Fix errors in migration guide

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman 2021-06-29 15:55:08 +01:00
parent 1aea40427f
commit 759c0109f2

View File

@ -10,6 +10,7 @@ Here's the list of breaking changes; each entry should help you answer these
two questions: (1) am I affected? (2) if yes, what's my migration path?
The changes are detailed below, and include:
- Removal of many insecure / obsolete features
- Tidying up of configuration options (including removing some less useful options)
- Changing function signatures (e.g., adding return codes or extra parameters); introducing const to arguments.
@ -36,7 +37,7 @@ used by the Mbed TLS release whose `MBEDTLS_VERSION_NUMBER` has the same
value.
The only value supported by Mbed TLS 3.0.0 is `0x03000000`.
Remove suport for TLS 1.0, 1.1 and DTLS 1.0
Remove support for TLS 1.0, 1.1 and DTLS 1.0
-------------------------------------------
This change affects users of the TLS 1.0, 1.1 and DTLS 1.0 protocols.
@ -53,7 +54,7 @@ also removed, as it was a work-around for a weakness in this particular
version. There is no migration path since the feature is no longer relevant.
As a consequence of currently supporting only one version of (D)TLS (and in the
future 1.3 which will have a different version negociation mechanism), support
future 1.3 which will have a different version negotiation mechanism), support
for fallback SCSV (RFC 7507) was also removed. There is no migration path as
it's no longer useful with TLS 1.2 and later.
@ -260,7 +261,6 @@ and still relied on `compat-1.3.h` in their code.
Please use the new names directly in your code; `scripts/rename.pl` (from any
of the 2.x releases - no longer included in 3.0) might help you do that.
Remove 3DES ciphersuites
--
@ -270,7 +270,8 @@ because the 3DES ciphersuites were disabled by that.
3DES has weaknesses/limitations and there are better alternatives, and more and
more standard bodies are recommending against its use in TLS.
The migration path here is to chose from the recomended in literature alternatives.
The migration path here is to chose from the recommended in literature alternatives.
CCM interface changes: impact for alternative implementations
-------------------------------------------------------------
@ -280,6 +281,7 @@ mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
mbedtls_ccm_update_ad(), mbedtls_ccm_update() and mbedtls_ccm_finish().
Alternative implementations of CCM (`MBEDTLS_CCM_ALT`) have now to
implement those additional five API functions.
Calling `mbedtls_cipher_finish()` is mandatory for all multi-part operations
----------------------------------------------------------------------------
@ -295,6 +297,7 @@ please add it and be prepared to get as much as 15 bytes of output.
Currently the output is always 0 bytes, but it may be more when alternative
implementations of the underlying primitives are in use, or with future
versions of the library.
Combine the `MBEDTLS_SSL_CID_PADDING_GRANULARITY` and `MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY` options
--
@ -309,6 +312,7 @@ code maintenance.
The new single option `MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY` can be used
for both DTLS-CID and TLS 1.3.
Change the API to allow adding critical extensions to CSRs
------------------------------------------------------------------
@ -316,7 +320,7 @@ This affects applications that call the `mbedtls_x509write_csr_set_extension`
function.
The API is changed to include the parameter `critical` which allow to mark an
extension included in a CSR as critical. To get the previous behaviour pass
extension included in a CSR as critical. To get the previous behavior pass TODO
TLS now favors faster curves over larger curves
-----------------------------------------------
@ -324,6 +328,7 @@ TLS now favors faster curves over larger curves
The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred over larger curves.
If you prefer a different order, call `mbedtls_ssl_conf_curves()` when configuring a TLS connection.
GCM interface changes: impact for alternative implementations
-------------------------------------------------------------
@ -334,6 +339,7 @@ The GCM multipart interface has changed as described in [“GCM multipart interf
* Always return the partial output immediately, even if it does not consist of a whole number of blocks.
* Buffer the data for the last partial block, to be returned in the next call to `mbedtls_gcm_update()` or `mbedtls_gcm_finish()`.
* `mbedtls_gcm_finish()` now takes an extra output buffer for the last partial block if needed.
GCM multipart interface: application changes
--------------------------------------------
@ -346,6 +352,7 @@ Applications using one-shot GCM or using GCM via the `mbedtls_cipher_xxx` or `ps
* As long as the input remains block-aligned, the output length is exactly the input length, as before.
* If the length of the last input is not a multiple of 16, alternative implementations may return the last partial block in the call to `mbedtls_gcm_finish()` instead of returning it in the last call to `mbedtls_gcm_update()`.
* `mbedtls_gcm_finish()` now takes an extra output buffer for the last partial block. This is needed for alternative implementations that can only process a whole block at a time.
SSL key export interface change
-------------------------------
@ -382,6 +389,7 @@ handshake transcript hashes which can be obtained from the raw data
on the wire. Such users are also encouraged to reach out to the
Mbed TLS team on the mailing list, to let the team know about their
use case.
The RNG parameter is now mandatory for all functions that accept one
--------------------------------------------------------------------
@ -422,6 +430,7 @@ who were explicitly setting this option.
This was a trade-off between code size and counter-measures; it is no longer
relevant as the counter-measure is now always on at no cost in code size.
Remove MaximumFragmentLength (MFL) query API
-----------------------------------------------------------------
@ -433,7 +442,8 @@ outgoing record.
Users should switch to `mbedtls_ssl_get_max_{in,out}_record_payload()`
instead, which also provides such upper bounds but takes more factors
than just the MFL configuration into account.
Change MBEDTLS_ECP_FIXED_POINT_OPTIM behaviour
Change MBEDTLS_ECP_FIXED_POINT_OPTIM behavior
------------------------------------------------------
The option `MBEDTLS_ECP_FIXED_POINT_OPTIM` now increase code size and it does
@ -456,6 +466,7 @@ MBEDTLS_SHA512_NO_SHA384, then just remove the MBEDTLS_SHA512_NO_SHA384.
If you were using a config file with MBEDTLS_SHA512_C and without
MBEDTLS_SHA512_NO_SHA384 and you need the SHA-384 algorithm, then add
`#define MBEDTLS_SHA384_C` to your config file.
Move part of timing module out of the library
--
@ -465,6 +476,7 @@ The change affects users who use any of the following functions:
If you were relying on these functions, you'll now need to change to using your
platform's corresponding functions directly.
Extra parameter for the output buffer size
------------------------------------------
@ -474,6 +486,7 @@ The following functions now take an extra parameter indicating the size of the o
* `mbedtls_pk_sign()`, `mbedtls_pk_sign_restartable()`
The requirements for the output buffer have not changed, but passing a buffer that is too small now reliably causes the functions to return an error, rather than overflowing the buffer.
Relaxed semantics for PSK configuration
-----------------------------------------------------------------
@ -492,6 +505,7 @@ users calling `mbedtls_ssl_conf_[opaque_]psk()` multiple times should
remove all but the last call, so that only one call to _either_
`mbedtls_ssl_conf_psk()` _or_ `mbedtls_ssl_conf_psk_opaque()`
remains.
Remove the configuration to enable weak ciphersuites in SSL / TLS
-----------------------------------------------------------------
@ -504,6 +518,7 @@ and if your peer doesn't support any, encourage them to upgrade their software.
If you were using a ciphersuite without encryption, you just have to
enable MBEDTLS_CIPHER_NULL_CIPHER now.
Remove the `MBEDTLS_SSL_MAX_CONTENT_LEN` configuration option
-------------------------------------------------------------
@ -514,6 +529,7 @@ which can save memory by reducing the size of the TLS I/O buffers.
This option is replaced by the more fine-grained options
`MBEDTLS_SSL_IN_CONTENT_LEN` and `MBEDTLS_SSL_OUT_CONTENT_LEN` that set
the maximum incoming and outgoing plaintext fragment lengths, respectively.
Remove the option to build the library without any entropy sources
------------------------------------------------------------------
@ -525,6 +541,7 @@ doesn't have any entropy source, you should use `MBEDTLS_ENTROPY_NV_SEED`
and make sure your device is provisioned with a strong random seed.
Alternatively, for testing purposes only, you can create and register a fake
entropy function.
Remove the mode parameter from RSA functions
--------------------------------------------
@ -561,7 +578,7 @@ This affects two classes of users:
Migration paths:
1. Mbed TLS 3.0 does not offer a migration path for the usecase 1: Like many
1. Mbed TLS 3.0 does not offer a migration path for the use case 1: Like many
other Mbed TLS structures, the structure of `mbedtls_ssl_session` is no
longer part of the public API in Mbed TLS 3.0, and direct structure field
access is no longer supported. Please see the corresponding migration guide.
@ -569,10 +586,11 @@ Migration paths:
2. Users should replace calls to `mbedtls_ssl_get_session_pointer()` by
calls to `mbedtls_ssl_get_session()` as demonstrated in the example
program `programs/ssl/ssl_client2.c`.
Remove the config option MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Remove the config option MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
--------------------------------------------------------------------------
This change does not affect users of the default configuration; it only affect
This change does not affect users of the default configuration; it only affects
users who enable this option.
The X.509 standard says that implementations must reject critical extensions that
@ -586,6 +604,7 @@ equivalent to `mbedtls_x509_crt_parse_der()`, and/or
`mbedtls_x509_crt_parse_der_nocopy()` but it calls the callback with every
unsupported certificate extension and additionally the "certificate policies"
extension if it contains any unsupported certificate policies.
Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `mbedtls_config.h`
-------------------------------------------------------------------
@ -604,6 +623,7 @@ disabling it can cause security issues and it is thus not recommended. If the
verification is for some reason undesirable, it can still be disabled by means
of the verification callback function passed to `mbedtls_x509_crt_verify()` (see
the documentation of this function for more information).
Remove MD2, MD4, RC4, Blowfish and XTEA algorithms
--
@ -612,6 +632,7 @@ This change affects users of the MD2, MD4, RC4, Blowfish and XTEA algorithms.
They are already niche or obsolete and most of them are weak or broken. For
those reasons possible users should consider switching to modern and safe
alternatives to be found in literature.
Remove MBEDTLS_SSL_DTLS_BADMAC_LIMIT option
-------------------------------------------
@ -623,6 +644,7 @@ users who didn't need that feature to avoid paying the cost in code size, by
disabling it.
This option is no longer present, but its functionality is now always enabled.
Deprecated functions were removed from AES
------------------------------------------
@ -697,6 +719,7 @@ Deprecated net.h file was removed
The file `include/mbedtls/net.h` was removed because its only function was to
include `mbedtls/net_sockets.h` which now should be included directly.
Remove MBEDTLS_CHECK_PARAMS option
----------------------------------
@ -730,6 +753,7 @@ Validation of enum-like values is somewhat useful, but not extremely important,
because the parameters concerned are usually constants in applications.
For more information see issue #4313.
Remove MBEDTLS_SSL_RECORD_CHECKING option and enable its action by default
--------------------------------------------------------------------------
@ -743,6 +767,7 @@ However, the same effect can be achieve by using link-time garbage collection.
Users who changed the default setting of the option need to change the config/
build system to remove that change.
Remove the `MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3` option
--
@ -798,8 +823,6 @@ and include the `compat_2.x.h` header file which holds macros with proper
renaming or to rename those function in their code according to the list from
mentioned header file.
Signature functions now require the hash length to match the expected value
---------------------------------------------------------------------------
@ -824,6 +847,7 @@ The signature functions in the PK module no longer accept 0 as the `hash_len` pa
* `mbedtls_pk_verify_ext`
The migration path is to pass the correct value to those functions.
Remove the padding parameters from mbedtls_rsa_init()
-----------------------------------------------------
@ -853,6 +877,7 @@ To use PKCS#1 v1.5 padding, instead of
```C
mbedtls_rsa_init(ctx);
```
Separated MBEDTLS_SHA224_C and MBEDTLS_SHA256_C
-----------------------------------------------------------------
@ -864,6 +889,7 @@ If you were using custom config file with MBEDTLS_SHA256_C enabled, then
you will need to add `#define MBEDTLS_SHA224_C` option your config.
Current version of the library does not support enabling MBEDTLS_SHA256_C
without MBEDTLS_SHA224_C.
Session Cache API Change
-----------------------------------------------------------------
@ -890,8 +916,9 @@ Since the structure of `mbedtls_ssl_session` is no longer public from 3.0
onwards, portable session cache implementations must not access fields of
`mbedtls_ssl_session`. See the corresponding migration guide. Users that
find themselves unable to migrate their session cache functionality without
accessing fields of `mbedtls_ssl_session` should describe their usecase
accessing fields of `mbedtls_ssl_session` should describe their use case
on the Mbed TLS mailing list.
SHA-512 and SHA-256 output type change
--------------------------
@ -905,6 +932,7 @@ Removal of some SSL error codes
-----------------------------------------------------------------
This affects users manually checking for the following error codes:
- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
- `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH`
- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE`
@ -915,18 +943,24 @@ This affects users manually checking for the following error codes:
Migration paths:
- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH`
should never be returned from Mbed TLS, and there is no need to check for it.
Users should simply remove manual checks for those codes, and let the Mbed TLS
team know if -- contrary to the team's understanding -- there is in fact a situation
where one of them was ever returned.
- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate
is too large to fit into the output buffers. Users should check for
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially compare the size of their
own certificate against the configured size of the output buffer to understand if
the error is due to an overly large certificate.
-`MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN`, `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE` and all codes of the form `MBEDTLS_ERR_SSL_BAD_HS_XXX` have been replaced by `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`.
is too large to fit into the output buffers.
Users should check for `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially
compare the size of their own certificate against the configured size of the output buffer to
understand if the error is due to an overly large certificate.
- `MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN` and `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE` have been replaced by `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`
Modified semantics of mbedtls_ssl_{get,set}_session()
- all codes of the form `MBEDTLS_ERR_SSL_BAD_HS_XXX` have been replaced by various alternatives.
Modified semantics of mbedtls_ssl_{get,set}_session()
-----------------------------------------------------------------
This affects users who call `mbedtls_ssl_get_session()` or
@ -954,10 +988,10 @@ Migration path:
data instead.
- Calling `mbedtls_ssl_set_session()` multiple times in Mbed TLS 2.x
is not useful since subsequent calls overwrite the effect of previous
calls. Applications achieve equivalent functional behaviour by
calls. Applications achieve equivalent functional behavior by
issuing only the very last call to `mbedtls_ssl_set_session()`.
Turn MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE configuration option into a runtime option
Turn MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE configuration option into a runtime option
--
This change affects users who were enabling MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE