authorMinos Galanakis <minos.galanakis@arm.com>2023-10-03 22:03:50 +0100
committerMinos Galanakis <minos.galanakis@arm.com>2023-10-03 22:08:39 +0100
commit80a81563141959a3b50b7654f270c5a02ce2b694 (patch)
tree98c6dd62d9cad89b021b37a32377cc23c0e05c92
parent31ca313efa2e8cb71c1c948b8a3ec0ffba8df55b (diff)
downloadmbedtls-80a81563141959a3b50b7654f270c5a02ce2b694.tar.gz
Prepare ChangeLog for 3.5.0 release
``` ./scripts/assemble_changelog.py ``` Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
-rw-r--r--ChangeLog286
-rw-r--r--ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt18
-rw-r--r--ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt13
-rw-r--r--ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt4
-rw-r--r--ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt9
-rw-r--r--ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt3
-rw-r--r--ChangeLog.d/add-aes-128bit-only.txt4
-rw-r--r--ChangeLog.d/add-aes-hardware-only-option.txt6
-rw-r--r--ChangeLog.d/add-directoryname-san.txt3
-rw-r--r--ChangeLog.d/add-getters-for-some-fields.txt7
-rw-r--r--ChangeLog.d/add-milliseconds-time-api.txt5
-rw-r--r--ChangeLog.d/add-missing-md-includes.txt5
-rw-r--r--ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt7
-rw-r--r--ChangeLog.d/add-pbkdf2-cmac.txt2
-rw-r--r--ChangeLog.d/add-pbkdf2-hmac.txt2
-rw-r--r--ChangeLog.d/add-psa_want_alg_some_pake.txt3
-rw-r--r--ChangeLog.d/add-rfc822-directoryname-csr-gen.txt3
-rw-r--r--ChangeLog.d/add-subjectAltName-certs.txt6
-rw-r--r--ChangeLog.d/aes-perf.txt7
-rw-r--r--ChangeLog.d/armclang-compile-fix.txt7
-rw-r--r--ChangeLog.d/basic-uri-verification.txt4
-rw-r--r--ChangeLog.d/bugfix_iar_typo.txt3
-rw-r--r--ChangeLog.d/check-set_padding-is-called.txt5
-rw-r--r--ChangeLog.d/cmake-pass-through-config-defines.txt3
-rw-r--r--ChangeLog.d/config_psa-include-order.txt4
-rw-r--r--ChangeLog.d/driver-ffdh.txt5
-rw-r--r--ChangeLog.d/driver-only-ecc.txt23
-rw-r--r--ChangeLog.d/driver-only-hashes.txt11
-rw-r--r--ChangeLog.d/ec_jpake_user_peer_2.txt3
-rw-r--r--ChangeLog.d/enforce-min-RSA-key-size.txt3
-rw-r--r--ChangeLog.d/extend-distinguished-names.txt3
-rw-r--r--ChangeLog.d/extend-pk-opaque-ecc.txt6
-rw-r--r--ChangeLog.d/ffdh-tls-1-3.txt6
-rw-r--r--ChangeLog.d/fix-a-few-unchecked-return.txt3
-rw-r--r--ChangeLog.d/fix-aes-cbc-iv-corruption.txt3
-rw-r--r--ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt4
-rw-r--r--ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt5
-rw-r--r--ChangeLog.d/fix-empty-enum.txt3
-rw-r--r--ChangeLog.d/fix-hrr-in-psk-kem.txt5
-rw-r--r--ChangeLog.d/fix-iar-compiler-warnings.txt2
-rw-r--r--ChangeLog.d/fix-ilp32.txt4
-rw-r--r--ChangeLog.d/fix-log-level-msg.txt2
-rw-r--r--ChangeLog.d/fix-string-to-names-retcode.txt3
-rw-r--r--ChangeLog.d/fix-tfm-build.txt5
-rw-r--r--ChangeLog.d/fix-tls-padbuf-zeroization.txt4
-rw-r--r--ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt4
-rw-r--r--ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt3
-rw-r--r--ChangeLog.d/initialize-struct-get-other-name.txt8
-rw-r--r--ChangeLog.d/inject-entropy.txt2
-rw-r--r--ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt3
-rw-r--r--ChangeLog.d/mbedtls_x509_time.txt3
-rw-r--r--ChangeLog.d/misc-from-psa-crypto.txt3
-rw-r--r--ChangeLog.d/oid-parse-from-numeric-string.txt3
-rw-r--r--ChangeLog.d/p256-m.txt5
-rw-r--r--ChangeLog.d/padding-ct-changelog.txt6
-rw-r--r--ChangeLog.d/programs_psa_fix.txt3
-rw-r--r--ChangeLog.d/psa_crypto_user_config_file.txt3
-rw-r--r--ChangeLog.d/python3.8.txt2
-rw-r--r--ChangeLog.d/rename_psa_crypto_driver_wrappers.txt5
-rw-r--r--ChangeLog.d/rfc8410.txt3
-rw-r--r--ChangeLog.d/safer-ct.txt6
-rw-r--r--ChangeLog.d/sha3.txt3
-rw-r--r--ChangeLog.d/sha384-blocksize.txt6
-rw-r--r--ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt5
-rw-r--r--ChangeLog.d/ssl_debug_helpers-stack_usage.txt3
-rw-r--r--ChangeLog.d/ssl_decrypt_buf-short_record.txt3
-rw-r--r--ChangeLog.d/ssl_premaster_secret-empty.txt3
-rw-r--r--ChangeLog.d/tls13-custom-config.txt3
-rw-r--r--ChangeLog.d/tls13-server-version-negotiation.txt5
-rw-r--r--ChangeLog.d/updated_windows_apis.txt9
-rw-r--r--ChangeLog.d/use_heap_rsa_signature.txt4
-rw-r--r--ChangeLog.d/verify-ip-sans-properly.txt2
-rw-r--r--ChangeLog.d/x509-ec-algorithm-identifier-fix.txt4
-rw-r--r--ChangeLog.d/xxx_psa_peerkey.txt8
74 files changed, 286 insertions, 356 deletions
diff --git a/ChangeLog b/ChangeLog
index bc1d32e4d..1758e7d37 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,291 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+ * Mbed TLS 3.4 introduced support for omitting the built-in implementation
+ of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
+ their was a flaw in the logic checking if the built-in implementation, in
+ that if failed to check if all the relevant curves were supported by the
+ accelerator. As a result, it was possible to declare no curves as
+ accelerated and still have the built-in implementation compiled out.
+ Starting with this release, it is necessary to declare which curves are
+ accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
+ considered not accelerated, and the built-in implementation of the curves
+ and any algorithm possible using them will be included in the build.
+ * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
+ function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
+ can be created using an ALT interface.
+
+Requirement changes
+ * Officially require Python 3.8 now that earlier versions are out of support.
+ * Minimum required Windows version is now Windows Vista, or
+ Windows Server 2008.
+
+New deprecations
+ * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
+ MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
+ are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
+ MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
+ IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
+ the capabilities of the PSA side for either key.
+ * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
+ MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
+ maximum size of any supported block cipher) or the new name
+ MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
+ maximum size of a block cipher supported by the CMAC module).
+ * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
+ deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
+ mbedtls_pkcs12_pbe_ext() as they offer more security by checking
+ for overflow of the output buffer and reporting the actual length
+ of the output.
+
+Features
+ * All modules that use hashes or HMAC can now take advantage of PSA Crypto
+ drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
+ been called. Previously (in 3.3), this was restricted to a few modules,
+ and only in builds where MBEDTLS_MD_C was disabled; in particular the
+ entropy module was not covered which meant an external RNG had to be
+ provided - these limitations are lifted in this version. A new set of
+ feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
+ to check for availability of hash algorithms, regardless of whether
+ they're provided by a built-in implementation, a driver or both. See
+ docs/driver-only-builds.md.
+ * When a PSA driver for ECDH is present, it is now possible to disable
+ MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
+ key exchanges based on ECDH(E) to work, this requires
+ MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
+ TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
+ as PSA does not have an API for restartable ECDH yet.
+ * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
+ a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
+ if not required by another module) and still get support for ECC keys and
+ algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
+ for details.
+ * Add parsing of directoryName subtype for subjectAltName extension in
+ x509 certificates.
+ * Add support for server-side TLS version negotiation. If both TLS 1.2 and
+ TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
+ TLS 1.3 depending on the capabilities and preferences of TLS clients.
+ Fixes #6867.
+ * X.509 hostname verification now supports IPAddress Subject Alternate Names.
+ * Add support for reading and writing X25519 and X448
+ public and private keys in RFC 8410 format using the existing PK APIs.
+ * When parsing X.509 certificates, support the extensions
+ SignatureKeyIdentifier and AuthorityKeyIdentifier.
+ * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
+ if no PAKE algorithms are requested
+ * Add support for the FFDH algorithm and DH key types in PSA, with
+ parameters from RFC 7919. This includes a built-in implementation based
+ on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
+ implementations of FFDH through the driver entry points.
+ * It is now possible to generate certificates with SubjectAltNames.
+ Currently supported subtypes: DnsName, UniformResourceIdentifier,
+ IP address, OtherName, and DirectoryName, as defined in RFC 5280.
+ See mbedtls_x509write_crt_set_subject_alternative_name for
+ more information.
+ * X.509 hostname verification now partially supports URI Subject Alternate
+ Names. Only exact matching, without any normalization procedures
+ described in 7.4 of RFC5280, will result in a positive URI verification.
+ * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
+ string to a DER-encoded mbedtls_asn1_buf.
+ * Add SHA-3 family hash functions.
+ * Add support to restrict AES to 128-bit keys in order to save code size.
+ A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
+ used to enable this feature.
+ * AES performance improvements. Uplift varies by platform,
+ toolchain, optimisation flags and mode.
+ Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
+ On Aarch64, uplift is typically around 20 - 110%.
+ When compiling with gcc -Os on Aarch64, AES-XTS improves
+ by 4.5x.
+ * Add support for PBKDF2-HMAC through the PSA API.
+ * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
+ MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
+ or DH) were introduced in order to have finer accuracy in defining the
+ PSA capabilities for each key. These capabilities, named yyy above, can be
+ any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
+ - DERIVE is only available for ECC keys, not for RSA or DH ones.
+ - implementations are free to enable more than what it was strictly
+ requested. For example BASIC internally enables IMPORT and EXPORT
+ (useful for testing purposes), but this might change in the future.
+ * Add support for FFDH key exchange in TLS 1.3.
+ This is automatically enabled as soon as PSA_WANT_ALG_FFDH
+ and the ephemeral or psk-ephemeral key exchange mode are enabled.
+ By default, all groups are offered; the list of groups can be
+ configured using the existing API function mbedtls_ssl_conf_groups().
+ * Improve mbedtls_x509_time performance and reduce memory use.
+ * Reduce syscalls to time() during certificate verification.
+ * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
+ setting the CMake variable of the same name at configuration time.
+ * Add getter (mbedtls_ssl_cache_get_timeout()) to access
+ `mbedtls_ssl_cache_context.timeout`.
+ * Add getter (mbedtls_ssl_get_hostname()) to access
+ `mbedtls_ssl_context.hostname`.
+ * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
+ `mbedtls_ssl_config.endpoint`.
+ * Support for "opaque" (PSA-held) ECC keys in the PK module has been
+ extended: it is now possible to use mbedtls_pk_write_key_der(),
+ mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
+ mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
+ allow it).
+ * The documentation of mbedtls_ecp_group now describes the optimized
+ representation of A for some curves. Fixes #8045.
+ * Add a possibility to generate CSR's with RCF822 and directoryName subtype
+ of subjectAltName extension in x509 certificates.
+ * Add support for PBKDF2-CMAC through the PSA API.
+ * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
+ using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
+ disables the plain C implementation and the run-time detection for the
+ CPU feature, which reduces code size and avoids the vulnerability of the
+ plain C implementation.
+ * Accept arbitrary AttributeType and AttributeValue in certificate
+ Distinguished Names using RFC 4514 syntax.
+ * Applications using ECC over secp256r1 through the PSA API can use a
+ new implementation with a much smaller footprint, but some minor
+ usage restrictions. See the documentation of the new configuration
+ option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
+
+Security
+ * Fix a case where potentially sensitive information held in memory would not
+ be completely zeroized during TLS 1.2 handshake, in both server and client
+ configurations.
+ * In configurations with ARIA or Camellia but not AES, the value of
+ MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
+ suggest. This did not affect any library code, because this macro was
+ only used in relation with CMAC which does not support these ciphers.
+ This may affect application code that uses this macro.
+ * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
+ review the size of the output buffer passed to this function, and note
+ that the output after decryption may include CBC padding. Consider moving
+ to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
+ which checks for overflow of the output buffer and reports the actual
+ length of the output.
+ * Improve padding calculations in CBC decryption, NIST key unwrapping and
+ RSA OAEP decryption. With the previous implementation, some compilers
+ (notably recent versions of Clang and IAR) could produce non-constant
+ time code, which could allow a padding oracle attack if the attacker
+ has access to precise timing measurements.
+ * Updates to constant-time C code so that compilers are less likely to use
+ conditional instructions, which can have an observable difference in
+ timing. (Clang has been seen to do this.) Also introduce assembly
+ implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
+ guaranteed not to use conditional instructions.
+ * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
+ small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
+ undefined. Mbed TLS itself was unaffected by this, but user code
+ which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
+ release containing this bug was Mbed TLS 3.4.0.
+ * Fix a buffer overread when parsing short TLS application data records in
+ null-cipher cipher suites. Credit to OSS-Fuzz.
+ * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
+ In TLS 1.3, all configurations are affected except PSK-only ones, and
+ both clients and servers are affected.
+ In TLS 1.2, the affected configurations are those with
+ MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
+ and only servers are affected, not clients.
+ Credit to OSS-Fuzz.
+
+Bugfix
+ * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
+ PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
+ than all built-in ones and RSA is disabled.
+ Resolves #6622.
+ * Add missing md.h includes to some of the external programs from
+ the programs directory. Without this, even though the configuration
+ was sufficient for a particular program to work, it would only print
+ a message that one of the required defines is missing.
+ * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
+ in the ecdsa.h header file. There was a build warning when the
+ configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
+ Resolves #7407.
+ * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+ MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
+ * Fix missing PSA initialization in sample programs when
+ MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * Fix the J-PAKE driver interface for user and peer to accept any values
+ (previously accepted values were limited to "client" or "server").
+ * Fix clang and armclang compilation error when targeting certain Arm
+ M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
+ SecurCore SC000). Fixes #1077.
+ * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
+ built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
+ way to detect the crypto extensions required. A warning is still issued.
+ * Fixed an issue that caused compile errors when using CMake and the IAR
+ toolchain.
+ * Fix very high stack usage in SSL debug code. Reported by Maximilian
+ Gerhardt in #7804.
+ * Fix a compilation failure in the constant_time module when
+ building for arm64_32 (e.g., for watchos). Reported by Paulo
+ Coutinho in #7787.
+ * Fix crypt_and_hash decryption fail when used with a stream cipher
+ mode of operation due to the input not being multiple of block size.
+ Resolves #7417.
+ * Fix a bug in which mbedtls_x509_string_to_names() would return success
+ when given a invalid name string if it did not contain '=' or ','.
+ * Fix compilation warnings in aes.c, which prevented the
+ example TF-M configuration in configs/ from building cleanly:
+ tfm_mbedcrypto_config_profile_medium.h with
+ crypto_config_profile_medium.h.
+ * In TLS 1.3, fix handshake failure when a client in its ClientHello
+ proposes an handshake based on PSK only key exchange mode or at least
+ one of the key exchange modes using ephemeral keys to a server that
+ supports only the PSK key exchange mode.
+ * Fix CCM* with no tag being not supported in a build with CCM as the only
+ symmetric encryption algorithm and the PSA configuration enabled.
+ * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
+ * Fix a compilation error on some platforms when including mbedtls/ssl.h
+ with all TLS support disabled. Fixes #6628.
+ * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
+ using ECC key. The certificate was rejected by some crypto frameworks.
+ Fixes #2924.
+ * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
+ is called with zero length and padlock is not enabled.
+ * Fix compile failure due to empty enum in cipher_wrap.c, when building
+ with a very minimal configuration. Fixes #7625.
+ * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+ signature can silently return an incorrect result in low memory conditions.
+ * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
+ MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ * Fix IAR compiler warnings.
+ * Fix an issue when parsing an otherName subject alternative name into a
+ mbedtls_x509_san_other_name struct. The type-id of the otherName was not
+ copied to the struct. This meant that the struct had incomplete
+ information about the otherName SAN and contained uninitialized memory.
+ * Fix the detection of HardwareModuleName otherName SANs. These were being
+ detected by comparing the wrong field and the check was erroneously
+ inverted.
+ * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
+ enabled, where some low-level modules required by requested PSA crypto
+ features were not getting automatically enabled. Fixes #7420.
+ * Fix undefined symbols in some builds using TLS 1.3 with a custom
+ configuration file.
+ * Fix log level for the got supported group message. Fixes #6765
+ * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
+ error code on failure. Before, they returned 1 to indicate failure in
+ some cases involving a missing entry or a full cache.
+ * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
+
+Changes
+ * Enable Arm / Thumb bignum assembly for most Arm platforms when
+ compiling with gcc, clang or armclang and -O0.
+ * Enforce minimum RSA key size when generating a key
+ to avoid accidental misuse.
+ * Use heap memory to allocate DER encoded RSA private key.
+ This reduces stack usage significantly for RSA signature
+ operations when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Update Windows code to use BCryptGenRandom and wcslen, and
+ ensure that conversions between size_t, ULONG, and int are
+ always done safely. Original contribution by Kevin Kane #635, #730
+ followed by Simon Butcher #1453.
+ * Users intergrating their own PSA drivers should be aware that
+ the file library/psa_crypto_driver_wrappers.c has been renamed
+ to psa_crypto_driver_wrappers_no_static.c.
+ * When using CBC with the cipher module, the requirement to call
+ mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
+ this call accidentally applied a default padding mode chosen at compile
+ time.
+
= Mbed TLS 3.4.1 branch released 2023-08-04
Bugfix
diff --git a/ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt b/ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt
deleted file mode 100644
index 014eec657..000000000
--- a/ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-New deprecations
- * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
- MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
- are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
- MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
- IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
- the capabilities of the PSA side for either key.
-
-Features
- * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
- MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
- or DH) were introduced in order to have finer accuracy in defining the
- PSA capabilities for each key. These capabilities, named yyy above, can be
- any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
- - DERIVE is only available for ECC keys, not for RSA or DH ones.
- - implementations are free to enable more than what it was strictly
- requested. For example BASIC internally enables IMPORT and EXPORT
- (useful for testing purposes), but this might change in the future.
diff --git a/ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt b/ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt
deleted file mode 100644
index e4e564cdb..000000000
--- a/ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-New deprecations
- * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
- MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
- maximum size of any supported block cipher) or the new name
- MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
- maximum size of a block cipher supported by the CMAC module).
-
-Security
- * In configurations with ARIA or Camellia but not AES, the value of
- MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
- suggest. This did not affect any library code, because this macro was
- only used in relation with CMAC which does not support these ciphers.
- This may affect application code that uses this macro.
diff --git a/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt b/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
deleted file mode 100644
index 6f091bb9f..000000000
--- a/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
- error code on failure. Before, they returned 1 to indicate failure in
- some cases involving a missing entry or a full cache.
diff --git a/ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt b/ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt
deleted file mode 100644
index d819e8293..000000000
--- a/ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-New deprecations
- * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
- deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
- mbedtls_pkcs12_pbe_ext() as they offer more security by checking
- for overflow of the output buffer and reporting the actual length
- of the output.
-
-Bugfix
- * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
diff --git a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt b/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
deleted file mode 100644
index 9aa3ff91d..000000000
--- a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * When parsing X.509 certificates, support the extensions
- SignatureKeyIdentifier and AuthorityKeyIdentifier.
diff --git a/ChangeLog.d/add-aes-128bit-only.txt b/ChangeLog.d/add-aes-128bit-only.txt
deleted file mode 100644
index b080cac5e..000000000
--- a/ChangeLog.d/add-aes-128bit-only.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add support to restrict AES to 128-bit keys in order to save code size.
- A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
- used to enable this feature.
diff --git a/ChangeLog.d/add-aes-hardware-only-option.txt b/ChangeLog.d/add-aes-hardware-only-option.txt
deleted file mode 100644
index a185aff2a..000000000
--- a/ChangeLog.d/add-aes-hardware-only-option.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
- using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
- disables the plain C implementation and the run-time detection for the
- CPU feature, which reduces code size and avoids the vulnerability of the
- plain C implementation.
diff --git a/ChangeLog.d/add-directoryname-san.txt b/ChangeLog.d/add-directoryname-san.txt
deleted file mode 100644
index e11629878..000000000
--- a/ChangeLog.d/add-directoryname-san.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add parsing of directoryName subtype for subjectAltName extension in
- x509 certificates.
diff --git a/ChangeLog.d/add-getters-for-some-fields.txt b/ChangeLog.d/add-getters-for-some-fields.txt
deleted file mode 100644
index 6a6fbad67..000000000
--- a/ChangeLog.d/add-getters-for-some-fields.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
- * Add getter (mbedtls_ssl_cache_get_timeout()) to access
- `mbedtls_ssl_cache_context.timeout`.
- * Add getter (mbedtls_ssl_get_hostname()) to access
- `mbedtls_ssl_context.hostname`.
- * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
- `mbedtls_ssl_config.endpoint`.
diff --git a/ChangeLog.d/add-milliseconds-time-api.txt b/ChangeLog.d/add-milliseconds-time-api.txt
deleted file mode 100644
index d9e939fad..000000000
--- a/ChangeLog.d/add-milliseconds-time-api.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
- function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
- can be created using an ALT interface.
-
diff --git a/ChangeLog.d/add-missing-md-includes.txt b/ChangeLog.d/add-missing-md-includes.txt
deleted file mode 100644
index 408c3615e..000000000
--- a/ChangeLog.d/add-missing-md-includes.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Add missing md.h includes to some of the external programs from
- the programs directory. Without this, even though the configuration
- was sufficient for a particular program to work, it would only print
- a message that one of the required defines is missing.
diff --git a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt b/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
deleted file mode 100644
index f2e7a4a2c..000000000
--- a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
- * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
- review the size of the output buffer passed to this function, and note
- that the output after decryption may include CBC padding. Consider moving
- to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
- which checks for overflow of the output buffer and reports the actual
- length of the output.
diff --git a/ChangeLog.d/add-pbkdf2-cmac.txt b/ChangeLog.d/add-pbkdf2-cmac.txt
deleted file mode 100644
index 0ed84ea51..000000000
--- a/ChangeLog.d/add-pbkdf2-cmac.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add support for PBKDF2-CMAC through the PSA API.
diff --git a/ChangeLog.d/add-pbkdf2-hmac.txt b/ChangeLog.d/add-pbkdf2-hmac.txt
deleted file mode 100644
index 2708098a3..000000000
--- a/ChangeLog.d/add-pbkdf2-hmac.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add support for PBKDF2-HMAC through the PSA API.
diff --git a/ChangeLog.d/add-psa_want_alg_some_pake.txt b/ChangeLog.d/add-psa_want_alg_some_pake.txt
deleted file mode 100644
index 00b3002b6..000000000
--- a/ChangeLog.d/add-psa_want_alg_some_pake.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
- if no PAKE algorithms are requested
diff --git a/ChangeLog.d/add-rfc822-directoryname-csr-gen.txt b/ChangeLog.d/add-rfc822-directoryname-csr-gen.txt
deleted file mode 100644
index ff8693c40..000000000
--- a/ChangeLog.d/add-rfc822-directoryname-csr-gen.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add a possibility to generate CSR's with RCF822 and directoryName subtype
- of subjectAltName extension in x509 certificates.
diff --git a/ChangeLog.d/add-subjectAltName-certs.txt b/ChangeLog.d/add-subjectAltName-certs.txt
deleted file mode 100644
index 487e5c656..000000000
--- a/ChangeLog.d/add-subjectAltName-certs.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * It is now possible to generate certificates with SubjectAltNames.
- Currently supported subtypes: DnsName, UniformResourceIdentifier,
- IP address, OtherName, and DirectoryName, as defined in RFC 5280.
- See mbedtls_x509write_crt_set_subject_alternative_name for
- more information.
diff --git a/ChangeLog.d/aes-perf.txt b/ChangeLog.d/aes-perf.txt
deleted file mode 100644
index ab716bce8..000000000
--- a/ChangeLog.d/aes-perf.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
- * AES performance improvements. Uplift varies by platform,
- toolchain, optimisation flags and mode.
- Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
- On Aarch64, uplift is typically around 20 - 110%.
- When compiling with gcc -Os on Aarch64, AES-XTS improves
- by 4.5x.
diff --git a/ChangeLog.d/armclang-compile-fix.txt b/ChangeLog.d/armclang-compile-fix.txt
deleted file mode 100644
index 59ae1cd9d..000000000
--- a/ChangeLog.d/armclang-compile-fix.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * Fix clang and armclang compilation error when targeting certain Arm
- M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
- SecurCore SC000). Fixes #1077.
-Changes
- * Enable Arm / Thumb bignum assembly for most Arm platforms when
- compiling with gcc, clang or armclang and -O0.
diff --git a/ChangeLog.d/basic-uri-verification.txt b/ChangeLog.d/basic-uri-verification.txt
deleted file mode 100644
index aa039ea29..000000000
--- a/ChangeLog.d/basic-uri-verification.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * X.509 hostname verification now partially supports URI Subject Alternate
- Names. Only exact matching, without any normalization procedures
- described in 7.4 of RFC5280, will result in a positive URI verification.
diff --git a/ChangeLog.d/bugfix_iar_typo.txt b/ChangeLog.d/bugfix_iar_typo.txt
deleted file mode 100644
index 95f97b1cb..000000000
--- a/ChangeLog.d/bugfix_iar_typo.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fixed an issue that caused compile errors when using CMake and the IAR
- toolchain.
diff --git a/ChangeLog.d/check-set_padding-is-called.txt b/ChangeLog.d/check-set_padding-is-called.txt
deleted file mode 100644
index 2c26de89f..000000000
--- a/ChangeLog.d/check-set_padding-is-called.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * When using CBC with the cipher module, the requirement to call
- mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
- this call accidentally applied a default padding mode chosen at compile
- time.
diff --git a/ChangeLog.d/cmake-pass-through-config-defines.txt b/ChangeLog.d/cmake-pass-through-config-defines.txt
deleted file mode 100644
index 6122f37d2..000000000
--- a/ChangeLog.d/cmake-pass-through-config-defines.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
- setting the CMake variable of the same name at configuration time.
diff --git a/ChangeLog.d/config_psa-include-order.txt b/ChangeLog.d/config_psa-include-order.txt
deleted file mode 100644
index 674c28653..000000000
--- a/ChangeLog.d/config_psa-include-order.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
- enabled, where some low-level modules required by requested PSA crypto
- features were not getting automatically enabled. Fixes #7420.
diff --git a/ChangeLog.d/driver-ffdh.txt b/ChangeLog.d/driver-ffdh.txt
deleted file mode 100644
index a9fa6414e..000000000
--- a/ChangeLog.d/driver-ffdh.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Add support for the FFDH algorithm and DH key types in PSA, with
- parameters from RFC 7919. This includes a built-in implementation based
- on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
- implementations of FFDH through the driver entry points.
diff --git a/ChangeLog.d/driver-only-ecc.txt b/ChangeLog.d/driver-only-ecc.txt
deleted file mode 100644
index 887808511..000000000
--- a/ChangeLog.d/driver-only-ecc.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-Features
- * When a PSA driver for ECDH is present, it is now possible to disable
- MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
- key exchanges based on ECDH(E) to work, this requires
- MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
- TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
- as PSA does not have an API for restartable ECDH yet.
- * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
- a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
- if not required by another module) and still get support for ECC keys and
- algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
- for details.
-API changes
- * Mbed TLS 3.4 introduced support for omitting the built-in implementation
- of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
- their was a flaw in the logic checking if the built-in implementation, in
- that if failed to check if all the relevant curves were supported by the
- accelerator. As a result, it was possible to declare no curves as
- accelerated and still have the built-in implementation compiled out.
- Starting with this release, it is necessary to declare which curves are
- accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
- considered not accelerated, and the built-in implementation of the curves
- and any algorithm possible using them will be included in the build.
diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt
deleted file mode 100644
index cd1e030d1..000000000
--- a/ChangeLog.d/driver-only-hashes.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Features
- * All modules that use hashes or HMAC can now take advantage of PSA Crypto
- drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
- been called. Previously (in 3.3), this was restricted to a few modules,
- and only in builds where MBEDTLS_MD_C was disabled; in particular the
- entropy module was not covered which meant an external RNG had to be
- provided - these limitations are lifted in this version. A new set of
- feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
- to check for availability of hash algorithms, regardless of whether
- they're provided by a built-in implementation, a driver or both. See
- docs/driver-only-builds.md.
diff --git a/ChangeLog.d/ec_jpake_user_peer_2.txt b/ChangeLog.d/ec_jpake_user_peer_2.txt
deleted file mode 100644
index 9572ac7c1..000000000
--- a/ChangeLog.d/ec_jpake_user_peer_2.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the J-PAKE driver interface for user and peer to accept any values
- (previously accepted values were limited to "client" or "server").
diff --git a/ChangeLog.d/enforce-min-RSA-key-size.txt b/ChangeLog.d/enforce-min-RSA-key-size.txt
deleted file mode 100644
index 06cd2a276..000000000
--- a/ChangeLog.d/enforce-min-RSA-key-size.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Enforce minimum RSA key size when generating a key
- to avoid accidental misuse.
diff --git a/ChangeLog.d/extend-distinguished-names.txt b/ChangeLog.d/extend-distinguished-names.txt
deleted file mode 100644
index b148424cf..000000000
--- a/ChangeLog.d/extend-distinguished-names.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Accept arbitrary AttributeType and AttributeValue in certificate
- Distinguished Names using RFC 4514 syntax.
diff --git a/ChangeLog.d/extend-pk-opaque-ecc.txt b/ChangeLog.d/extend-pk-opaque-ecc.txt
deleted file mode 100644
index ad5bdc096..000000000
--- a/ChangeLog.d/extend-pk-opaque-ecc.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Support for "opaque" (PSA-held) ECC keys in the PK module has been
- extended: it is now possible to use mbedtls_pk_write_key_der(),
- mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
- mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
- allow it).
diff --git a/ChangeLog.d/ffdh-tls-1-3.txt b/ChangeLog.d/ffdh-tls-1-3.txt
deleted file mode 100644
index c5d07d69f..000000000
--- a/ChangeLog.d/ffdh-tls-1-3.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Add support for FFDH key exchange in TLS 1.3.
- This is automatically enabled as soon as PSA_WANT_ALG_FFDH
- and the ephemeral or psk-ephemeral key exchange mode are enabled.
- By default, all groups are offered; the list of groups can be
- configured using the existing API function mbedtls_ssl_conf_groups().
diff --git a/ChangeLog.d/fix-a-few-unchecked-return.txt b/ChangeLog.d/fix-a-few-unchecked-return.txt
deleted file mode 100644
index aadde3631..000000000
--- a/ChangeLog.d/fix-a-few-unchecked-return.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
- signature can silently return an incorrect result in low memory conditions.
diff --git a/ChangeLog.d/fix-aes-cbc-iv-corruption.txt b/ChangeLog.d/fix-aes-cbc-iv-corruption.txt
deleted file mode 100644
index 11eb9463e..000000000
--- a/ChangeLog.d/fix-aes-cbc-iv-corruption.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
- is called with zero length and padlock is not enabled.
diff --git a/ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt b/ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt
deleted file mode 100644
index ded9b2d47..000000000
--- a/ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix crypt_and_hash decryption fail when used with a stream cipher
- mode of operation due to the input not being multiple of block size.
- Resolves #7417.
diff --git a/ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt b/ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt
deleted file mode 100644
index c30e07451..000000000
--- a/ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
- in the ecdsa.h header file. There was a build warning when the
- configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
- Resolves #7407.
diff --git a/ChangeLog.d/fix-empty-enum.txt b/ChangeLog.d/fix-empty-enum.txt
deleted file mode 100644
index 458d58f3b..000000000
--- a/ChangeLog.d/fix-empty-enum.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix compile failure due to empty enum in cipher_wrap.c, when building
- with a very minimal configuration. Fixes #7625.
diff --git a/ChangeLog.d/fix-hrr-in-psk-kem.txt b/ChangeLog.d/fix-hrr-in-psk-kem.txt
deleted file mode 100644
index 037771184..000000000
--- a/ChangeLog.d/fix-hrr-in-psk-kem.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * In TLS 1.3, fix handshake failure when a client in its ClientHello
- proposes an handshake based on PSK only key exchange mode or at least
- one of the key exchange modes using ephemeral keys to a server that
- supports only the PSK key exchange mode.
diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt
deleted file mode 100644
index 0dc2623f8..000000000
--- a/ChangeLog.d/fix-iar-compiler-warnings.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix IAR compiler warnings.
diff --git a/ChangeLog.d/fix-ilp32.txt b/ChangeLog.d/fix-ilp32.txt
deleted file mode 100644
index 3f18ac5c5..000000000
--- a/ChangeLog.d/fix-ilp32.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a compilation failure in the constant_time module when
- building for arm64_32 (e.g., for watchos). Reported by Paulo
- Coutinho in #7787.
diff --git a/ChangeLog.d/fix-log-level-msg.txt b/ChangeLog.d/fix-log-level-msg.txt
deleted file mode 100644
index 4e82ad150..000000000
--- a/ChangeLog.d/fix-log-level-msg.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix log level for the got supported group message. Fixes #6765
diff --git a/ChangeLog.d/fix-string-to-names-retcode.txt b/ChangeLog.d/fix-string-to-names-retcode.txt
deleted file mode 100644
index ac4b3d176..000000000
--- a/ChangeLog.d/fix-string-to-names-retcode.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a bug in which mbedtls_x509_string_to_names() would return success
- when given a invalid name string if it did not contain '=' or ','.
diff --git a/ChangeLog.d/fix-tfm-build.txt b/ChangeLog.d/fix-tfm-build.txt
deleted file mode 100644
index 64cb837ae..000000000
--- a/ChangeLog.d/fix-tfm-build.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix compilation warnings in aes.c, which prevented the
- example TF-M configuration in configs/ from building cleanly:
- tfm_mbedcrypto_config_profile_medium.h with
- crypto_config_profile_medium.h.
diff --git a/ChangeLog.d/fix-tls-padbuf-zeroization.txt b/ChangeLog.d/fix-tls-padbuf-zeroization.txt
deleted file mode 100644
index 36451cb4b..000000000
--- a/ChangeLog.d/fix-tls-padbuf-zeroization.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Fix a case where potentially sensitive information held in memory would not
- be completely zeroized during TLS 1.2 handshake, in both server and client
- configurations.
diff --git a/ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt b/ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt
deleted file mode 100644
index 7fcb5ec29..000000000
--- a/ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
- built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
- way to detect the crypto extensions required. A warning is still issued.
diff --git a/ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt b/ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt
deleted file mode 100644
index 8fdc588b1..000000000
--- a/ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * The documentation of mbedtls_ecp_group now describes the optimized
- representation of A for some curves. Fixes #8045.
diff --git a/ChangeLog.d/initialize-struct-get-other-name.txt b/ChangeLog.d/initialize-struct-get-other-name.txt
deleted file mode 100644
index dc8395d40..000000000
--- a/ChangeLog.d/initialize-struct-get-other-name.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Bugfix
- * Fix an issue when parsing an otherName subject alternative name into a
- mbedtls_x509_san_other_name struct. The type-id of the otherName was not
- copied to the struct. This meant that the struct had incomplete
- information about the otherName SAN and contained uninitialized memory.
- * Fix the detection of HardwareModuleName otherName SANs. These were being
- detected by comparing the wrong field and the check was erroneously
- inverted.
diff --git a/ChangeLog.d/inject-entropy.txt b/ChangeLog.d/inject-entropy.txt
deleted file mode 100644
index 762662969..000000000
--- a/ChangeLog.d/inject-entropy.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
diff --git a/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt b/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
deleted file mode 100644
index 22e8adbc5..000000000
--- a/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
- MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
diff --git a/ChangeLog.d/mbedtls_x509_time.txt b/ChangeLog.d/mbedtls_x509_time.txt
deleted file mode 100644
index 557f1910d..000000000
--- a/ChangeLog.d/mbedtls_x509_time.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Improve mbedtls_x509_time performance and reduce memory use.
- * Reduce syscalls to time() during certificate verification.
diff --git a/ChangeLog.d/misc-from-psa-crypto.txt b/ChangeLog.d/misc-from-psa-crypto.txt
deleted file mode 100644
index 40a043a4f..000000000
--- a/ChangeLog.d/misc-from-psa-crypto.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix CCM* with no tag being not supported in a build with CCM as the only
- symmetric encryption algorithm and the PSA configuration enabled.
diff --git a/ChangeLog.d/oid-parse-from-numeric-string.txt b/ChangeLog.d/oid-parse-from-numeric-string.txt
deleted file mode 100644
index 82ed2fd71..000000000
--- a/ChangeLog.d/oid-parse-from-numeric-string.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
- string to a DER-encoded mbedtls_asn1_buf.
diff --git a/ChangeLog.d/p256-m.txt b/ChangeLog.d/p256-m.txt
deleted file mode 100644
index e47358052..000000000
--- a/ChangeLog.d/p256-m.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Applications using ECC over secp256r1 through the PSA API can use a
- new implementation with a much smaller footprint, but some minor
- usage restrictions. See the documentation of the new configuration
- option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
diff --git a/ChangeLog.d/padding-ct-changelog.txt b/ChangeLog.d/padding-ct-changelog.txt
deleted file mode 100644
index 3e2c7e2e8..000000000
--- a/ChangeLog.d/padding-ct-changelog.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Improve padding calculations in CBC decryption, NIST key unwrapping and
- RSA OAEP decryption. With the previous implementation, some compilers
- (notably recent versions of Clang and IAR) could produce non-constant
- time code, which could allow a padding oracle attack if the attacker
- has access to precise timing measurements.
diff --git a/ChangeLog.d/programs_psa_fix.txt b/ChangeLog.d/programs_psa_fix.txt
deleted file mode 100644
index fe2099ecc..000000000
--- a/ChangeLog.d/programs_psa_fix.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix missing PSA initialization in sample programs when
- MBEDTLS_USE_PSA_CRYPTO is enabled.
diff --git a/ChangeLog.d/psa_crypto_user_config_file.txt b/ChangeLog.d/psa_crypto_user_config_file.txt
deleted file mode 100644
index f538f4707..000000000
--- a/ChangeLog.d/psa_crypto_user_config_file.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
- MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
diff --git a/ChangeLog.d/python3.8.txt b/ChangeLog.d/python3.8.txt
deleted file mode 100644
index 32a7c09a8..000000000
--- a/ChangeLog.d/python3.8.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Requirement changes
- * Officially require Python 3.8 now that earlier versions are out of support.
diff --git a/ChangeLog.d/rename_psa_crypto_driver_wrappers.txt b/ChangeLog.d/rename_psa_crypto_driver_wrappers.txt
deleted file mode 100644
index a0710963b..000000000
--- a/ChangeLog.d/rename_psa_crypto_driver_wrappers.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Users intergrating their own PSA drivers should be aware that
- the file library/psa_crypto_driver_wrappers.c has been renamed
- to psa_crypto_driver_wrappers_no_static.c.
-
diff --git a/ChangeLog.d/rfc8410.txt b/ChangeLog.d/rfc8410.txt
deleted file mode 100644
index e2984ee4b..000000000
--- a/ChangeLog.d/rfc8410.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add support for reading and writing X25519 and X448
- public and private keys in RFC 8410 format using the existing PK APIs.
diff --git a/ChangeLog.d/safer-ct.txt b/ChangeLog.d/safer-ct.txt
deleted file mode 100644
index 0a5b632ab..000000000
--- a/ChangeLog.d/safer-ct.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Updates to constant-time C code so that compilers are less likely to use
- conditional instructions, which can have an observable difference in
- timing. (Clang has been seen to do this.) Also introduce assembly
- implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
- guaranteed not to use conditional instructions.
diff --git a/ChangeLog.d/sha3.txt b/ChangeLog.d/sha3.txt
deleted file mode 100644
index 9426f879f..000000000
--- a/ChangeLog.d/sha3.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add SHA-3 family hash functions.
-
diff --git a/ChangeLog.d/sha384-blocksize.txt b/ChangeLog.d/sha384-blocksize.txt
deleted file mode 100644
index 4917eb2c2..000000000
--- a/ChangeLog.d/sha384-blocksize.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
- small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
- undefined. Mbed TLS itself was unaffected by this, but user code
- which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
- release containing this bug was Mbed TLS 3.4.0.
diff --git a/ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt b/ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt
deleted file mode 100644
index 8cc6e5eab..000000000
--- a/ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
- PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
- than all built-in ones and RSA is disabled.
- Resolves #6622.
diff --git a/ChangeLog.d/ssl_debug_helpers-stack_usage.txt b/ChangeLog.d/ssl_debug_helpers-stack_usage.txt
deleted file mode 100644
index e2c24759f..000000000
--- a/ChangeLog.d/ssl_debug_helpers-stack_usage.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix very high stack usage in SSL debug code. Reported by Maximilian
- Gerhardt in #7804.
diff --git a/ChangeLog.d/ssl_decrypt_buf-short_record.txt b/ChangeLog.d/ssl_decrypt_buf-short_record.txt
deleted file mode 100644
index c2af1ec2a..000000000
--- a/ChangeLog.d/ssl_decrypt_buf-short_record.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Security
- * Fix a buffer overread when parsing short TLS application data records in
- null-cipher cipher suites. Credit to OSS-Fuzz.
diff --git a/ChangeLog.d/ssl_premaster_secret-empty.txt b/ChangeLog.d/ssl_premaster_secret-empty.txt
deleted file mode 100644
index 0ce5f36ea..000000000
--- a/ChangeLog.d/ssl_premaster_secret-empty.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a compilation error on some platforms when including mbedtls/ssl.h
- with all TLS support disabled. Fixes #6628.
diff --git a/ChangeLog.d/tls13-custom-config.txt b/ChangeLog.d/tls13-custom-config.txt
deleted file mode 100644
index da2e25d95..000000000
--- a/ChangeLog.d/tls13-custom-config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix undefined symbols in some builds using TLS 1.3 with a custom
- configuration file.
diff --git a/ChangeLog.d/tls13-server-version-negotiation.txt b/ChangeLog.d/tls13-server-version-negotiation.txt
deleted file mode 100644
index 989018b40..000000000
--- a/ChangeLog.d/tls13-server-version-negotiation.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Add support for server-side TLS version negotiation. If both TLS 1.2 and
- TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
- TLS 1.3 depending on the capabilities and preferences of TLS clients.
- Fixes #6867.
diff --git a/ChangeLog.d/updated_windows_apis.txt b/ChangeLog.d/updated_windows_apis.txt
deleted file mode 100644
index 73b17df9d..000000000
--- a/ChangeLog.d/updated_windows_apis.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Requirement changes
- * Minimum required Windows version is now Windows Vista, or
- Windows Server 2008.
-
-Changes
- * Update Windows code to use BCryptGenRandom and wcslen, and
- ensure that conversions between size_t, ULONG, and int are
- always done safely. Original contribution by Kevin Kane #635, #730
- followed by Simon Butcher #1453.
diff --git a/ChangeLog.d/use_heap_rsa_signature.txt b/ChangeLog.d/use_heap_rsa_signature.txt
deleted file mode 100644
index e6d7b1255..000000000
--- a/ChangeLog.d/use_heap_rsa_signature.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Use heap memory to allocate DER encoded RSA private key.
- This reduces stack usage significantly for RSA signature
- operations when MBEDTLS_PSA_CRYPTO_C is defined.
diff --git a/ChangeLog.d/verify-ip-sans-properly.txt b/ChangeLog.d/verify-ip-sans-properly.txt
deleted file mode 100644
index 00203a8ca..000000000
--- a/ChangeLog.d/verify-ip-sans-properly.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * X.509 hostname verification now supports IPAddress Subject Alternate Names.
diff --git a/ChangeLog.d/x509-ec-algorithm-identifier-fix.txt b/ChangeLog.d/x509-ec-algorithm-identifier-fix.txt
deleted file mode 100644
index c1de491e6..000000000
--- a/ChangeLog.d/x509-ec-algorithm-identifier-fix.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
- using ECC key. The certificate was rejected by some crypto frameworks.
- Fixes #2924.
diff --git a/ChangeLog.d/xxx_psa_peerkey.txt b/ChangeLog.d/xxx_psa_peerkey.txt
deleted file mode 100644
index d25e4ecbf..000000000
--- a/ChangeLog.d/xxx_psa_peerkey.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Security
- * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
- In TLS 1.3, all configurations are affected except PSK-only ones, and
- both clients and servers are affected.
- In TLS 1.2, the affected configurations are those with
- MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
- and only servers are affected, not clients.
- Credit to OSS-Fuzz.