mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-05 18:40:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #9457 from gilles-peskine-arm/announce-4.0-removals-202408

Browse Source 
3.6 only: Announce the main removals planned for 4.0
This commit is contained in:
Janos Follath 2024-08-12 12:41:37 +00:00 committed by GitHub
commit 5435850017
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
ChangeLog.d/announce-4.0-removals.txt Normal file
View File

@ -0,0 +1,39 @@
New deprecations
* The following cryptographic mechanisms are planned to be removed
in Mbed TLS 4.0:
- DES (including 3DES).
- PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
(OAEP, PSS, and PKCS#1v1.5 signature are staying.)
- Finite-field Diffie-Hellman with custom groups.
(RFC 7919 groups remain supported.)
- Elliptic curves of size 225 bits or less.
* The following cipher suites are planned to be removed from (D)TLS 1.2
in Mbed TLS 4.0:
- TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
RSA decryption.
(RSA signatures, i.e. TLS_ECDHE_RSA_*, are staying.)
- TLS_ECDH_*, i.e. cipher suites using static ECDH.
(Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
- TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
(Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
- TLS_*CBC*, i.e. all cipher suites using CBC.
* The following low-level application interfaces are planned to be removed
from the public API in Mbed TLS 4.0:
- Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
- Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
- Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
cipher.h, cmac.h, gcm.h, poly1305.h;
- Private key encryption mechanisms: pkcs5.h, pkcs12.h.
- Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
ecp.h, rsa.h.
The cryptographic mechanisms remain present, but they will only be
accessible via the PSA API (psa_xxx functions introduced gradually
starting with Mbed TLS 2.17) and, where relevant, `pk.h`.
For guidance on migrating application code to the PSA API, please consult
the PSA transition guide (docs/psa-transition.md).
* The following integration interfaces are planned to be removed
in Mbed TLS 4.0:
- MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
Use PSA transparent drivers instead.
- MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
Use PSA opaque drivers instead.