Minor updates to migration guide

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman 2021-06-29 18:05:04 +01:00
parent 1cb2331495
commit 949c21b336

View file

@ -11,8 +11,8 @@ two questions: (1) am I affected? (2) if yes, what's my migration path?
The changes are detailed below, and include:
- Removal of many insecure / obsolete features
- Tidying up of configuration options (including removing some less useful options)
- Removal of many insecure or obsolete features
- Tidying up of configuration options (including removing some less useful options).
- Changing function signatures (e.g., adding return codes or extra parameters); introducing const to arguments.
- Removal of functions marked as deprecated in 2.x
@ -258,7 +258,7 @@ This only affects people who've been using Mbed TLS since before version 2.0
and still relied on `compat-1.3.h` in their code.
Please use the new names directly in your code; `scripts/rename.pl` (from any
of the 2.x releases - no longer included in 3.0) might help you do that.
of the 2.x releases no longer included in 3.0) might help you do that.
Remove 3DES ciphersuites
--
@ -289,7 +289,7 @@ using the multi-part API.
Previously, the documentation didn't state explicitly if it was OK to call
`mbedtls_cipher_check_tag()` or `mbedtls_cipher_write_tag()` directly after
the last call to `mbedtls_cipher_update()` - that is, without calling
the last call to `mbedtls_cipher_update()` that is, without calling
`mbedtls_cipher_finish()` in-between. If you code was missing that call,
please add it and be prepared to get as much as 15 bytes of output.
@ -378,8 +378,8 @@ the previous key export API in the following ways:
shutting down the TLS connection.
For users which do not rely on raw keys and IV, adjusting to the new
callback type should be straightforward - see the example programs
programs/ssl/ssl_client2 and programs/ssl/ssl_server2 for callbacks
callback type should be straightforward see the example programs
`programs/ssl/ssl_client2` and `programs/ssl/ssl_server2` for callbacks
for NSSKeylog, EAP-TLS and DTLS-SRTP.
Users which require access to the raw keys used to secure application
@ -418,7 +418,7 @@ This affects users of the following functions: `mbedtls_ecp_check_pub_priv()`,
`mbedtls_pk_parse_keyfile()`.
You now need to pass a properly seeded, cryptographically secure RNG when
calling these functions. It is used for blinding, a counter-measure against
calling these functions. It is used for blinding, a countermeasure against
side-channel attacks.
The configuration option `MBEDTLS_ECP_NO_INTERNAL_RNG` was removed
@ -427,8 +427,8 @@ The configuration option `MBEDTLS_ECP_NO_INTERNAL_RNG` was removed
This doesn't affect users of the default configuration; it only affects people
who were explicitly setting this option.
This was a trade-off between code size and counter-measures; it is no longer
relevant as the counter-measure is now always on at no cost in code size.
This was a trade-off between code size and countermeasures; it is no longer
relevant as the countermeasure is now always on at no cost in code size.
Remove MaximumFragmentLength (MFL) query API
-----------------------------------------------------------------
@ -944,7 +944,7 @@ Migration paths:
should never be returned from Mbed TLS, and there is no need to check for it.
Users should simply remove manual checks for those codes, and let the Mbed TLS
team know if -- contrary to the team's understanding -- there is in fact a situation
team know if — contrary to the team's understanding — there is in fact a situation
where one of them was ever returned.
- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and