lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Fllow-up of the review: ChangeLog expansion, mmigration guides added and comments fixed

Browse Source 
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz
2021-05-06 00:53:22 +02:00
parent 0bc3938551
commit c1c479fbe9
6 changed files with 80 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ChangeLog.d/issue4282.txt
View File

@ -1,2 +1,13 @@
Removals Removals
* Remove deprecated functions and constants. Fix #4282 * Remove the following deprecated functions and constants of hex-encoded
primes based on RFC 5114 and RFC 3526 from library code and tests:
mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.

6
configs/config-psa-crypto.h
View File

@ -397,12 +397,6 @@
* of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
* with this definition. * with this definition.
* *
* \note Because of a signature change, the core AES encryption and decryption routines are
* currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
* respectively. When setting up alternative implementations, these functions should
* be overridden, but the wrapper functions mbedtls_internal_aes_decrypt and
* mbedtls_internal_aes_encrypt must stay untouched.
*
* \note If you use the AES_xxx_ALT macros, then is is recommended to also set * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
* MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
* tables. * tables.

64
docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md Normal file
View File

@ -0,0 +1,64 @@
Deprecated functions were removed from AES
------------------------------------------
The functions `mbedtls_aes_encrypt()` and `mbedtls_aes_decrypt()` were removed.
Please use `mbedtls_internal_aes_encrypt()` and `mbedtls_internal_aes_decrypt()`
respectively.
Deprecated functions were removed from bignum
---------------------------------------------
The function `mbedtls_mpi_is_prime()` was removed. Please use
`mbedtls_mpi_is_prime_ext()` instead which additionally allows specifying the
number of Miller-Rabin rounds.
Deprecated functions were removed from cipher
---------------------------------------------
The functions `mbedtls_cipher_auth_encrypt()` and
`mbedtls_cipher_auth_decrypt()` were removed. They were superseded by
`mbedtls_cipher_auth_encrypt_ext()` and `mbedtls_cipher_auth_decrypt_ext()`
respectively which additionally support key wrapping algorithms such as
NIST_KW.
Deprecated functions were removed from DRBGs
--------------------------------------------
The functions `mbedtls_ctr_drbg_update()` and `mbedtls_hmac_drbg_update()`
were removed. They were superseded by `mbedtls_ctr_drbg_update_ret()` and
`mbedtls_hmac_drbg_update_ret()` respectively.
Deprecated functions were removed from ECDSA
--------------------------------------------
The functions `mbedtls_ecdsa_write_signature_det()` and
`mbedtls_ecdsa_sign_det()` were removed. They were superseded by
`mbedtls_ecdsa_write_signature()` and `mbedtls_ecdsa_sign_det_ext()`
respectively.
Deprecated functions were removed from SSL
------------------------------------------
The functions `mbedtls_ssl_conf_dh_param()` and
`mbedtls_ssl_get_max_frag_len()` were removed. Please use
`mbedtls_ssl_conf_dh_param_bin()` or `mbedtls_ssl_conf_dh_param_ctx()` and
`mbedtls_ssl_get_output_max_frag_len()` instead.
Deprecated hex-encoded primes were removed from DHM
---------------------------------------------------
The macros `MBEDTLS_DHM_RFC5114_MODP_2048_P`, `MBEDTLS_DHM_RFC5114_MODP_2048_G`,
`MBEDTLS_DHM_RFC3526_MODP_2048_P`, `MBEDTLS_DHM_RFC3526_MODP_2048_G`,
`MBEDTLS_DHM_RFC3526_MODP_3072_P`, `MBEDTLS_DHM_RFC3526_MODP_3072_G`,
`MBEDTLS_DHM_RFC3526_MODP_4096_P `and `MBEDTLS_DHM_RFC3526_MODP_4096_G` were
removed. The hex-encoded primes from RFC 5114 are deprecated because their
derivation is not documented and therefore their usage constitutes a security
risk. They are removed from the library without replacement.
Deprecated net.h file was removed
---------------------------------
The file `include/mbedtls/net.h` was removed because its only function was to
include `mbedtls/net_sockets.h` which now should be included directly.

10
include/mbedtls/config.h
View File

@ -421,12 +421,6 @@
* of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
* with this definition. * with this definition.
* *
* \note Because of a signature change, the core AES encryption and decryption routines are
* currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
* respectively. When setting up alternative implementations, these functions should
* be overridden, but the wrapper functions mbedtls_internal_aes_decrypt and
* mbedtls_internal_aes_encrypt must stay untouched.
*
* \note If you use the AES_xxx_ALT macros, then is is recommended to also set * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
* MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
* tables. * tables.
@ -445,9 +439,7 @@
* alternative implementations should use the RNG only for generating * alternative implementations should use the RNG only for generating
* the ephemeral key and nothing else. If this is not possible, then * the ephemeral key and nothing else. If this is not possible, then
* MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative * MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
* implementation should be provided for mbedtls_ecdsa_sign_det_ext() * implementation should be provided for mbedtls_ecdsa_sign_det_ext().
* (and for mbedtls_ecdsa_sign_det_ext() too if backward compatibility
* is desirable).
* *
*/ */
//#define MBEDTLS_MD2_PROCESS_ALT //#define MBEDTLS_MD2_PROCESS_ALT

4
library/ecdsa.c
View File

@ -685,7 +685,9 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
ECDSA_VALIDATE_RET( hash != NULL ); ECDSA_VALIDATE_RET( hash != NULL );
ECDSA_VALIDATE_RET( sig != NULL ); ECDSA_VALIDATE_RET( sig != NULL );
ECDSA_VALIDATE_RET( slen != NULL ); ECDSA_VALIDATE_RET( slen != NULL );
ECDSA_VALIDATE_RET( f_rng != NULL );
if( f_rng == NULL )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
mbedtls_mpi_init( &r ); mbedtls_mpi_init( &r );
mbedtls_mpi_init( &s ); mbedtls_mpi_init( &s );

5
tests/suites/test_suite_cipher.function
View File

@ -1008,11 +1008,6 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
* of AEAD decryption and AEAD encryption. Check that * of AEAD decryption and AEAD encryption. Check that
* this results in the expected plaintext, and that * this results in the expected plaintext, and that
* decryption and encryption are inverse to one another. * decryption and encryption are inverse to one another.
*
* Do that twice:
* - once with legacy functions auth_decrypt/auth_encrypt
* - once with new functions auth_decrypt_ext/auth_encrypt_ext
* This allows testing both without duplicating test cases.
*/ */
int ret; int ret;