLog.d/negative-zero-from-add.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
-   * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
-     with A > 0 created an unintended representation of the value 0 which was
-     not processed correctly by some bignum operations. Fix this. This had no
-     consequence on cryptography code, but might affect applications that call
-     bignum directly and use negative numbers.
diff --git a/ChangeLog.d/nonversioned-library-soname.txt b/ChangeLog.d/nonversioned-library-soname.txt
deleted file mode 100644
index 8d83a2d6d..000000000
--- a/ChangeLog.d/nonversioned-library-soname.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * make: enable building unversioned shared library, with e.g.:
-     "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
-     resulting in library names like "libmbedtls.so" rather than
-     "libmbedcrypto.so.11".
diff --git a/ChangeLog.d/platform-setbuf.txt b/ChangeLog.d/platform-setbuf.txt
deleted file mode 100644
index 844f70cf2..000000000
--- a/ChangeLog.d/platform-setbuf.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Provide the missing definition of mbedtls_setbuf() in some configurations
-     with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
diff --git a/ChangeLog.d/psa-ecb-ub.txt b/ChangeLog.d/psa-ecb-ub.txt
deleted file mode 100644
index 9d725ac70..000000000
--- a/ChangeLog.d/psa-ecb-ub.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix undefined behavior (typically harmless in practice) in PSA ECB
-     encryption and decryption.
diff --git a/ChangeLog.d/psa_crypto_code_gen_1_1.txt b/ChangeLog.d/psa_crypto_code_gen_1_1.txt
deleted file mode 100644
index e10a81c9a..000000000
--- a/ChangeLog.d/psa_crypto_code_gen_1_1.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Features
-    * The PSA driver wrapper generator generate_driver_wrappers.py now
-      supports a subset of the driver description language, including
-      the following entry points: import_key, export_key, export_public_key,
-      get_builtin_key, copy_key.
-
-Requirement changes
-   * When building with PSA drivers using generate_driver_wrappers.py, or
-     when building the library from the development branch rather than
-     from a release, the Python module jsonschema is now necessary, in
-     addition to jinja2. The official list of required Python modules is
-     maintained in scripts/basic.requirements.txt and may change again
-     in the future.
diff --git a/ChangeLog.d/psa_crypto_pake.txt b/ChangeLog.d/psa_crypto_pake.txt
deleted file mode 100644
index e0ae04638..000000000
--- a/ChangeLog.d/psa_crypto_pake.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-    * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
-      Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
-      are supported in this implementation.
diff --git a/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt b/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt
deleted file mode 100644
index b9c78a645..000000000
--- a/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add a driver dispatch layer for raw key agreement, enabling alternative
-     implementations of raw key agreement through the key_agreement driver
-     entry point. This entry point is specified in the proposed PSA driver
-     interface, but had not yet been implemented.
diff --git a/ChangeLog.d/psa_rsa_needs_pk.txt b/ChangeLog.d/psa_rsa_needs_pk.txt
deleted file mode 100644
index 995963d7e..000000000
--- a/ChangeLog.d/psa_rsa_needs_pk.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
-     MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
-   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
-     MBEDTLS_PK_PARSE_C. Fixes #6409.
diff --git a/ChangeLog.d/rsa-fix-priviliged-side-channel.txt b/ChangeLog.d/rsa-fix-priviliged-side-channel.txt
deleted file mode 100644
index bafe18d30..000000000
--- a/ChangeLog.d/rsa-fix-priviliged-side-channel.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Security
-   * An adversary with access to precise enough information about memory
-     accesses (typically, an untrusted operating system attacking a secure
-     enclave) could recover an RSA private key after observing the victim
-     performing a single private-key operation if the window size used for the
-     exponentiation was 3 or smaller. Found and reported by Zili KOU,
-     Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
-     and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
-     and Test in Europe 2023.
-
diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt
deleted file mode 100644
index 673317328..000000000
--- a/ChangeLog.d/tls13-misc.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
-   * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
-     The pre-shared keys can be provisioned externally or via the ticket
-     mechanism (session resumption).
-     The ticket mechanism is supported when the configuration option
-     MBEDTLS_SSL_SESSION_TICKETS is enabled.
-     New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
-     control the support for the three possible TLS 1.3 key exchange modes.
diff --git a/ChangeLog.d/tls13_sig_alg_selection.txt b/ChangeLog.d/tls13_sig_alg_selection.txt
deleted file mode 100644
index 8857750b4..000000000
--- a/ChangeLog.d/tls13_sig_alg_selection.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add support for opaque keys as the private keys associated to certificates
-     for authentication in TLS 1.3.
diff --git a/ChangeLog.d/x509-broken-symlink-handling.txt b/ChangeLog.d/x509-broken-symlink-handling.txt
deleted file mode 100644
index 52288dc08..000000000
--- a/ChangeLog.d/x509-broken-symlink-handling.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix handling of broken symlinks when loading certificates using
-     mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
-     broken link is encountered, skip the broken link and continue parsing
-     other certificate files. Contributed by Eduardo Silva in #2602.