From c998e43eb4c62d145e29e6e33d8bd8d09d0eaeca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 15 Sep 2022 12:26:32 +0200 Subject: [PATCH] Add ChangeLog entry about driver-only hashes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (The first entry will need editing if support for ENTROPY_C is sorted out before the next release.) Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/driver-only-hashes.txt | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 ChangeLog.d/driver-only-hashes.txt diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt new file mode 100644 index 0000000000..2062bcb57d --- /dev/null +++ b/ChangeLog.d/driver-only-hashes.txt @@ -0,0 +1,20 @@ +Features + * Some crypto modules that previously depended on MD or a low-level hash + module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or + for some features (PEM for encrypted files), are now able to use PSA + Crypto instead when the legacy API is not available. This means it is + now possible to use all features from those modules in configurations + where the built-in implementations of hashes are excluded and the hashes + are only provided by PSA drivers. In these configurations, you need to + call `psa_crypto_init()` before you call any function from those + modules; this is not required in configurations where the built-in + implementation is still available. Note that some crypto modules and + features still depend on the built-in implementation of hashes: + MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it), + MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC. + In particular, for now, compiling without built-in hashes requires use + of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. + * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no + longer depend on MD. This means it is now possible to use them in + configurations where the built-in implementations of hashes are excluded + and the hashes are only provided by PSA drivers.