Add documentation warnings for weak algorithms

MD2, MD4, MD5, DES and SHA-1 are considered weak and their use constitutes a security risk. If possible, we recommend avoiding dependencies on them, and considering stronger message digests and ciphers instead.
2025-11-05 08:10:38 +03:00 · 2017-09-25 14:53:51 +01:00
parent 3b8fbaab87
commit bbca8c5d3c
9 changed files with 482 additions and 5 deletions
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -68,6 +68,13 @@
 extern "C" {
 #endif

+/**
+ * \brief     An enumeration of supported ciphers.
+ *
+ * \warning   ARC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. We recommend considering stronger
+ *            ciphers instead.
+ */
 typedef enum {
    MBEDTLS_CIPHER_ID_NONE = 0,
    MBEDTLS_CIPHER_ID_NULL,
@@ -79,6 +86,13 @@ typedef enum {
    MBEDTLS_CIPHER_ID_ARC4,
 } mbedtls_cipher_id_t;

+/**
+ * \brief     An enumeration of supported (cipher, mode) pairs.
+ *
+ * \warning   ARC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. We recommend considering stronger
+ *            ciphers instead.
+ */
 typedef enum {
    MBEDTLS_CIPHER_NONE = 0,
    MBEDTLS_CIPHER_NULL,