Assemble Changelog

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>

69 files changed, 260 insertions, 323 deletions

diff --git a/ChangeLog b/ChangeLog
index 28f2654..3237b76 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,265 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+   * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
+     mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data
+     feature may not be TLS 1.3 specific in the future. Fixes #6909.
+
+Default behavior changes
+   * psa_import_key() now only accepts RSA keys in the PSA standard formats.
+     The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
+     PEM) accepted by the pkparse module has been removed. Applications that
+     need these formats can call mbedtls_pk_parse_{public,}key() followed by
+     mbedtls_pk_import_into_psa().
+
+Requirement changes
+   * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
+
+New deprecations
+    * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
+      MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still
+      be used, but are deprecated.
+   * In the PSA API, domain parameters are no longer used for anything.
+     They are deprecated and will be removed in a future version of the
+     library.
+   * mbedtls_ecp_write_key() is deprecated in favor of
+     mbedtls_ecp_write_key_ext().
+
+Removals
+   * In the PSA API, the experimental way to encode the public exponent of
+     an RSA key as a domain parameter is no longer supported. Use
+     psa_generate_key_ext() instead.
+   * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
+     same behavior mbedtls_pk_get_psa_attributes() and
+     mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
+     while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
+     PK context.
+
+Features
+   * Added an example program showing how to hash with the PSA API.
+    * Support Armv8-A Crypto Extension acceleration for SHA-256
+      when compiling for Thumb (T32) or 32-bit Arm (A32).
+   *  AES-NI is now supported in Windows builds with clang and clang-cl.
+      Resolves #8372.
+   * Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
+     parsing unsupported certificate extensions via user provided callback.
+   * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
+     the decryption direction of block ciphers (AES, ARIA, Camellia).
+     This affects both the low-level modules and the high-level APIs
+     (the cipher and PSA interfaces). This option is incompatible with modes
+     that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
+   * Support use of Armv8-A Cryptographic Extensions for hardware acclerated
+     AES when compiling for Thumb (T32) or 32-bit Arm (A32).
+   * If a cipher or AEAD mechanism has a PSA driver, you can now build the
+     library without the corresponding built-in implementation. Generally
+     speaking that requires both the key type and algorithm to be accelerated
+     or they'll both be built in. However, for CCM and GCM the built-in
+     implementation is able to take advantage of a driver that only
+     accelerates the key type (that is, the block cipher primitive). See
+     docs/driver-only-builds.md for full details and current limitations.
+   * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
+     disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
+     MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
+   * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
+     size by disabling it in more circumstances. In particular, the CCM and
+     GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
+     MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
+     unauthenticated (non-AEAD) ciphers are disabled, or if they're all
+     fully provided by drivers. See docs/driver-only-builds.md for full
+     details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
+     decryption still unconditionally depend on MBEDTLS_CIPHER_C.
+   * Add support for record size limit extension as defined by RFC 8449
+     and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
+     Application data sent and received will be fragmented according to
+     Record size limits negotiated during handshake.
+   * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
+     hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
+   * Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
+     to convert between Mbed TLS and PSA curve identifiers.
+   * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
+     gaps made by making its fields private: mbedtls_ecp_set_public_key(),
+     mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
+     mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
+   * Add functions mbedtls_md_psa_alg_from_type() and
+     mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
+     psa_algorithm_t.
+   * Add partial platform support for z/OS.
+   * Improve performance for gcc (versions older than 9.3.0) and IAR.
+   * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
+     convert ECDSA signatures between raw and DER (ASN.1) formats.
+   * Add support for using AES-CBC 128, 192, and 256 bit schemes
+     with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
+   * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus
+     in bits, i.e. the key size for an RSA key.
+   * Add pc files for pkg-config, e.g.:
+     pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
+   * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
+     `mbedtls_ssl_session.ticket_creation_time`.
+   * The new functions mbedtls_pk_get_psa_attributes() and
+     mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
+     key from a PK key.
+   * The benchmark program now reports times for both ephemeral and static
+     ECDH in all ECDH configurations.
+    * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
+      operations when hardware accelerated AES is not present. Improves
+      performance by around 30% on 64-bit Intel; 125% on Armv7-M.
+   * The new function psa_generate_key_ext() allows generating an RSA
+     key pair with a custom public exponent.
+   * The new function mbedtls_ecp_write_key_ext() is similar to
+     mbedtls_ecp_write_key(), but can be used without separately calculating
+     the output length.
+   * Add new accessor to expose the private group id member of
+     `mbedtls_ecdh_context` structure.
+   * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
+     `mbedtls_x509_crt` structure. This requires setting
+     the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
+     ext_types field.
+   * mbedtls_psa_get_random() is always available as soon as
+     MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
+     called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be
+     used as random number generator function (f_rng) and context (p_rng) in
+     legacy functions.
+   * The new functions mbedtls_pk_copy_from_psa() and
+     mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
+     with the same content as a PSA key.
+   * Add new accessors to expose the private session-id,
+     session-id length, and ciphersuite-id members of
+     `mbedtls_ssl_session` structure.
+     Add new accessor to expose the ciphersuite-id of
+     `mbedtls_ssl_ciphersuite_t` structure.Design ref: #8529
+   * Mbed TLS now supports the writing and reading of TLS 1.3 early data (see
+     docs/tls13-early-data.md). The support enablement is controlled at build
+     time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by
+     the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
+   * Add protection for multithreaded access to the PSA keystore and protection
+     for multithreaded access to the the PSA global state, including
+     concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and
+     MBEDTLS_THREADING_PTHREAD are defined. See
+     docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
+     Resolves issues #3263 and #7945.
+
+Security
+   * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
+     ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
+     malicious client could cause information disclosure or a denial of service.
+   * Passing buffers that are stored in untrusted memory as arguments
+     to PSA functions is now secure by default.
+     The PSA core now protects against modification of inputs or exposure
+     of intermediate outputs during operations. This is currently implemented
+     by copying buffers.
+     This feature increases code size and memory usage. If buffers passed to
+     PSA functions are owned exclusively by the PSA core for the duration of
+     the function call (i.e. no buffer parameters are in shared memory),
+     copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
+     Note that setting this option will cause input-output buffer overlap to
+     be only partially supported (#3266).
+     Fixes CVE-2024-28960
+   * Restore the maximum TLS version to be negotiated to the configured one
+     when an SSL context is reset with the mbedtls_ssl_session_reset() API.
+     An attacker was able to prevent an Mbed TLS server from establishing any
+     TLS 1.3 connection potentially resulting in a Denial of Service or forced
+     version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
+     Fixes CVE-2024-28755.
+   * When negotiating TLS version on server side, do not fall back to the
+     TLS 1.2 implementation of the protocol if it is disabled.
+     - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
+       client could put the TLS 1.3-only server in an infinite loop processing
+       a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
+       Matthias Mucha and Thomas Blattmann, SICK AG.
+     - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
+       was able to successfully establish a TLS 1.2 connection with the server.
+       Reported by alluettiv on GitHub.
+    Fixes CVE-2024-28836.
+
+Bugfix
+   * Fix the build with CMake when Everest or P256-m is enabled through
+     a user configuration file or the compiler command line. Fixes #8165.
+   * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
+     disabled.
+   * Fix possible NULL dereference issue in X509 cert_req program if an entry
+     in the san parameter is not separated by a colon.
+   * Fix possible NULL dereference issue in X509 cert_write program if an entry
+     in the san parameter is not separated by a colon.
+  * Fix an inconsistency between implementations and usages of `__cpuid`,
+    which mainly causes failures when building Windows target using
+    mingw or clang. Fixes #8334 & #8332.
+   * Fix build failure in conda-forge.  Fixes #8422.
+   * Fix parsing of CSRs with critical extensions.
+    * Switch to milliseconds as the unit for ticket creation and reception time
+      instead of seconds. That avoids rounding errors when computing the age of
+      tickets compared to peer using a millisecond clock (observed with GnuTLS).
+      Fixes #6623.
+   * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
+     is disabled at runtime. Fixes #8593.
+   * Remove accidental introduction of RSA signature algorithms
+     in TLS Suite B Profile. Fixes #8221.
+   * Fix unsupported PSA asymmetric encryption and decryption
+     (psa_asymmetric_[en|de]crypt) with opaque keys.
+     Resolves #8461.
+   * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
+     acceleration detection when the libc headers do not define the
+     corresponding constant. Reported by valord577.
+   * Correct initial capacities for key derivation algorithms:TLS12_PRF,
+     TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
+   * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
+     multiple of 8. Fixes #868.
+   * Avoid segmentation fault caused by releasing not initialized
+     entropy resource in gen_key example. Fixes #8809.
+   * mbedtls_pem_read_buffer() now performs a check on the padding data of
+     decrypted keys and it rejects invalid ones.
+   * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and
+     mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
+     the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the
+     RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
+     functions performed a PKCS#1 v1.5 signature instead and the
+     encrypt/decrypt functions returned an error. Fixes #8824.
+   * Fix missing bitflags in SSL session serialization headers. Their absence
+     allowed SSL sessions saved in one configuration to be loaded in a
+     different, incompatible configuration.
+   * In TLS 1.3 clients, fix an interoperability problem due to the client
+     generating a new random after a HelloRetryRequest. Fixes #8669.
+   * Fix the restoration of the ALPN when loading serialized connection with
+   * the mbedtls_ssl_context_load() API.
+   * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
+     an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type.
+   * Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the
+     primary algorithm of the wrapped PSA key.
+   * Fully support arbitrary overlap between inputs and outputs of PSA
+     functions. Note that overlap is still only partially supported when
+     MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
+
+Changes
+   * Use heap memory to allocate DER encoded public/private key.
+     This reduces stack usage significantly for writing a public/private
+     key to a PEM string.
+    * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
+      they are now treated separately. This means that they should be
+      individually enabled in order to enable respective support; also the
+      corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
+      acceleration is required.
+    * Moved declaration of functions mbedtls_ecc_group_to_psa and
+      mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
+   * mbedtls_pk_sign_ext() is now always available, not just when
+     PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
+   * Extended PSA Crypto configurations options for FFDH by making it possible
+     to select only some of the parameters / groups, with the macros
+     PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
+     for each size you want to support. Also, if you have an FFDH accelerator,
+     you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
+     support for these domain parameters.
+   * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
+     saving code size when those are not otherwise enabled.
+   * mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations,
+     have changed their speed/memory compromise as part of a proactive security
+     improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly
+     preserves the current speed, at the expense of increasing memory
+     consumption.
+   * Rename directory containing Visual Studio files from visualc/VS2013 to
+     visualc/VS2017.
+   * The TLS 1.3 protocol is now enabled in the default configuration.
+
 = Mbed TLS 3.5.2 branch released 2024-01-26
 
 Security
diff --git a/ChangeLog.d/7764.txt b/ChangeLog.d/7764.txt
deleted file mode 100644
index 4cd2079..0000000
--- a/ChangeLog.d/7764.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
-     to convert between Mbed TLS and PSA curve identifiers.
diff --git a/ChangeLog.d/7765.txt b/ChangeLog.d/7765.txt
deleted file mode 100644
index 3dd6b5d..0000000
--- a/ChangeLog.d/7765.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
-     convert ECDSA signatures between raw and DER (ASN.1) formats.
diff --git a/ChangeLog.d/8030.txt b/ChangeLog.d/8030.txt
deleted file mode 100644
index d99c9e7..0000000
--- a/ChangeLog.d/8030.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Changes
-   * Extended PSA Crypto configurations options for FFDH by making it possible
-     to select only some of the parameters / groups, with the macros
-     PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
-     for each size you want to support. Also, if you have an FFDH accelerator,
-     you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
-     support for these domain parameters.
diff --git a/ChangeLog.d/8340.txt b/ChangeLog.d/8340.txt
deleted file mode 100644
index 5664bf1..0000000
--- a/ChangeLog.d/8340.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * Add functions mbedtls_md_psa_alg_from_type() and
-     mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
-     psa_algorithm_t.
diff --git a/ChangeLog.d/8372.txt b/ChangeLog.d/8372.txt
deleted file mode 100644
index 4a72edf..0000000
--- a/ChangeLog.d/8372.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   *  AES-NI is now supported in Windows builds with clang and clang-cl.
-      Resolves #8372.
diff --git a/ChangeLog.d/8461.txt b/ChangeLog.d/8461.txt
deleted file mode 100644
index d6a65f0..0000000
--- a/ChangeLog.d/8461.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix unsupported PSA asymmetric encryption and decryption
-     (psa_asymmetric_[en|de]crypt) with opaque keys.
-     Resolves #8461.
diff --git a/ChangeLog.d/8482.txt b/ChangeLog.d/8482.txt
deleted file mode 100644
index a392232..0000000
--- a/ChangeLog.d/8482.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Changes
-    * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
-      they are now treated separately. This means that they should be
-      individually enabled in order to enable respective support; also the
-      corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
-      acceleration is required.
diff --git a/ChangeLog.d/8647.txt b/ChangeLog.d/8647.txt
deleted file mode 100644
index 98326dc..0000000
--- a/ChangeLog.d/8647.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Default behavior changes
-   * psa_import_key() now only accepts RSA keys in the PSA standard formats.
-     The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
-     PEM) accepted by the pkparse module has been removed. Applications that
-     need these formats can call mbedtls_pk_parse_{public,}key() followed by
-     mbedtls_pk_import_into_psa().
-
-Changes
-   * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
-     saving code size when those are not otherwise enabled.
diff --git a/ChangeLog.d/8709.txt b/ChangeLog.d/8709.txt
deleted file mode 100644
index e0bea44..0000000
--- a/ChangeLog.d/8709.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * The new functions mbedtls_pk_copy_from_psa() and
-     mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
-     with the same content as a PSA key.
diff --git a/ChangeLog.d/8726.txt b/ChangeLog.d/8726.txt
deleted file mode 100644
index c1e5a40..0000000
--- a/ChangeLog.d/8726.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
-   * Add partial platform support for z/OS.
diff --git a/ChangeLog.d/8799.txt b/ChangeLog.d/8799.txt
deleted file mode 100644
index 50e7c11..0000000
--- a/ChangeLog.d/8799.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * mbedtls_pem_read_buffer() now performs a check on the padding data of
-     decrypted keys and it rejects invalid ones.
diff --git a/ChangeLog.d/8824.txt b/ChangeLog.d/8824.txt
deleted file mode 100644
index 6d6bcb7..0000000
--- a/ChangeLog.d/8824.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Bugfix
-   * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and
-     mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
-     the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the
-     RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
-     functions performed a PKCS#1 v1.5 signature instead and the
-     encrypt/decrypt functions returned an error. Fixes #8824.
-
diff --git a/ChangeLog.d/8825.txt b/ChangeLog.d/8825.txt
deleted file mode 100644
index 914bd08..0000000
--- a/ChangeLog.d/8825.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * mbedtls_psa_get_random() is always available as soon as
-     MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
-     called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be
-     used as random number generator function (f_rng) and context (p_rng) in
-     legacy functions.
diff --git a/ChangeLog.d/8848.txt b/ChangeLog.d/8848.txt
deleted file mode 100644
index 71bb7e3..0000000
--- a/ChangeLog.d/8848.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Removals
-   * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
-     same behavior mbedtls_pk_get_psa_attributes() and
-     mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
-     while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
-     PK context.
diff --git a/ChangeLog.d/8938.txt b/ChangeLog.d/8938.txt
deleted file mode 100644
index 68a1c08..0000000
--- a/ChangeLog.d/8938.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the
-     primary algorithm of the wrapped PSA key.
diff --git a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt
deleted file mode 100644
index 7f0fbc7..0000000
--- a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add support for using AES-CBC 128, 192, and 256 bit schemes
-     with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
diff --git a/ChangeLog.d/add-block-cipher-no-decrypt.txt b/ChangeLog.d/add-block-cipher-no-decrypt.txt
deleted file mode 100644
index d05bf86..0000000
--- a/ChangeLog.d/add-block-cipher-no-decrypt.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
-     the decryption direction of block ciphers (AES, ARIA, Camellia).
-     This affects both the low-level modules and the high-level APIs
-     (the cipher and PSA interfaces). This option is incompatible with modes
-     that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
diff --git a/ChangeLog.d/add-psa-example-program-hash.txt b/ChangeLog.d/add-psa-example-program-hash.txt
deleted file mode 100644
index ba4da20..0000000
--- a/ChangeLog.d/add-psa-example-program-hash.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
-   * Added an example program showing how to hash with the PSA API.
diff --git a/ChangeLog.d/add-record-size-limit-extension-support.txt b/ChangeLog.d/add-record-size-limit-extension-support.txt
deleted file mode 100644
index 3562b85..0000000
--- a/ChangeLog.d/add-record-size-limit-extension-support.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add support for record size limit extension as defined by RFC 8449
-     and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
-     Application data sent and received will be fragmented according to
-     Record size limits negotiated during handshake.
diff --git a/ChangeLog.d/add_get_ecp_group_id.txt b/ChangeLog.d/add_get_ecp_group_id.txt
deleted file mode 100644
index 3328062..0000000
--- a/ChangeLog.d/add_get_ecp_group_id.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add new accessor to expose the private group id member of
-     `mbedtls_ecdh_context` structure.
diff --git a/ChangeLog.d/add_ssl_session_accessors.txt b/ChangeLog.d/add_ssl_session_accessors.txt
deleted file mode 100644
index 516a3bf..0000000
--- a/ChangeLog.d/add_ssl_session_accessors.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * Add new accessors to expose the private session-id,
-     session-id length, and ciphersuite-id members of
-     `mbedtls_ssl_session` structure.
-     Add new accessor to expose the ciphersuite-id of
-     `mbedtls_ssl_ciphersuite_t` structure.Design ref: #8529
diff --git a/ChangeLog.d/add_threading_changelog.txt b/ChangeLog.d/add_threading_changelog.txt
deleted file mode 100644
index e9f6cc7..0000000
--- a/ChangeLog.d/add_threading_changelog.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
-   * Add protection for multithreaded access to the PSA keystore and protection
-     for multithreaded access to the the PSA global state, including
-     concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and
-     MBEDTLS_THREADING_PTHREAD are defined. See
-     docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
-     Resolves issues #3263 and #7945.
diff --git a/ChangeLog.d/armv8-aesce.txt b/ChangeLog.d/armv8-aesce.txt
deleted file mode 100644
index ec5889c..0000000
--- a/ChangeLog.d/armv8-aesce.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Support use of Armv8-A Cryptographic Extensions for hardware acclerated
-     AES when compiling for Thumb (T32) or 32-bit Arm (A32).
diff --git a/ChangeLog.d/benchmark-ecdh.txt b/ChangeLog.d/benchmark-ecdh.txt
deleted file mode 100644
index ef243b8..0000000
--- a/ChangeLog.d/benchmark-ecdh.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * The benchmark program now reports times for both ephemeral and static
-     ECDH in all ECDH configurations.
diff --git a/ChangeLog.d/binder-overread.txt b/ChangeLog.d/binder-overread.txt
deleted file mode 100644
index c0ed4b7..0000000
--- a/ChangeLog.d/binder-overread.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
-   * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
-     ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
-     malicious client could cause information disclosure or a denial of service.
diff --git a/ChangeLog.d/ctr-perf.txt b/ChangeLog.d/ctr-perf.txt
deleted file mode 100644
index bc04080..0000000
--- a/ChangeLog.d/ctr-perf.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
-     hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
diff --git a/ChangeLog.d/domain_parameters.txt b/ChangeLog.d/domain_parameters.txt
deleted file mode 100644
index d860cc4..0000000
--- a/ChangeLog.d/domain_parameters.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-New deprecations
-   * In the PSA API, domain parameters are no longer used for anything.
-     They are deprecated and will be removed in a future version of the
-     library.
-
-Removals
-   * In the PSA API, the experimental way to encode the public exponent of
-     an RSA key as a domain parameter is no longer supported. Use
-     psa_generate_key_ext() instead.
diff --git a/ChangeLog.d/driver-only-cipher.txt b/ChangeLog.d/driver-only-cipher.txt
deleted file mode 100644
index 331b2f9..0000000
--- a/ChangeLog.d/driver-only-cipher.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Features
-   * If a cipher or AEAD mechanism has a PSA driver, you can now build the
-     library without the corresponding built-in implementation. Generally
-     speaking that requires both the key type and algorithm to be accelerated
-     or they'll both be built in. However, for CCM and GCM the built-in
-     implementation is able to take advantage of a driver that only
-     accelerates the key type (that is, the block cipher primitive). See
-     docs/driver-only-builds.md for full details and current limitations.
-   * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
-     disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
-     MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
diff --git a/ChangeLog.d/drop-msvc-2015-and-armcc-5.txt b/ChangeLog.d/drop-msvc-2015-and-armcc-5.txt
deleted file mode 100644
index 435cc98..0000000
--- a/ChangeLog.d/drop-msvc-2015-and-armcc-5.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Requirement changes
-   * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
-Changes
-   * Rename directory containing Visual Studio files from visualc/VS2013 to
-     visualc/VS2017.
diff --git a/ChangeLog.d/early-data.txt b/ChangeLog.d/early-data.txt
deleted file mode 100644
index 3c3826c..0000000
--- a/ChangeLog.d/early-data.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Mbed TLS now supports the writing and reading of TLS 1.3 early data (see
-     docs/tls13-early-data.md). The support enablement is controlled at build
-     time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by
-     the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
diff --git a/ChangeLog.d/ecp-keypair-utilities.txt b/ChangeLog.d/ecp-keypair-utilities.txt
deleted file mode 100644
index 6f9714a..0000000
--- a/ChangeLog.d/ecp-keypair-utilities.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
-     gaps made by making its fields private: mbedtls_ecp_set_public_key(),
-     mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
-     mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
diff --git a/ChangeLog.d/ecp_write_key.txt b/ChangeLog.d/ecp_write_key.txt
deleted file mode 100644
index 73354c8..0000000
--- a/ChangeLog.d/ecp_write_key.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
-   * The new function mbedtls_ecp_write_key_ext() is similar to
-     mbedtls_ecp_write_key(), but can be used without separately calculating
-     the output length.
-
-New deprecations
-   * mbedtls_ecp_write_key() is deprecated in favor of
-     mbedtls_ecp_write_key_ext().
diff --git a/ChangeLog.d/enable-tls13-by-default.txt b/ChangeLog.d/enable-tls13-by-default.txt
deleted file mode 100644
index 636078c..0000000
--- a/ChangeLog.d/enable-tls13-by-default.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Changes
-   * The TLS 1.3 protocol is now enabled in the default configuration.
diff --git a/ChangeLog.d/fix-alpn-negotiating-bug.txt b/ChangeLog.d/fix-alpn-negotiating-bug.txt
deleted file mode 100644
index 3bceb37..0000000
--- a/ChangeLog.d/fix-alpn-negotiating-bug.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix the restoration of the ALPN when loading serialized connection with
-   * the mbedtls_ssl_context_load() API.
diff --git a/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt b/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt
deleted file mode 100644
index ec543aa..0000000
--- a/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix the build with CMake when Everest or P256-m is enabled through
-     a user configuration file or the compiler command line. Fixes #8165.
diff --git a/ChangeLog.d/fix-cpp-compilation-error.txt b/ChangeLog.d/fix-cpp-compilation-error.txt
deleted file mode 100644
index 32d86dc..0000000
--- a/ChangeLog.d/fix-cpp-compilation-error.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
-     disabled.
diff --git a/ChangeLog.d/fix-csr-parsing-with-critical-fields-fails.txt b/ChangeLog.d/fix-csr-parsing-with-critical-fields-fails.txt
deleted file mode 100644
index 5b15512..0000000
--- a/ChangeLog.d/fix-csr-parsing-with-critical-fields-fails.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
-     parsing unsupported certificate extensions via user provided callback.
-
-Bugfix
-   * Fix parsing of CSRs with critical extensions.
diff --git a/ChangeLog.d/fix-issue-x509-cert_req.txt b/ChangeLog.d/fix-issue-x509-cert_req.txt
deleted file mode 100644
index 3a5171b..0000000
--- a/ChangeLog.d/fix-issue-x509-cert_req.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix possible NULL dereference issue in X509 cert_req program if an entry
-     in the san parameter is not separated by a colon.
diff --git a/ChangeLog.d/fix-issue-x509-cert_write.txt b/ChangeLog.d/fix-issue-x509-cert_write.txt
deleted file mode 100644
index 43d67c2..0000000
--- a/ChangeLog.d/fix-issue-x509-cert_write.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix possible NULL dereference issue in X509 cert_write program if an entry
-     in the san parameter is not separated by a colon.
diff --git a/ChangeLog.d/fix-linux-builds-in-conda-forge.txt b/ChangeLog.d/fix-linux-builds-in-conda-forge.txt
deleted file mode 100644
index 5cfee85..0000000
--- a/ChangeLog.d/fix-linux-builds-in-conda-forge.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
-   * Fix build failure in conda-forge.  Fixes #8422.
diff --git a/ChangeLog.d/fix-mingw32-build.txt b/ChangeLog.d/fix-mingw32-build.txt
deleted file mode 100644
index feef0a2..0000000
--- a/ChangeLog.d/fix-mingw32-build.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-  * Fix an inconsistency between implementations and usages of `__cpuid`,
-    which mainly causes failures when building Windows target using
-    mingw or clang. Fixes #8334 & #8332.
diff --git a/ChangeLog.d/fix-new-rn-on-hrr.txt b/ChangeLog.d/fix-new-rn-on-hrr.txt
deleted file mode 100644
index 1b4f5e6..0000000
--- a/ChangeLog.d/fix-new-rn-on-hrr.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * In TLS 1.3 clients, fix an interoperability problem due to the client
-     generating a new random after a HelloRetryRequest. Fixes #8669.
diff --git a/ChangeLog.d/fix-null-dereference-verify-ext.txt b/ChangeLog.d/fix-null-dereference-verify-ext.txt
deleted file mode 100644
index 4654178..0000000
--- a/ChangeLog.d/fix-null-dereference-verify-ext.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
-     an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type.
diff --git a/ChangeLog.d/fix-ssl-session-serialization-config.txt b/ChangeLog.d/fix-ssl-session-serialization-config.txt
deleted file mode 100644
index ca1cc81..0000000
--- a/ChangeLog.d/fix-ssl-session-serialization-config.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix missing bitflags in SSL session serialization headers. Their absence
-     allowed SSL sessions saved in one configuration to be loaded in a
-     different, incompatible configuration.
diff --git a/ChangeLog.d/fix-tls-SuiteB.txt b/ChangeLog.d/fix-tls-SuiteB.txt
deleted file mode 100644
index 0be753a..0000000
--- a/ChangeLog.d/fix-tls-SuiteB.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Remove accidental introduction of RSA signature algorithms
-     in TLS Suite B Profile. Fixes #8221.
diff --git a/ChangeLog.d/fix-tls13-server-min-version-check.txt b/ChangeLog.d/fix-tls13-server-min-version-check.txt
deleted file mode 100644
index 258ec6d..0000000
--- a/ChangeLog.d/fix-tls13-server-min-version-check.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
-     is disabled at runtime. Fixes #8593.
diff --git a/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt b/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt
deleted file mode 100644
index 10e2795..0000000
--- a/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Correct initial capacities for key derivation algorithms:TLS12_PRF,
-     TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
diff --git a/ChangeLog.d/gcm-large-tables.txt b/ChangeLog.d/gcm-large-tables.txt
deleted file mode 100644
index f9bba5b..0000000
--- a/ChangeLog.d/gcm-large-tables.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-    * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
-      operations when hardware accelerated AES is not present. Improves
-      performance by around 30% on 64-bit Intel; 125% on Armv7-M.
diff --git a/ChangeLog.d/gen-key-segfault.txt b/ChangeLog.d/gen-key-segfault.txt
deleted file mode 100644
index fefc702..0000000
--- a/ChangeLog.d/gen-key-segfault.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Avoid segmentation fault caused by releasing not initialized
-     entropy resource in gen_key example. Fixes #8809.
diff --git a/ChangeLog.d/get_ticket_creation_time.txt b/ChangeLog.d/get_ticket_creation_time.txt
deleted file mode 100644
index 7b5166c..0000000
--- a/ChangeLog.d/get_ticket_creation_time.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
-     `mbedtls_ssl_session.ticket_creation_time`.
diff --git a/ChangeLog.d/gnutls_anti_replay_fail.txt b/ChangeLog.d/gnutls_anti_replay_fail.txt
deleted file mode 100644
index cb35284..0000000
--- a/ChangeLog.d/gnutls_anti_replay_fail.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-    * Switch to milliseconds as the unit for ticket creation and reception time
-      instead of seconds. That avoids rounding errors when computing the age of
-      tickets compared to peer using a millisecond clock (observed with GnuTLS).
-      Fixes #6623.
diff --git a/ChangeLog.d/iar-gcc-perf.txt b/ChangeLog.d/iar-gcc-perf.txt
deleted file mode 100644
index fb0fbb1..0000000
--- a/ChangeLog.d/iar-gcc-perf.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
-   * Improve performance for gcc (versions older than 9.3.0) and IAR.
diff --git a/ChangeLog.d/linux-aarch64-hwcap.txt b/ChangeLog.d/linux-aarch64-hwcap.txt
deleted file mode 100644
index 23af878..0000000
--- a/ChangeLog.d/linux-aarch64-hwcap.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
-     acceleration detection when the libc headers do not define the
-     corresponding constant. Reported by valord577.
diff --git a/ChangeLog.d/mbedtls_pk_import_into_psa.txt b/ChangeLog.d/mbedtls_pk_import_into_psa.txt
deleted file mode 100644
index c294f44..0000000
--- a/ChangeLog.d/mbedtls_pk_import_into_psa.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * The new functions mbedtls_pk_get_psa_attributes() and
-     mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
-     key from a PK key.
diff --git a/ChangeLog.d/move-mbedtls-ecc-psa-helpers.txt b/ChangeLog.d/move-mbedtls-ecc-psa-helpers.txt
deleted file mode 100644
index 85d970c..0000000
--- a/ChangeLog.d/move-mbedtls-ecc-psa-helpers.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-    * Moved declaration of functions mbedtls_ecc_group_to_psa and
-      mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
diff --git a/ChangeLog.d/no-cipher.txt b/ChangeLog.d/no-cipher.txt
deleted file mode 100644
index 87f2f6d..0000000
--- a/ChangeLog.d/no-cipher.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
-   * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
-     size by disabling it in more circumstances. In particular, the CCM and
-     GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
-     MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
-     unauthenticated (non-AEAD) ciphers are disabled, or if they're all
-     fully provided by drivers. See docs/driver-only-builds.md for full
-     details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
-     decryption still unconditionally depend on MBEDTLS_CIPHER_C.
diff --git a/ChangeLog.d/non-psa-pk-implementation.txt b/ChangeLog.d/non-psa-pk-implementation.txt
deleted file mode 100644
index 535bbf5..0000000
--- a/ChangeLog.d/non-psa-pk-implementation.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-   * mbedtls_pk_sign_ext() is now always available, not just when
-     PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
diff --git a/ChangeLog.d/pkg-config-files-addition.txt b/ChangeLog.d/pkg-config-files-addition.txt
deleted file mode 100644
index e459470..0000000
--- a/ChangeLog.d/pkg-config-files-addition.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * Add pc files for pkg-config, e.g.:
-     pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
-
diff --git a/ChangeLog.d/pkwrite-pem-use-heap.txt b/ChangeLog.d/pkwrite-pem-use-heap.txt
deleted file mode 100644
index 11db7b6..0000000
--- a/ChangeLog.d/pkwrite-pem-use-heap.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
-   * Use heap memory to allocate DER encoded public/private key.
-     This reduces stack usage significantly for writing a public/private
-     key to a PEM string.
diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt
deleted file mode 100644
index 09779b7..0000000
--- a/ChangeLog.d/psa-shared-memory-protection.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-Security
-   * Passing buffers that are stored in untrusted memory as arguments
-     to PSA functions is now secure by default.
-     The PSA core now protects against modification of inputs or exposure
-     of intermediate outputs during operations. This is currently implemented
-     by copying buffers.
-     This feature increases code size and memory usage. If buffers passed to
-     PSA functions are owned exclusively by the PSA core for the duration of
-     the function call (i.e. no buffer parameters are in shared memory),
-     copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
-     Note that setting this option will cause input-output buffer overlap to
-     be only partially supported (#3266).
-     Fixes CVE-2024-28960
-Bugfix
-   * Fully support arbitrary overlap between inputs and outputs of PSA
-     functions. Note that overlap is still only partially supported when
-     MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
diff --git a/ChangeLog.d/psa_generate_key_ext.txt b/ChangeLog.d/psa_generate_key_ext.txt
deleted file mode 100644
index 8340f01..0000000
--- a/ChangeLog.d/psa_generate_key_ext.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * The new function psa_generate_key_ext() allows generating an RSA
-     key pair with a custom public exponent.
diff --git a/ChangeLog.d/rename-conf-early-data-API.txt b/ChangeLog.d/rename-conf-early-data-API.txt
deleted file mode 100644
index d436811..0000000
--- a/ChangeLog.d/rename-conf-early-data-API.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-API changes
-   * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
-     mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data
-     feature may not be TLS 1.3 specific in the future. Fixes #6909.
diff --git a/ChangeLog.d/rsa-bitlen.txt b/ChangeLog.d/rsa-bitlen.txt
deleted file mode 100644
index bcd185f..0000000
--- a/ChangeLog.d/rsa-bitlen.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
-   * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
-     multiple of 8. Fixes #868.
-
-Features
-   * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus
-     in bits, i.e. the key size for an RSA key.
diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt
deleted file mode 100644
index 5b18eb3..0000000
--- a/ChangeLog.d/sha256-armce-arm.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
-    * Support Armv8-A Crypto Extension acceleration for SHA-256
-      when compiling for Thumb (T32) or 32-bit Arm (A32).
-New deprecations
-    * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
-      MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still
-      be used, but are deprecated.
diff --git a/ChangeLog.d/tls-max-version-reset.txt b/ChangeLog.d/tls-max-version-reset.txt
deleted file mode 100644
index b7c81eb..0000000
--- a/ChangeLog.d/tls-max-version-reset.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
-   * Restore the maximum TLS version to be negotiated to the configured one
-     when an SSL context is reset with the mbedtls_ssl_session_reset() API.
-     An attacker was able to prevent an Mbed TLS server from establishing any
-     TLS 1.3 connection potentially resulting in a Denial of Service or forced
-     version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
-     Fixes CVE-2024-28755.
diff --git a/ChangeLog.d/tls13-only-server.txt b/ChangeLog.d/tls13-only-server.txt
deleted file mode 100644
index 736896e..0000000
--- a/ChangeLog.d/tls13-only-server.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Security
-   * When negotiating TLS version on server side, do not fall back to the
-     TLS 1.2 implementation of the protocol if it is disabled.
-     - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
-       client could put the TLS 1.3-only server in an infinite loop processing
-       a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
-       Matthias Mucha and Thomas Blattmann, SICK AG.
-     - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
-       was able to successfully establish a TLS 1.2 connection with the server.
-       Reported by alluettiv on GitHub.
-    Fixes CVE-2024-28836.
diff --git a/ChangeLog.d/use_exp_mod_core.txt b/ChangeLog.d/use_exp_mod_core.txt
deleted file mode 100644
index 8f7193a..0000000
--- a/ChangeLog.d/use_exp_mod_core.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Changes
-   * mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations,
-     have changed their speed/memory compromise as part of a proactive security
-     improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly
-     preserves the current speed, at the expense of increasing memory
-     consumption.
diff --git a/ChangeLog.d/x509-add-ca_istrue.txt b/ChangeLog.d/x509-add-ca_istrue.txt
deleted file mode 100644
index c950dbc..0000000
--- a/ChangeLog.d/x509-add-ca_istrue.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
-     `mbedtls_x509_crt` structure. This requires setting
-     the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
-     ext_types field.