From d9d035a5b5210d508fae487d1609207318e9714a Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 6 May 2021 11:53:06 +0200 Subject: [PATCH] Corrections of the migration guide from the code review. Signed-off-by: TRodziewicz --- ...move_deprecated_functions_and_constants.md | 32 ++++++++++++------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md b/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md index 8791649de..b18b3109d 100644 --- a/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md +++ b/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md @@ -1,9 +1,16 @@ Deprecated functions were removed from AES ------------------------------------------ -The functions `mbedtls_aes_encrypt()` and `mbedtls_aes_decrypt()` were removed. -Please use `mbedtls_internal_aes_encrypt()` and `mbedtls_internal_aes_decrypt()` -respectively. +The functions `mbedtls_aes_encrypt()` and `mbedtls_aes_decrypt()` were +removed. + +If you're simply using the AES module, you should be calling the higher-level +functions `mbedtls_aes_crypt_xxx()`. + +If you're providing an alternative implementation using +`MBEDTLS_AES_ENCRYPT_ALT` or `MBEDTLS_AES_DECRYPT_ALT`, you should be +replacing the removed functions with `mbedtls_internal_aes_encrypt()` and +`mbedtls_internal_aes_decrypt()` respectively. Deprecated functions were removed from bignum --------------------------------------------- @@ -20,7 +27,7 @@ The functions `mbedtls_cipher_auth_encrypt()` and `mbedtls_cipher_auth_encrypt_ext()` and `mbedtls_cipher_auth_decrypt_ext()` respectively which additionally support key wrapping algorithms such as NIST_KW. - + Deprecated functions were removed from DRBGs -------------------------------------------- @@ -39,11 +46,11 @@ respectively. Deprecated functions were removed from SSL ------------------------------------------ -The functions `mbedtls_ssl_conf_dh_param()` and -`mbedtls_ssl_get_max_frag_len()` were removed. Please use -`mbedtls_ssl_conf_dh_param_bin()` or `mbedtls_ssl_conf_dh_param_ctx()` and -`mbedtls_ssl_get_output_max_frag_len()` instead. +The function `mbedtls_ssl_conf_dh_param()` was removed. Please use +`mbedtls_ssl_conf_dh_param_bin()` or `mbedtls_ssl_conf_dh_param_ctx()` instead. +The function `mbedtls_ssl_get_max_frag_len()` was removed. Please use +`mbedtls_ssl_get_output_max_frag_len()` instead. Deprecated hex-encoded primes were removed from DHM --------------------------------------------------- @@ -52,13 +59,14 @@ The macros `MBEDTLS_DHM_RFC5114_MODP_2048_P`, `MBEDTLS_DHM_RFC5114_MODP_2048_G`, `MBEDTLS_DHM_RFC3526_MODP_2048_P`, `MBEDTLS_DHM_RFC3526_MODP_2048_G`, `MBEDTLS_DHM_RFC3526_MODP_3072_P`, `MBEDTLS_DHM_RFC3526_MODP_3072_G`, `MBEDTLS_DHM_RFC3526_MODP_4096_P `and `MBEDTLS_DHM_RFC3526_MODP_4096_G` were -removed. The hex-encoded primes from RFC 5114 are deprecated because their -derivation is not documented and therefore their usage constitutes a security -risk. They are removed from the library without replacement. +removed. The primes from RFC 5114 are deprecated because their derivation is not +documented and therefore their usage constitutes a security risk; they are fully +removed from the library. Please use parameters from RFC3526 (still in the +library, only in binary form) or RFC 7919 (also available in the library) or +other trusted sources instead. Deprecated net.h file was removed --------------------------------- The file `include/mbedtls/net.h` was removed because its only function was to include `mbedtls/net_sockets.h` which now should be included directly. -