From 9fc5910bdc8d027f33ae80d2fddbd93f7a688c1b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 15:48:06 +0200 Subject: [PATCH 1/7] Remove 3.0 migration guide Migrating from 2.x to 3.0 is no longer relevant: some of the advice wouldn't work with 4.0. We don't really need a migration guide from 3.x any longer since 2.x is no longer officially supported. Signed-off-by: Gilles Peskine --- docs/3.0-migration-guide.md | 1039 ----------------------------------- 1 file changed, 1039 deletions(-) delete mode 100644 docs/3.0-migration-guide.md diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md deleted file mode 100644 index e927667b7e..0000000000 --- a/docs/3.0-migration-guide.md +++ /dev/null @@ -1,1039 +0,0 @@ -# Migrating from Mbed TLS 2.x to Mbed TLS 3.0 - -This guide details the steps required to migrate from Mbed TLS version 2.x to -Mbed TLS version 3.0 or greater. Unlike normal releases, Mbed TLS 3.0 breaks -compatibility with previous versions, so users (and alt implementers) might -need to change their own code in order to make it work with Mbed TLS 3.0. - -Here's the list of breaking changes; each entry should help you answer these -two questions: (1) am I affected? (2) if yes, what's my migration path? - -The changes are detailed below, and include: - -- Removal of many insecure or obsolete features -- Tidying up of configuration options (including removing some less useful options). -- Changing function signatures, e.g. adding return codes, adding extra parameters, or making some arguments const. -- Removal of functions, macros, and types previously marked as deprecated. - -Much of the information needed to determine a migration path can be found in the Mbed TLS 2.x documentation. - - -## Accessing the Mbed TLS 2.x documentation - -For features previously marked as deprecated, Mbed TLS 2.x documentation may -explain how to upgrade, and should be referred to when migrating code. Where a -migration path is not provided in prior documentation, changes made and the -upgrade steps required will be explained later in this guide. - -It's best to use the latest version of Mbed TLS 2.x for this purpose, which is the 2.28 LTS release. -So to generate the documentation, checkout the `mbedtls-2.28` branch and follow -the instructions in the [Documentation section of the README](https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-2.28/README.md#documentation). -Then browse `apidoc/deprecated.html` for guidance on upgrading deprecated code. - -For some deprecated functions, 2.x documentation will suggest using a variant -suffixed with `_ret`. In Mbed TLS 3.x, this change may not be required, as most -of these variants have been renamed without the suffix. The section -[Rename mbedtls_*_ret...](#rename-mbedtls__ret-cryptography-functions-whose-deprecated-variants-have-been-removed) -has further detail on which functions this applies to. - - -## General changes - -### Introduce a level of indirection and versioning in the config files - -`config.h` was split into `build_info.h` and `mbedtls_config.h`. - -* In code, use `#include `. Don't include `mbedtls/config.h` and don't refer to `MBEDTLS_CONFIG_FILE`. -* In build tools, edit `mbedtls_config.h`, or edit `MBEDTLS_CONFIG_FILE` as before. -* If you had a tool that parsed the library version from `include/mbedtls/version.h`, this has moved to `include/mbedtls/build_info.h`. From C code, both headers now define the `MBEDTLS_VERSION_xxx` macros. - -Also, if you have a custom configuration file: - -* Don't include `check_config.h` or `config_psa.h` anymore. -* Don't define `MBEDTLS_CONFIG_H` anymore. - -A config file version symbol, `MBEDTLS_CONFIG_VERSION` was introduced. -Defining it to a particular value will ensure that Mbed TLS interprets -the config file in a way that's compatible with the config file format -used by the Mbed TLS release whose `MBEDTLS_VERSION_NUMBER` has the same -value. -The only value supported by Mbed TLS 3.0.0 is `0x03000000`. - -### Most structure fields are now private - -Direct access to fields of structures (`struct` types) declared in public headers is no longer supported. In Mbed TLS 3, the layout of structures is not considered part of the stable API, and minor versions (3.1, 3.2, etc.) may add, remove, rename, reorder or change the type of structure fields. - -There is a small number of exceptions where some fields are guaranteed to remain stable throughout the lifetime of Mbed TLS 3.x. These fields are explicitly documented as public. Please note that even if all the fields of a structure are public, future versions may add new fields. Also, as before, some public fields should be considered read-only, since modifying them may make the structure inconsistent; check the documentation in each case. - -Attempting to access a private field directly will result in a compilation error. - -If you were accessing structure fields directly, and these fields are not documented as public, you need to change your code. If an accessor (getter/setter) function exists, use that. Direct accessor functions are usually called `mbedtls__{get,set}_` or `mbedtls___{get,set}_`. Accessor functions that change the format may use different verbs, for example `read`/`write` for functions that import/export data from/to a text or byte string. - -If no accessor function exists, please open an [enhancement request against Mbed TLS](https://github.com/Mbed-TLS/mbedtls/issues/new?template=feature_request.md) and describe your use case. The Mbed TLS development team is aware that some useful accessor functions are missing in the 3.0 release, and we expect to add them to the first minor release(s) (3.1, etc.). - -As a last resort, you can access the field `foo` of a structure `bar` by writing `bar.MBEDTLS_PRIVATE(foo)`. Note that you do so at your own risk, since such code is likely to break in a future minor version of Mbed TLS. In the Mbed TLS 3.6 LTS this will tend to be safer than in a normal minor release because LTS versions try to maintain ABI stability. - -### Move part of timing module out of the library - -The change affects users who use any of the following functions: -`mbedtls_timing_self_test()`, `mbedtls_hardclock_poll()`, -`mbedtls_timing_hardclock()` and `mbedtls_set_alarm()`. - -If you were relying on these functions, you'll now need to change to using your -platform's corresponding functions directly. - -### Deprecated net.h file was removed - -The file `include/mbedtls/net.h` was removed because its only function was to -include `mbedtls/net_sockets.h` which now should be included directly. - -### Remove `MBEDTLS_CHECK_PARAMS` option - -This change does not affect users who use the default configuration; it only -affects users who enabled that option. - -The option `MBEDTLS_CHECK_PARAMS` (disabled by default) enabled certain kinds -of “parameter validation”. It covered two kinds of validations: - -- In some functions that require a valid pointer, “parameter validation” checks -that the pointer is non-null. With the feature disabled, a null pointer is not -treated differently from any other invalid pointer, and typically leads to a -runtime crash. 90% of the uses of the feature are of this kind. -- In some functions that take an enum-like argument, “parameter validation” -checks that the value is a valid one. With the feature disabled, an invalid -value causes a silent default to one of the valid values. - -The default reaction to a failed check was to call a function -`mbedtls_param_failed()` which the application had to provide. If this function -returned, its caller returned an error `MBEDTLS_ERR_xxx_BAD_INPUT_DATA`. - -This feature was only used in some classic (non-PSA) cryptography modules. It was -not used in X.509, TLS or in PSA crypto, and it was not implemented in all -classic crypto modules. - -This feature has been removed. The library no longer checks for NULL pointers; -checks for enum-like arguments will be kept or re-introduced on a case-by-case -basis, but their presence will no longer be dependent on a compile-time option. - -Validation of enum-like values is somewhat useful, but not extremely important, -because the parameters concerned are usually constants in applications. - -For more information see issue #4313. - -### Remove the `MBEDTLS_TEST_NULL_ENTROPY` configuration option - -This does not affect users who use the default `mbedtls_config.h`, as this option was -already off by default. - -If you were using the `MBEDTLS_TEST_NULL_ENTROPY` option and your platform -doesn't have any entropy source, you should use `MBEDTLS_ENTROPY_NV_SEED` -and make sure your device is provisioned with a strong random seed. -Alternatively, for testing purposes only, you can create and register a fake -entropy function. - -### Remove the HAVEGE module - -This doesn't affect people using the default configuration as it was already -disabled by default. - -This only affects users who called the HAVEGE modules directly (not -recommended), or users who used it through the entropy module but had it as the -only source of entropy. If you're in that case, please declare OS or hardware -RNG interfaces with `mbedtls_entropy_add_source()` and/or use an entropy seed -file created securely during device provisioning. See - for more -information. - -### Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0 - -This only affects people who've been using Mbed TLS since before version 2.0 -and still relied on `compat-1.3.h` in their code. - -Please use the new names directly in your code; `scripts/rename.pl` (from any -of the 2.x releases — no longer included in 3.0) might help you do that. - - -## Low-level crypto - -Please also refer to the section [High-level crypto](#high-level-crypto) for -changes that could sit in either category. - -### Deprecated functions were removed from bignum - -The function `mbedtls_mpi_is_prime()` was removed. Please use -`mbedtls_mpi_is_prime_ext()` instead which additionally allows specifying the -number of Miller-Rabin rounds. - -### Deprecated functions were removed from DRBGs - -The functions `mbedtls_ctr_drbg_update_ret()` and `mbedtls_hmac_drbg_update_ret()` -were renamed to replace the corresponding functions without `_ret` appended. Please call -the name without `_ret` appended and check the return value. - -### Deprecated hex-encoded primes were removed from DHM - -The macros `MBEDTLS_DHM_RFC5114_MODP_2048_P`, `MBEDTLS_DHM_RFC5114_MODP_2048_G`, -`MBEDTLS_DHM_RFC3526_MODP_2048_P`, `MBEDTLS_DHM_RFC3526_MODP_2048_G`, -`MBEDTLS_DHM_RFC3526_MODP_3072_P`, `MBEDTLS_DHM_RFC3526_MODP_3072_G`, -`MBEDTLS_DHM_RFC3526_MODP_4096_P `and `MBEDTLS_DHM_RFC3526_MODP_4096_G` were -removed. The primes from RFC 5114 are deprecated because their derivation is not -documented and therefore their usage constitutes a security risk; they are fully -removed from the library. Please use parameters from RFC 3526 (still in the -library, only in binary form) or RFC 7919 (also available in the library) or -other trusted sources instead. - -### Deprecated functions were removed from hashing modules - -Modules: MD5, SHA1, SHA256, SHA512, MD. - -- The functions `mbedtls_xxx_starts_ret()`, `mbedtls_xxx_update_ret()`, - `mbedtls_xxx_finish_ret()` and `mbedtls_xxx_ret()` were renamed to replace - the corresponding functions without `_ret` appended. Please call the name without `_ret` appended and check the return value. -- The function `mbedtls_md_init_ctx()` was removed; please use - `mbedtls_md_setup()` instead. -- The functions `mbedtls_xxx_process()` were removed. You normally don't need - to call that from application code. However if you do (or if you want to - provide your own version of that function), please use - `mbedtls_internal_xxx_process()` instead, and check the return value. - -### Change `MBEDTLS_ECP_FIXED_POINT_OPTIM` behavior - -The option `MBEDTLS_ECP_FIXED_POINT_OPTIM` now increases code size and it does -not increase peak RAM usage anymore. - -If you are limited by code size, you can define `MBEDTLS_ECP_FIXED_POINT_OPTIM` -to `0` in your config file. The impact depends on the number and size of -enabled curves. For example, for P-256 the difference is 1KB; see the documentation -of this option for details. - -### Separated `MBEDTLS_SHA224_C` and `MBEDTLS_SHA256_C` - -This does not affect users who use the default `mbedtls_config.h`. `MBEDTLS_SHA256_C` -was enabled by default. Now both `MBEDTLS_SHA256_C` and `MBEDTLS_SHA224_C` are -enabled. - -If you were using custom config file with `MBEDTLS_SHA256_C` enabled, then -you will need to add `#define MBEDTLS_SHA224_C` option to your config. -Current version of the library does not support enabling `MBEDTLS_SHA256_C` -without `MBEDTLS_SHA224_C`. - -### Replaced `MBEDTLS_SHA512_NO_SHA384` with `MBEDTLS_SHA384_C` - -This does not affect users who use the default `mbedtls_config.h`. -`MBEDTLS_SHA512_NO_SHA384` was disabled by default, now `MBEDTLS_SHA384_C` is -enabled by default. - -If you were using a config file with both `MBEDTLS_SHA512_C` and -MBEDTLS_SHA512_NO_SHA384, then just remove the `MBEDTLS_SHA512_NO_SHA384`. -If you were using a config file with `MBEDTLS_SHA512_C` and without -`MBEDTLS_SHA512_NO_SHA384` and you need the SHA-384 algorithm, then add -`#define MBEDTLS_SHA384_C` to your config file. - -### GCM multipart interface: application changes - -The GCM module now supports arbitrary chunked input in the multipart interface. -This changes the interface for applications using the GCM module directly for multipart operations. -Applications using one-shot GCM or using GCM via the `mbedtls_cipher_xxx` or `psa_aead_xxx` interfaces do not require any changes. - -* `mbedtls_gcm_starts()` now only sets the mode and the nonce (IV). Call the new function `mbedtls_gcm_update_ad()` to pass the associated data. -* `mbedtls_gcm_update()` now takes an extra parameter to indicate the actual output length. In Mbed TLS 2.x, applications had to pass inputs consisting of whole 16-byte blocks except for the last block (this limitation has been lifted). In this case: - * As long as the input remains block-aligned, the output length is exactly the input length, as before. - * If the length of the last input is not a multiple of 16, alternative implementations may return the last partial block in the call to `mbedtls_gcm_finish()` instead of returning it in the last call to `mbedtls_gcm_update()`. -* `mbedtls_gcm_finish()` now takes an extra output buffer for the last partial block. This is needed for alternative implementations that can only process a whole block at a time. - -### GCM interface changes: impact for alternative implementations - -The GCM multipart interface has changed as described in [“GCM multipart interface: application changes”](#gcm-multipart-interface-application-changes). The consequences for an alternative implementation of GCM (`MBEDTLS_GCM_ALT`) are as follows: - -* `mbedtls_gcm_starts()` now only sets the mode and the nonce (IV). The new function `mbedtls_gcm_update_ad()` receives the associated data. It may be called multiple times. -* `mbedtls_gcm_update()` now allows arbitrary-length inputs, takes an extra parameter to indicate the actual output length. Alternative implementations may choose between two modes: - * Always return the partial output immediately, even if it does not consist of a whole number of blocks. - * Buffer the data for the last partial block, to be returned in the next call to `mbedtls_gcm_update()` or `mbedtls_gcm_finish()`. -* `mbedtls_gcm_finish()` now takes an extra output buffer for the last partial block if needed. - -### The configuration option `MBEDTLS_ECP_NO_INTERNAL_RNG` was removed - -This doesn't affect users of the default configuration; it only affects people -who were explicitly setting this option. - -This was a trade-off between code size and countermeasures; it is no longer -relevant as the countermeasure is now always on at no cost in code size. - -### SHA-512 and SHA-256 output type change - -The output parameter of `mbedtls_sha256_finish()`, `mbedtls_sha256()`, `mbedtls_sha512_finish()`, `mbedtls_sha512()` now has a pointer type rather than array type. This makes no difference in terms of C semantics, but removes spurious warnings in some compilers when outputting a SHA-384 hash into a 48-byte buffer or a SHA-224 hash into a 28-byte buffer. - -This makes no difference to a vast majority of applications. If your code takes a pointer to one of these functions, you may need to change the type of the pointer. - -Alternative implementations of the SHA256 and SHA512 modules must adjust their functions' prototype accordingly. - -### Deprecated error codes for hardware failures were removed - -- The macros `MBEDTLS_ERR_xxx_FEATURE_UNAVAILABLE` from various crypto modules - were removed; `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` is now used - instead. -- The macro `MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION` was removed; - `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` is now used instead. -- The macros `MBEDTLS_ERR_xxx_HW_ACCEL_FAILED` from various crypto modules - were removed; `MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED` is now used instead. - -### Deprecated error codes for invalid input data were removed - -- The macros `MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH` from ARIA and Camellia - modules were removed; `MBEDTLS_ERR_xxx_BAD_INPUT_DATA` is now used instead. - -### Remove the mode parameter from RSA functions - -This affects all users who use the RSA encrypt, decrypt, sign and -verify APIs. - -The RSA module no longer supports private-key operations with the public key or -vice versa. As a consequence, RSA operation functions no longer have a mode -parameter. If you were calling RSA operations with the normal mode (public key -for verification or encryption, private key for signature or decryption), remove -the `MBEDTLS_RSA_PUBLIC` or `MBEDTLS_RSA_PRIVATE` argument. If you were calling -RSA operations with the wrong mode, which rarely makes sense from a security -perspective, this is no longer supported. - -### Deprecated functions were removed from AES - -The functions `mbedtls_aes_encrypt()` and `mbedtls_aes_decrypt()` were -removed. - -If you're simply using the AES module, you should be calling the higher-level -functions `mbedtls_aes_crypt_xxx()`. - -If you're providing an alternative implementation using -`MBEDTLS_AES_ENCRYPT_ALT` or `MBEDTLS_AES_DECRYPT_ALT`, you should be -replacing the removed functions with `mbedtls_internal_aes_encrypt()` and -`mbedtls_internal_aes_decrypt()` respectively. - -### Deprecated functions were removed from ECDSA - -The functions `mbedtls_ecdsa_write_signature_det()` and -`mbedtls_ecdsa_sign_det()` were removed. They were superseded by -`mbedtls_ecdsa_write_signature()` and `mbedtls_ecdsa_sign_det_ext()` -respectively. - -### Rename `mbedtls_*_ret()` cryptography functions whose deprecated variants have been removed - -This change affects users who were using the `mbedtls_*_ret()` cryptography -functions. - -Those functions were created based on now-deprecated functions according to a -requirement that a function needs to return a value. This change brings back the -original names of those functions. The renamed functions are: - -| name before this change | after the change | -|--------------------------------|----------------------------| -| `mbedtls_ctr_drbg_update_ret` | `mbedtls_ctr_drbg_update` | -| `mbedtls_hmac_drbg_update_ret` | `mbedtls_hmac_drbg_update` | -| `mbedtls_md5_starts_ret` | `mbedtls_md5_starts` | -| `mbedtls_md5_update_ret` | `mbedtls_md5_update` | -| `mbedtls_md5_finish_ret` | `mbedtls_md5_finish` | -| `mbedtls_md5_ret` | `mbedtls_md5` | -| `mbedtls_ripemd160_starts_ret` | `mbedtls_ripemd160_starts` | -| `mbedtls_ripemd160_update_ret` | `mbedtls_ripemd160_update` | -| `mbedtls_ripemd160_finish_ret` | `mbedtls_ripemd160_finish` | -| `mbedtls_ripemd160_ret` | `mbedtls_ripemd160` | -| `mbedtls_sha1_starts_ret` | `mbedtls_sha1_starts` | -| `mbedtls_sha1_update_ret` | `mbedtls_sha1_update` | -| `mbedtls_sha1_finish_ret` | `mbedtls_sha1_finish` | -| `mbedtls_sha1_ret` | `mbedtls_sha1` | -| `mbedtls_sha256_starts_ret` | `mbedtls_sha256_starts` | -| `mbedtls_sha256_update_ret` | `mbedtls_sha256_update` | -| `mbedtls_sha256_finish_ret` | `mbedtls_sha256_finish` | -| `mbedtls_sha256_ret` | `mbedtls_sha256` | -| `mbedtls_sha512_starts_ret` | `mbedtls_sha512_starts` | -| `mbedtls_sha512_update_ret` | `mbedtls_sha512_update` | -| `mbedtls_sha512_finish_ret` | `mbedtls_sha512_finish` | -| `mbedtls_sha512_ret` | `mbedtls_sha512` | - -To migrate to this change the user can keep the `*_ret` names in their code -and include the `compat_2.x.h` header file which holds macros with proper -renaming or to rename those functions in their code according to the list from -mentioned header file. - -### Remove the RNG parameter from RSA verify functions - -RSA verification functions also no longer take random generator arguments (this -was only needed when using a private key). This affects all applications using -the RSA verify functions. - -### Remove the padding parameters from `mbedtls_rsa_init()` - -This affects all users who use the RSA encrypt, decrypt, sign and -verify APIs. - -The function `mbedtls_rsa_init()` no longer supports selecting the PKCS#1 v2.1 -encoding and its hash. It just selects the PKCS#1 v1.5 encoding by default. If -you were using the PKCS#1 v2.1 encoding you now need, subsequently to the call -to `mbedtls_rsa_init()`, to call `mbedtls_rsa_set_padding()` to set it. - -To choose the padding type when initializing a context, instead of - -```C - mbedtls_rsa_init(ctx, padding, hash_id); -``` - -use - -```C - mbedtls_rsa_init(ctx); - mbedtls_rsa_set_padding(ctx, padding, hash_id); -``` - -To use PKCS#1 v1.5 padding, instead of - -```C - mbedtls_rsa_init(ctx, MBEDTLS_RSA_PKCS_V15, ); -``` - -just use - -```C - mbedtls_rsa_init(ctx); -``` - - -## High-level crypto - -Please also refer to the section [Low-level crypto](#low-level-crypto) for -changes that could sit in either category. - -### Calling `mbedtls_cipher_finish()` is mandatory for all multi-part operations - -This only affects people who use the cipher module to perform AEAD operations -using the multi-part API. - -Previously, the documentation didn't state explicitly if it was OK to call -`mbedtls_cipher_check_tag()` or `mbedtls_cipher_write_tag()` directly after -the last call to `mbedtls_cipher_update()` — that is, without calling -`mbedtls_cipher_finish()` in-between. If your code was missing that call, -please add it and be prepared to get as much as 15 bytes of output. - -Currently the output is always 0 bytes, but it may be more when alternative -implementations of the underlying primitives are in use, or with future -versions of the library. - -### Remove MD2, MD4, RC4, Blowfish and XTEA algorithms - -This change affects users of the MD2, MD4, RC4, Blowfish and XTEA algorithms. - -They are already niche or obsolete and most of them are weak or broken. For -those reasons possible users should consider switching to modern and safe -alternatives to be found in the literature. - -### Deprecated functions were removed from cipher - -The functions `mbedtls_cipher_auth_encrypt()` and -`mbedtls_cipher_auth_decrypt()` were removed. They were superseded by -`mbedtls_cipher_auth_encrypt_ext()` and `mbedtls_cipher_auth_decrypt_ext()` -respectively which additionally support key wrapping algorithms such as -NIST_KW. - -### Extra parameter for the output buffer size - -The following functions now take an extra parameter indicating the size of the output buffer: - -* `mbedtls_ecdsa_write_signature()`, `mbedtls_ecdsa_write_signature_restartable()` -* `mbedtls_pk_sign()`, `mbedtls_pk_sign_restartable()` - -The requirements for the output buffer have not changed, but passing a buffer that is too small now reliably causes the functions to return an error, rather than overflowing the buffer. - -### Signature functions now require the hash length to match the expected value - -This affects users of the PK API as well as users of the low-level API in the RSA module. Users of the PSA API or of the ECDSA module are unaffected. - -All the functions in the RSA module that accept a `hashlen` parameter used to -ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw -data was signed. The `hashlen` parameter is now always the size that is read -from the `hash` input buffer. This length must be equal to the output size of -the hash algorithm used when signing a hash. (The requirements when signing -raw data are unchanged.) This affects the following functions: - -* `mbedtls_rsa_pkcs1_sign`, `mbedtls_rsa_pkcs1_verify` -* `mbedtls_rsa_rsassa_pkcs1_v15_sign`, `mbedtls_rsa_rsassa_pkcs1_v15_verify` -* `mbedtls_rsa_rsassa_pss_sign`, `mbedtls_rsa_rsassa_pss_verify` -* `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_rsa_rsassa_pss_verify_ext` - -The signature functions in the PK module no longer accept 0 as the `hash_len` parameter. The `hash_len` parameter is now always the size that is read from the `hash` input buffer. This affects the following functions: - -* `mbedtls_pk_sign`, `mbedtls_pk_verify` -* `mbedtls_pk_sign_restartable`, `mbedtls_pk_verify_restartable` -* `mbedtls_pk_verify_ext` - -The migration path is to pass the correct value to those functions. - -### Some function parameters were made const - -Various functions in the PK and ASN.1 modules had a `const` qualifier added to -some of their parameters. - -This normally doesn't affect your code, unless you use pointers to reference -those functions. In this case, you'll need to update the type of your pointers -in order to match the new signature. - -### The RNG parameter is now mandatory for all functions that accept one - -This change affects all users who called a function accepting a `f_rng` -parameter with `NULL` as the value of this argument; this is no longer -supported. - -The changed functions are: the X.509 CRT and CSR writing functions; the PK and -RSA sign and decrypt functions; `mbedtls_rsa_private()`; the functions in DHM -and ECDH that compute the shared secret; the scalar multiplication functions in -ECP. - -You now need to pass a properly seeded, cryptographically secure RNG to all -functions that accept a `f_rng` parameter. It is of course still possible to -pass `NULL` as the context pointer `p_rng` if your RNG function doesn't need a -context. - -Alternative implementations of a module (enabled with the `MBEDTLS_module_ALT` -configuration options) may have their own internal and are free to ignore the -`f_rng` argument but must allow users to pass one anyway. - -### Some functions gained an RNG parameter - -This affects users of the following functions: `mbedtls_ecp_check_pub_priv()`, -`mbedtls_pk_check_pair()`, `mbedtls_pk_parse_key()`, and -`mbedtls_pk_parse_keyfile()`. - -You now need to pass a properly seeded, cryptographically secure RNG when -calling these functions. It is used for blinding, a countermeasure against -side-channel attacks. - - -## PSA - -### Deprecated names for PSA constants and types were removed - -Some constants and types that were present in beta versions of the PSA Crypto -API were removed from version 1.0 of specification. Please switch to the new -names provided by the 1.0 specification instead. - - -## Changes that only affect alternative implementations - -### Internal / alt-focused headers were moved to a private location - -This shouldn't affect users who took care not to include headers that -were documented as internal, despite being in the public include directory. - -If you're providing alt implementations of ECP or RSA, you'll need to add our -`library` directory to your include path when building your alt -implementations, and note that `ecp_internal.h` and `rsa_internal.h` have been -renamed to `ecp_internal_alt.h` and `rsa_alt_helpers.h` respectively. - -If you're a library user and used to rely on having access to a structure or -function that's now in a private header, please reach out on the mailing list -and explain your need; we'll consider adding a new API in a future version. - -### CCM interface changes: impact for alternative implementations - -The CCM interface has changed with the addition of support for -multi-part operations. Five new API functions have been defined: - `mbedtls_ccm_starts()`, `mbedtls_ccm_set_lengths()`, - `mbedtls_ccm_update_ad()`, `mbedtls_ccm_update()` and `mbedtls_ccm_finish()`. -Alternative implementations of CCM (`MBEDTLS_CCM_ALT`) have now to -implement those additional five API functions. - - -## X.509 - -### Remove the certs module from the library - -This should not affect production use of the library, as the certificates and -keys included there were never suitable for production use. - -However it might affect you if you relied on them for testing purposes. In -that case, please embed your own test certificates in your test code; now that -`certs.c` is out of the library there is no longer any stability guaranteed -and it may change in incompatible ways at any time. - -### Change the API to allow adding critical extensions to CSRs - -This affects applications that call the `mbedtls_x509write_csr_set_extension` -function. - -The API is changed to include the parameter `critical` which enables marking an -extension included in a CSR as critical. To get the previous behavior pass 0. - -### Remove the config option `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` - -This change does not affect users of the default configuration; it only affects -users who enable this option. - -The X.509 standard says that implementations must reject critical extensions that -they don't recognize, and this is what Mbed TLS does by default. This option -allowed to continue parsing those certificates but didn't provide a convenient -way to handle those extensions. - -The migration path from that option is to use the -`mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally -equivalent to `mbedtls_x509_crt_parse_der()`, and/or -`mbedtls_x509_crt_parse_der_nocopy()` but it calls the callback with every -unsupported certificate extension and additionally the "certificate policies" -extension if it contains any unsupported certificate policies. - -### Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `mbedtls_config.h` - -This change affects users who have chosen the configuration options to disable the -library's verification of the `keyUsage` and `extendedKeyUsage` fields of X.509 -certificates. - -The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE` -configuration options are removed and the X.509 code now behaves as if they were -always enabled. It is consequently not possible anymore to disable at compile -time the verification of the `keyUsage` and `extendedKeyUsage` fields of X.509 -certificates. - -The verification of the `keyUsage` and `extendedKeyUsage` fields is important, -disabling it can cause security issues and it is thus not recommended. If the -verification is for some reason undesirable, it can still be disabled by means -of the verification callback function passed to `mbedtls_x509_crt_verify()` (see -the documentation of this function for more information). - -### Remove the `MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3` option - -This change does not affect users who were using the default configuration, as -this option was already disabled by default. Also, it does not affect users who -are working with current V3 X.509 certificates. - -Extensions were added in V3 of the X.509 specification, so pre-V3 certificates -containing extensions were never compliant. Mbed TLS now rejects them with a -parsing error in all configurations, as it did previously in the default -configuration. - -If you are working with the pre-V3 certificates you need to switch to the -current ones. - -### Strengthen default algorithm selection for X.509 - -This is described in the section [Strengthen default algorithm selection for X.509 and TLS](#strengthen-default-algorithm-selection-for-x.509-and-tls). - -### Remove wrapper for libpkcs11-helper - -This doesn't affect people using the default configuration as it was already -disabled by default. - -If you used to rely on this module in order to store your private keys -securely, please have a look at the key management facilities provided by the -PSA crypto API. If you have a use case that's not covered yet by this API, -please reach out on the mailing list. - - -## SSL - -### Remove support for TLS 1.0, 1.1 and DTLS 1.0 - -This change affects users of the TLS 1.0, 1.1 and DTLS 1.0 protocols. - -These versions have been deprecated by RFC 8996. -Keeping them in the library creates opportunities for misconfiguration -and possibly downgrade attacks. More generally, more code means a larger attack -surface, even if the code is supposedly not used. - -The migration path is to adopt the latest versions of the protocol. - -As a consequence of removing TLS 1.0, support for CBC record splitting was -also removed, as it was a work-around for a weakness in this particular -version. There is no migration path since the feature is no longer relevant. - -As a consequence of currently supporting only one version of (D)TLS (and in the -future 1.3 which will have a different version negotiation mechanism), support -for fallback SCSV (RFC 7507) was also removed. There is no migration path as -it's no longer useful with TLS 1.2 and later. - -As a consequence of currently supporting only one version of (D)TLS (and in the -future 1.3 which will have a different concept of ciphersuites), support for -configuring ciphersuites separately for each version via -`mbedtls_ssl_conf_ciphersuites_for_version()` was removed. Use -`mbedtls_ssl_conf_ciphersuites()` to configure ciphersuites to use with (D)TLS -1.2; in the future a different API will be added for (D)TLS 1.3. - -### Remove support for SSL 3.0 - -This doesn't affect people using the default configuration as it was already -disabled by default. - -This only affects TLS users who explicitly enabled `MBEDTLS_SSL_PROTO_SSL3` -and relied on that version in order to communicate with peers that are not up -to date. If one of your peers is in that case, please try contacting them and -encouraging them to upgrade their software. - -### Remove support for parsing SSLv2 ClientHello - -This doesn't affect people using the default configuration as it was already -disabled by default. - -This only affects TLS servers that have clients who send an SSLv2 ClientHello. -These days clients are very unlikely to do that. If you have a client that -does, please try contacting them and encouraging them to upgrade their -software. - -### Remove support for truncated HMAC - -This affects users of truncated HMAC, that is, users who called -`mbedtls_ssl_conf_truncated_hmac( ..., MBEDTLS_SSL_TRUNC_HMAC_ENABLED)`, -regardless of whether the standard version was used or compatibility version -(`MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT`). - -The recommended migration path for people who want minimal overhead is to use a -CCM-8 ciphersuite. - -### Remove support for TLS record-level compression - -This doesn't affect people using the default configuration as it was already -disabled by default. - -This only affects TLS users who enabled `MBEDTLS_ZLIB_SUPPORT`. This will not -cause any failures however if you used to enable TLS record-level compression -you may find that your bandwidth usage increases without compression. There's -no general solution to this problem; application protocols might have their -own compression mechanisms and are in a better position than the TLS stack to -avoid variants of the CRIME and BREACH attacks. - -### Remove support for TLS RC4-based ciphersuites - -This does not affect people who used the default `mbedtls_config.h` and the default -list of ciphersuites, as RC4-based ciphersuites were already not negotiated in -that case. - -Please switch to any of the modern, recommended ciphersuites (based on -AES-GCM, AES-CCM or ChachaPoly for example) and if your peer doesn't support -any, encourage them to upgrade their software. - -### Remove support for TLS single-DES ciphersuites - -This doesn't affect people using the default configuration as it was already -disabled by default. - -Please switch to any of the modern, recommended ciphersuites (based on -AES-GCM, AES-CCM or ChachaPoly for example) and if your peer doesn't support -any, encourage them to upgrade their software. - -### Remove support for TLS record-level hardware acceleration - -This doesn't affect people using the default configuration as it was already -disabled by default. - -This feature had been broken for a while so we doubt anyone still used it. -However if you did, please reach out on the mailing list and let us know about -your use case. - -### Remove config option `MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME` - -This doesn't affect people using the default configuration. - -This option has not had any effect for a long time. Please use the `lifetime` -parameter of `mbedtls_ssl_ticket_setup()` instead. - -### Combine the `MBEDTLS_SSL_CID_PADDING_GRANULARITY` and `MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY` options - -This change affects users who modified the default `mbedtls_config.h` padding granularity -settings, i.e. enabled at least one of the options. - -The `mbedtls_config.h` options `MBEDTLS_SSL_CID_PADDING_GRANULARITY` and -`MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY` were combined into one option because -they used exactly the same padding mechanism and hence their respective padding -granularities can be used in exactly the same way. This change simplifies the -code maintenance. - -The new single option `MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY` can be used -for both DTLS-CID and TLS 1.3. - -### TLS now favors faster curves over larger curves - -The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred over larger curves. - -If you prefer a different order, call `mbedtls_ssl_conf_groups()` when configuring a TLS connection. - -### SSL key export interface change - -This affects users of the SSL key export APIs: -``` - mbedtls_ssl_conf_export_keys_cb() - mbedtls_ssl_conf_export_keys_ext_cb() -``` - -Those APIs have been removed and replaced by the new API -`mbedtls_ssl_set_export_keys_cb()`. This API differs from -the previous key export API in the following ways: - -- It is no longer bound to an SSL configuration, but to an - SSL context. This allows users to more easily identify the - connection an exported key belongs to. -- It no longer exports raw keys and IV. -- A secret type parameter has been added to identify which key - is being exported. For TLS 1.2, only the master secret is - exported, but upcoming TLS 1.3 support will add other kinds of keys. -- The callback now specifies a void return type, rather than - returning an error code. It is the responsibility of the application - to handle failures in the key export callback, for example by - shutting down the TLS connection. - -For users which do not rely on raw keys and IV, adjusting to the new -callback type should be straightforward — see the example programs -`programs/ssl/ssl_client2` and `programs/ssl/ssl_server2` for callbacks -for NSSKeylog, EAP-TLS and DTLS-SRTP. - -Users which require access to the raw keys used to secure application -traffic may derive those by hand based on the master secret and the -handshake transcript hashes which can be obtained from the raw data -on the wire. Such users are also encouraged to reach out to the -Mbed TLS team on the mailing list, to let the team know about their -use case. - -### Remove MaximumFragmentLength (MFL) query API - -This affects users which use the MFL query APIs -`mbedtls_ssl_get_{input,output}_max_frag_len()` to -infer upper bounds on the plaintext size of incoming and -outgoing record. - -Users should switch to `mbedtls_ssl_get_max_{in,out}_record_payload()` -instead, which also provides such upper bounds but takes more factors -than just the MFL configuration into account. - -### Relaxed semantics for PSK configuration - -This affects users which call the PSK configuration APIs -`mbedtls_ssl_conf_psk()` and `mbedtls_ssl_conf_psk_opaque()` -multiple times on the same SSL configuration. - -In Mbed TLS 2.x, users would observe later calls overwriting -the effect of earlier calls, with the prevailing PSK being -the one that has been configured last. In Mbed TLS 3.0, -calling `mbedtls_ssl_conf_psk[_opaque]()` multiple times -will return an error, leaving the first PSK intact. - -To achieve equivalent functionality when migrating to Mbed TLS 3.0, -users calling `mbedtls_ssl_conf_psk[_opaque]()` multiple times should -remove all but the last call, so that only one call to _either_ -`mbedtls_ssl_conf_psk()` _or_ `mbedtls_ssl_conf_psk_opaque()` -remains. - -### Remove the configuration to enable weak ciphersuites in SSL / TLS - -This does not affect users who use the default `mbedtls_config.h`, as this option was -already off by default. - -If you were using a weak cipher, please switch to any of the modern, -recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example) -and if your peer doesn't support any, encourage them to upgrade their software. - -If you were using a ciphersuite without encryption, you just have to -enable `MBEDTLS_CIPHER_NULL_CIPHER` now. - -### Remove the `MBEDTLS_SSL_MAX_CONTENT_LEN` configuration option - -This affects users who use the `MBEDTLS_SSL_MAX_CONTENT_LEN` option to -set the maximum length of incoming and outgoing plaintext fragments, -which can save memory by reducing the size of the TLS I/O buffers. - -This option is replaced by the more fine-grained options -`MBEDTLS_SSL_IN_CONTENT_LEN` and `MBEDTLS_SSL_OUT_CONTENT_LEN` that set -the maximum incoming and outgoing plaintext fragment lengths, respectively. - -### Remove the SSL API `mbedtls_ssl_get_session_pointer()` - -This affects two classes of users: - -1. Users who manually inspect parts of the current session through - direct structure field access. - -2. Users of session resumption who query the current session - via `mbedtls_ssl_get_session_pointer()` prior to saving or exporting - it via `mbedtls_ssl_session_copy()` or `mbedtls_ssl_session_save()`, - respectively. - -Migration paths: - -1. Mbed TLS 3.0 does not offer a migration path for the use case 1: Like many - other Mbed TLS structures, the structure of `mbedtls_ssl_session` is no - longer part of the public API in Mbed TLS 3.0, and direct structure field - access is no longer supported. Please see the [section on private structure fields](#most-structure-fields-are-now-private) for more details. - -2. Users should replace calls to `mbedtls_ssl_get_session_pointer()` by - calls to `mbedtls_ssl_get_session()` as demonstrated in the example - program `programs/ssl/ssl_client2.c`. - -### Remove `MBEDTLS_SSL_DTLS_BADMAC_LIMIT` option - -This change does not affect users who used the default `mbedtls_config.h`, as the option -`MBEDTLS_SSL_DTLS_BADMAC_LIMIT` was already on by default. - -This option was a trade-off between functionality and code size: it allowed -users who didn't need that feature to avoid paying the cost in code size, by -disabling it. - -This option is no longer present, but its functionality is now always enabled. - -### Deprecated functions were removed from SSL - -The function `mbedtls_ssl_conf_dh_param()` was removed. Please use -`mbedtls_ssl_conf_dh_param_bin()` or `mbedtls_ssl_conf_dh_param_ctx()` instead. - -The function `mbedtls_ssl_get_max_frag_len()` was removed. Please use -`mbedtls_ssl_get_max_out_record_payload()` and -`mbedtls_ssl_get_max_in_record_payload()` -instead. - -### Remove `MBEDTLS_SSL_RECORD_CHECKING` option and enable its action by default - -This change does not affect users who use the default `mbedtls_config.h`, as the -option `MBEDTLS_SSL_RECORD_CHECKING` was already on by default. - -This option was added only to control compilation of one function, - `mbedtls_ssl_check_record()`, which is only useful in some specific cases, so it -was made optional to allow users who don't need it to save some code space. -However, the same effect can be achieved by using link-time garbage collection. - -Users who changed the default setting of the option need to change the config/ -build system to remove that change. - -### Session Cache API Change - -This affects users who use `mbedtls_ssl_conf_session_cache()` -to configure a custom session cache implementation different -from the one Mbed TLS implements in `library/ssl_cache.c`. - -Those users will need to modify the API of their session cache -implementation to that of a key-value store with keys being -session IDs and values being instances of `mbedtls_ssl_session`: - -```C -typedef int mbedtls_ssl_cache_get_t( void *data, - unsigned char const *session_id, - size_t session_id_len, - mbedtls_ssl_session *session ); -typedef int mbedtls_ssl_cache_set_t( void *data, - unsigned char const *session_id, - size_t session_id_len, - const mbedtls_ssl_session *session ); -``` - -Since the structure of `mbedtls_ssl_session` is no longer public from 3.0 -onwards, portable session cache implementations must not access fields of -`mbedtls_ssl_session`. See the corresponding migration guide. Users that -find themselves unable to migrate their session cache functionality without -accessing fields of `mbedtls_ssl_session` should describe their use case -on the Mbed TLS mailing list. - -### Changes in the SSL error code space - -This affects users manually checking for the following error codes: - -- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` -- `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` -- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` -- `MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN` -- `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE` -- `MBEDTLS_ERR_SSL_BAD_HS_XXX` - -Migration paths: -- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and - `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate - is too large to fit into the output buffers. - - Users should check for `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially - compare the size of their own certificate against the configured size of the output buffer to - understand if the error is due to an overly large certificate. - -- `MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN` and `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE` have been - replaced by `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`. - -- All codes of the form `MBEDTLS_ERR_SSL_BAD_HS_XXX` have been replaced by various alternatives, which give more information about the type of error raised. - - Users should check for the newly introduced generic error codes - - * `MBEDTLS_ERR_SSL_DECODE_ERROR` - * `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`, - * `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` - * `MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION` - * `MBEDTLS_ERR_SSL_BAD_CERTIFICATE` - * `MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME` - * `MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION` - * `MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL` - - and the pre-existing generic error codes - - * `MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE` - * `MBEDTLS_ERR_SSL_INTERNAL_ERROR` - - instead. - -### Modified semantics of `mbedtls_ssl_{get,set}_session()` - -This affects users who call `mbedtls_ssl_get_session()` or -`mbedtls_ssl_set_session()` multiple times on the same SSL context -representing an established TLS 1.2 connection. -Those users will now observe the second call to fail with -`MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE`. - -Migration path: -- Exporting the same TLS 1.2 connection multiple times via - `mbedtls_ssl_get_session()` leads to multiple copies of - the same session. This use of `mbedtls_ssl_get_session()` - is discouraged, and the following should be considered: - * If the various session copies are later loaded into - fresh SSL contexts via `mbedtls_ssl_set_session()`, - export via `mbedtls_ssl_get_session()` only once and - load the same session into different contexts via - `mbedtls_ssl_set_session()`. Since `mbedtls_ssl_set_session()` - makes a copy of the session that's being loaded, this - is functionally equivalent. - * If the various session copies are later serialized - via `mbedtls_ssl_session_save()`, export and serialize - the session only once via `mbedtls_ssl_get_session()` and - `mbedtls_ssl_session_save()` and make copies of the raw - data instead. -- Calling `mbedtls_ssl_set_session()` multiple times in Mbed TLS 2.x - is not useful since subsequent calls overwrite the effect of previous - calls. Applications achieve equivalent functional behavior by - issuing only the very last call to `mbedtls_ssl_set_session()`. - -### Turn `MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE` configuration option into a runtime option - -This change affects users who were enabling `MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE` -option in the `mbedtls_config.h` - -This option has been removed and a new function with similar functionality has -been introduced into the SSL API. - -This new function `mbedtls_ssl_conf_preference_order()` can be used to -change the preferred order of ciphersuites on the server to those used on the client, -e.g.: `mbedtls_ssl_conf_preference_order(ssl_config, MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)` -has the same effect as enabling the removed option. The default state is to use -the server order of suites. - -### Strengthen default algorithm selection for X.509 and TLS - -The default X.509 verification profile (`mbedtls_x509_crt_profile_default`) and the default curve and hash selection in TLS have changed. They are now aligned, except that the X.509 profile only lists curves that support signature verification. - -Hashes and curves weaker than 255 bits (security strength less than 128 bits) are no longer accepted by default. The following hashes have been removed: SHA-1 (formerly only accepted for key exchanges but not for certificate signatures), SHA-224 (weaker hashes were already not accepted). The following curves have been removed: secp192r1, secp224r1, secp192k1, secp224k1. - -The compile-time options `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` and `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` are no longer available. - -The curve secp256k1 has also been removed from the default X.509 and TLS profiles. [RFC 8422](https://datatracker.ietf.org/doc/html/rfc8422#section-5.1.1) deprecates it in TLS, and it is very rarely used, although it is not known to be weak at the time of writing. - -If you still need to accept certificates signed with algorithms that have been removed from the default profile, call `mbedtls_x509_crt_verify_with_profile` instead of `mbedtls_x509_crt_verify` and pass a profile that allows the curves and hashes you want. For example, to allow SHA-224: -```C -mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default; -my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ); -``` - -If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_groups()` with the desired lists. - -### Remove 3DES ciphersuites - -This change does not affect users using default settings for 3DES in `mbedtls_config.h` -because the 3DES ciphersuites were disabled by that. - -3DES has weaknesses/limitations and there are better alternatives, and more and -more standard bodies are recommending against its use in TLS. - -The migration path here is to chose from the alternatives recommended in the -literature, such as AES. From e79923c65de283ddf4a871b2d1f8f346ebdf3a39 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 15:50:20 +0200 Subject: [PATCH 2/7] Consolidate migration guide chapters into a single file Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide.md | 599 ++++++++++++++++++ docs/4.0-migration-guide/configuration.md | 44 -- .../deprecated-removals.md | 14 - docs/4.0-migration-guide/error-codes.md | 37 -- docs/4.0-migration-guide/feature-removals.md | 152 ----- .../function-prototype-changes.md | 89 --- docs/4.0-migration-guide/oid.md | 7 - docs/4.0-migration-guide/private-decls.md | 33 - docs/4.0-migration-guide/psa-only.md | 23 - docs/4.0-migration-guide/repo-split.md | 200 ------ 10 files changed, 599 insertions(+), 599 deletions(-) create mode 100644 docs/4.0-migration-guide.md delete mode 100644 docs/4.0-migration-guide/configuration.md delete mode 100644 docs/4.0-migration-guide/deprecated-removals.md delete mode 100644 docs/4.0-migration-guide/error-codes.md delete mode 100644 docs/4.0-migration-guide/feature-removals.md delete mode 100644 docs/4.0-migration-guide/function-prototype-changes.md delete mode 100644 docs/4.0-migration-guide/oid.md delete mode 100644 docs/4.0-migration-guide/private-decls.md delete mode 100644 docs/4.0-migration-guide/psa-only.md delete mode 100644 docs/4.0-migration-guide/repo-split.md diff --git a/docs/4.0-migration-guide.md b/docs/4.0-migration-guide.md new file mode 100644 index 0000000000..83ec90ca92 --- /dev/null +++ b/docs/4.0-migration-guide.md @@ -0,0 +1,599 @@ +## CMake as the only build system +Mbed TLS now uses CMake exclusively to configure and drive its build process. +Support for the GNU Make and Microsoft Visual Studio project-based build systems has been removed. + +The previous `.sln` and `.vcxproj` files are no longer distributed or generated. + +See the `Compiling` section in README.md for instructions on building the Mbed TLS libraries and tests with CMake. +If you develop in Microsoft Visual Studio, you could either generate a Visual Studio solution using a CMake generator, or open the CMake project directly in Visual Studio. + +### Translating Make commands to CMake + +With the removal of GNU Make support, all build, test, and installation operations must now be performed using CMake. +This section provides a quick reference for translating common `make` commands into their CMake equivalents. + +#### Basic build workflow + +Run `cmake -S . -B build` once before building to configure the build and generate native build files (e.g., Makefiles) in the `build` directory. +This sets up an out-of-tree build, which is recommended. + +| Make command | CMake equivalent | Description | +|----------------|------------------------------------------------|--------------------------------------------------------------------| +| `make` | `cmake --build build` | Build the libraries, programs, and tests in the `build` directory. | +| `make test` | `ctest --test-dir build` | Run the tests produced by the previous build. | +| `make clean` | `cmake --build build --target clean` | Remove build artifacts produced by the previous build. | +| `make install` | `cmake --install build --prefix build/install` | Install the built libraries, headers, and tests to `build/install`. | + +#### Building specific targets + +Unless otherwise specified, the CMake command in the table below should be preceded by a `cmake -S . -B build` call to configure the build and generate build files in the `build` directory. + +| Make command | CMake equivalent | Description | +|-----------------|---------------------------------------------------------------------|---------------------------| +| `make lib` | `cmake --build build --target lib` | Build only the libraries. | +| `make tests` | `cmake -S . -B build -DENABLE_PROGRAMS=Off && cmake --build build` | Build test suites. | +| `make programs` | `cmake --build build --target programs` | Build example programs. | +| `make apidoc` | `cmake --build build --target mbedtls-apidoc` | Build documentation. | + +Target names may differ slightly; use `cmake --build build --target help` to list all available CMake targets. + +There is no CMake equivalent for `make generated_files` or `make neat`. +Generated files are automatically created in the build tree with `cmake --build build` and removed with `cmake --build build --target clean`. +If you need to build the generated files in the source tree without involving CMake, you can call `framework/scripts/make_generated_files.py`. + +There is currently no equivalent for `make uninstall` in the Mbed TLS CMake build system. + +#### Common build options + +The following table illustrates the approximate CMake equivalents of common make commands. +Most CMake examples show only the configuration step, others (like installation) correspond to different stages of the build process. + +| Make usage | CMake usage | Description | +|----------------------------|-------------------------------------------------------|----------------------| +| `make DEBUG=1` | `cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug` | Build in debug mode. | +| `make SHARED=1` | `cmake -S . -B build -DUSE_SHARED_MBEDTLS_LIBRARY=On` | Also build shared libraries. | +| `make GEN_FILES=""` | `cmake -S . -B build -DGEN_FILES=OFF` | Skip generating files (not a strict equivalent). | +| `make DESTDIR=install_dir` | `cmake --install build --prefix install_dir` | Specify installation path. | +| `make CC=clang` | `cmake -S . -B build -DCMAKE_C_COMPILER=clang` | Set the compiler. | +| `make CFLAGS='-O2 -Wall'` | `cmake -S . -B build -DCMAKE_C_FLAGS="-O2 -Wall"` | Set compiler flags. | + +## Repository split +In Mbed TLS 4.0, the project was split into two repositories: +- [Mbed TLS](https://github.com/Mbed-TLS/mbedtls): provides TLS and X.509 functionality. +- [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto): provides the standalone cryptography library, implementing the PSA Cryptography API. +Mbed TLS consumes TF-PSA-Crypto as a submodule. +You should stay with Mbed TLS if you use TLS or X.509 functionality. You still have direct access to the cryptography library. + +### File and directory relocations + +The following table summarizes the file and directory relocations resulting from the repository split between Mbed TLS and TF-PSA-Crypto. +These changes reflect the move of cryptographic, cryptographic-adjacent, and platform components from Mbed TLS into the new TF-PSA-Crypto repository. + +| Original location | New location(s) | Notes | +|-----------------------------------------|--------------------------------------------------------------------------------------|-------| +| `library/*` () | `tf-psa-crypto/core/`
`tf-psa-crypto/drivers/builtin/src/` | Contains cryptographic, cryptographic-adjacent (e.g., ASN.1, Base64), and platform C modules and headers. | +| `include/mbedtls/*` () | `tf-psa-crypto/include/mbedtls/`
`tf-psa-crypto/drivers/builtin/include/private/` | Public headers moved to `include/mbedtls`; now internal headers moved to `include/private`. | +| `include/psa` | `tf-psa-crypto/include/psa` | All PSA headers consolidated here. | +| `3rdparty/everest`
`3rdparty/p256-m` | `tf-psa-crypto/drivers/everest`
`tf-psa-crypto/drivers/p256-m` | Third-party crypto driver implementations. | + +() The `library` and `include/mbedtls` directories still exist in Mbed TLS, but now contain only TLS and X.509 components. + +### Configuration file split +Cryptography and platform configuration options have been moved from `include/mbedtls/mbedtls_config.h` to `tf-psa-crypto/include/psa/crypto_config.h`, which is now mandatory. +See [Compile-time configuration](#compile-time-configuration). + +The header `include/mbedtls/mbedtls_config.h` still exists and now contains only the TLS and X.509 configuration options. + +If you use the Python script `scripts/config.py` to adjust your configuration, you do not need to modify your scripts to specify which configuration file to edit, the script automatically updates the correct file. + +There have been significant changes in the configuration options, primarily affecting cryptography. + +#### Cryptography configuration +- See [psa-transition.md](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/docs/psa-transition.md#compile-time-configuration). +- See also the following sections in the TF-PSA-Crypto 1.0 migration guide: + - *PSA as the Only Cryptography API* and its sub-section *Impact on the Library Configuration* + - *Random Number Generation Configuration* + +#### TLS configuration +For details about TLS-related changes, see [Changes to TLS options](#changes-to-tls-options). + +### Impact on some usages of the library + +#### Checking out a branch or a tag +After checking out a branch or tag of the Mbed TLS repository, you must now recursively update the submodules, as TF-PSA-Crypto contains itself a nested submodule: +``` +git submodule update --init --recursive +``` + +#### Linking directly to a built library + +The Mbed TLS CMake build system still provides the cryptography libraries under their legacy name, `libmbedcrypto.`, so you can continue linking against them. +These libraries are still located in the `library` directory within the build tree. + +The cryptography libraries are also now provided as `libtfpsacrypto.`, consistent with the naming used in the TF-PSA-Crypto repository. + +You may need to update include paths to the public header files, see [File and Directory Relocations](#file-and-directory-relocations) for details. + +#### Using Mbed TLS as a CMake subproject + +The base name of the libraries are now `tfpsacrypto` (formely `mbedcrypto`), `mbedx509` and `mbedtls`. +As before, these base names are also the names of CMake targets to build each library. +If your CMake scripts reference a cryptography library target, you need to update its name accordingly. + +For example, the following CMake code: +``` +target_link_libraries(mytarget PRIVATE mbedcrypto) +``` +should be updated to: +``` +target_link_libraries(mytarget PRIVATE tfpsacrypto) +``` + +You can refer to the following example demonstrating how to consume Mbed TLS as a CMake subproject: +- `programs/test/cmake_subproject` + +#### Using Mbed TLS as a CMake package + +The same renaming applies to the cryptography library targets declared as part of the Mbed TLS CMake package, use `MbedTLS::tfpsacrypto` instead of `MbedTLS::mbedcrypto`. + +For example, the following CMake code: +``` +find_package(MbedTLS REQUIRED) +target_link_libraries(myapp PRIVATE MbedTLS::mbedcrypto) +``` +should be updated to: +``` +find_package(MbedTLS REQUIRED) +target_link_libraries(myapp PRIVATE MbedTLS::tfpsacrypto) +``` +You can also refer to the following example programs demonstrating how to consume Mbed TLS as a CMake package: +- `programs/test/cmake_package` +- `programs/test/cmake_package_install` + +#### Using the Mbed TLS Crypto pkg-config file + +The Mbed TLS CMake build system still provides the pkg-config file mbedcrypto.pc, so you can continue using it. +Internally, it now references the tfpsacrypto library. + +A new pkg-config file, `tfpsacrypto.pc`, is also provided. +Both `mbedcrypto.pc` and `tfpsacrypto.pc` are functionally equivalent, providing the same compiler and linker flags. + +#### Using Mbed TLS as an installed library + +The Mbed TLS CMake build system still installs the cryptography libraries under their legacy name, `libmbedcrypto.`, so you can continue linking against them. +The cryptography library is also now provided as `libtfpsacrypto.`. + +Regarding the headers, the main change is the relocation of some headers to subdirectories called `private`. +These headers are installed primarily to satisfy compiler dependencies. +Others remain for historical reasons and may be cleaned up in later versions of the library. + +We strongly recommend not relying on the declarations in these headers, as they may be removed or modified without notice. +See the section Private Declarations in the TF-PSA-Crypto 1.0 migration guide for more information. + +Finally, note the new `include/tf-psa-crypto` directory, which contains the TF-PSA-Crypto version and build-time configuration headers. + +### Audience-Specific Notes + +#### Application Developers using a distribution package +- See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: + - Linking against the cryptography library or CMake targets. + - Using the Mbed TLS Crypto pkg-config file. + - Using Mbed TLS as an installed library + +### Developer or package maintainers +If you build or distribute Mbed TLS: +- The build system is now CMake only, Makefiles and Visual Studio projects are removed. +- You may need to adapt packaging scripts to handle the TF-PSA-Crypto submodule. +- You should update submodules recursively after checkout. +- Review [File and directory relocations](#file-and-directory-relocations) for updated paths. +- See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: + - Linking against the cryptography library or CMake targets. + - Using the Mbed TLS Crypto pkg-config file (`mbedcrypto.pc` or `tfpsacrypto.pc`). + - Using Mbed TLS as an installed library +- Configuration note: cryptography and platform options are now in `crypto_config.h` (see [Configuration file split](#configuration-file-split)). + +### Platform Integrators +If you integrate Mbed TLS with a platform or hardware drivers: +- TF-PSA-Crypto is now a submodule, update integration scripts to initialize submodules recursively. +- The PSA driver wrapper is now generated in TF-PSA-Crypto. +- Platform-specific configuration are now handled in `crypto_config.h`. +- See [Repository split](#repository-split) for how platform components moved to TF-PSA-Crypto. +## Compile-time configuration + +### Configuration file split + +All configuration options that are relevant to TF-PSA-Crypto must now be configured in one of its configuration files, namely: + +* `TF_PSA_CRYPTO_CONFIG_FILE`, if set on the preprocessor command line; +* otherwise ``; +* additionally `TF_PSA_CRYPTO_USER_CONFIG_FILE`, if set. + +Configuration options that are relevant to X.509 or TLS should still be set in the Mbed TLS configuration file (`MBEDTLS_CONFIG_FILE` or ``, plus `MBEDTLS_USER_CONFIG_FILE` if it is set). However, you can define all options in the crypto configuration, and Mbed TLS will pick them up. + +Generally speaking, the options that must be configured in TF-PSA-Crypto are: + +* options related to platform settings; +* options related to the choice of cryptographic mechanisms included in the build; +* options related to the inner workings of cryptographic mechanisms, such as size/memory/performance compromises; +* options related to crypto-adjacent features, such as ASN.1 and Base64. + +See `include/psa/crypto_config.h` in TF-PSA-Crypto and `include/mbedtls/mbedtls_config.h` in Mbed TLS for details. + +Notably, `` is no longer limited to `PSA_WANT_xxx` options. + +Note that many options related to cryptography have changed; see the TF-PSA-Crypto migration guide for details. + +### Split of `build_info.h` and `version.h` + +The header file ``, which includes the configuration file and provides the adjusted configuration macros, now has an similar file `` in TF-PSA-Crypto. The Mbed TLS header includes the TF-PSA-Crypto header, so including `` remains sufficient to obtain information about the crypto configuration. + +TF-PSA-Crypto exposes its version through ``, similar to `` in Mbed TLS. + +### Removal of `check_config.h` + +The header `mbedtls/check_config.h` is no longer present. Including it from user configuration files was already obsolete in Mbed TLS 3.x, since it enforces properties the configuration as adjusted by `mbedtls/build_info.h`, not properties that the user configuration is expected to meet. + +### Changes to TLS options + +#### Enabling null cipher suites + +The option to enable null cipher suites in TLS 1.2 has been renamed from `MBEDTLS_CIPHER_NULL_CIPHER` to `MBEDTLS_SSL_NULL_CIPHERSUITES`. It remains disabled in the default configuration. + +#### Removal of backward compatibility options + +The option `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` has been removed. Only the version standardized in RFC 9146 is supported now. +## PSA as the only cryptography API + +The PSA API is now the only API for cryptographic primitives. + +### Impact on application code + +The X.509, PKCS7 and SSL modules always use PSA for cryptography, with a few exceptions documented in the [PSA limitations](../architecture/psa-migration/psa-limitations.md) document. (These limitations are mostly transparent unless you want to leverage PSA accelerator drivers.) This corresponds to the behavior of Mbed TLS 3.x when `MBEDTLS_USE_PSA_CRYPTO` is enabled. In effect, `MBEDTLS_USE_PSA_CRYPTO` is now always enabled. + +`psa_crypto_init()` must be called before performing any cryptographic operation, including indirect requests such as parsing a key or certificate or starting a TLS handshake. + +A few functions take different parameters to migrate them to the PSA API. See “[Function prototype changes](#function-prototype-changes)”. + +### No random generator instantiation + +Formerly, applications using TLS, asymmetric cryptography operations involving a private key, or other features needing random numbers, needed to provide a random generator, generally by instantiating an entropy context (`mbedtls_entropy_context`) and a DRBG context (`mbedtls_ctr_drbg_context` or `mbedtls_hmac_drbg_context`). This is no longer necessary, or possible. All features that require a random generator (RNG) now use the one provided by the PSA subsystem. + +Instead, applications that use random generators or keys (even public keys) need to call `psa_crypto_init()` before any cryptographic operation or key management operation. + +See also [function prototype changes](#function-prototype-changes), many of which are related to the move from RNG callbacks to a global RNG. + +### Impact on the library configuration + +Mbed TLS follows the configuration of TF-PSA-Crypto with respect to cryptographic mechanisms. They are now based on `PSA_WANT_xxx` macros instead of legacy configuration macros such as `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15`, etc. The configuration of X.509 and TLS is not directly affected by the configuration. However, applications and middleware that rely on these configuration symbols to know which cryptographic mechanisms to support will need to migrate to `PSA_WANT_xxx` macros. For more information, consult the PSA transition guide in TF-PSA-Crypto. +## Private declarations + +Since Mbed TLS 3.0, some things that are declared in a public header are not part of the stable application programming interface (API), but instead are considered private. Private elements may be removed or may have their semantics changed in a future minor release without notice. + +### Understanding private declarations in public headers + +In Mbed TLS 4.x, private elements in header files include: + +* Anything appearing in a header file whose path contains `/private` (unless re-exported and documented in another non-private header). +* Structure and union fields declared with `MBEDTLS_PRIVATE(field_name)` in the source code, and appearing as `private_field_name` in the rendered documentation. (This was already the case since Mbed TLS 3.0.) +* Any preprocessor macro that is not documented with a Doxygen comment. + In the source code, Doxygen comments start with `/**` or `/*!`. If a macro only has a comment above that starts with `/*`, the macro is considered private. + In the rendered documentation, private macros appear with only an automatically rendered parameter list, value and location, but no custom text. +* Any declaration that is guarded by the preprocessor macro `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS`. + +### Usage of private declarations + +Some private declarations are present in public headers for technical reasons, because they need to be visible to the compiler. Others are present for historical reasons and may be cleaned up in later versions of the library. We strongly recommend against relying on these declarations, since they may be removed or may have their semantics changed without notice. + +Note that Mbed TLS 4.0 still relies on some private interfaces of TF-PSA-Crypto 1.0. We expect to remove this reliance gradually in future minor releases. + +Sample programs have not been fully updated yet and some of them might still +use APIs that are no longer public. You can recognize them by the fact that they +define the macro `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` (or +`MBEDTLS_ALLOW_PRIVATE_ACCESS`) at the very top (before including headers). When +you see one of these two macros in a sample program, be aware it has not been +updated and parts of it do not demonstrate current practice. + +We strongly recommend against defining `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` or +`MBEDTLS_ALLOW_PRIVATE_ACCESS` in your own application. If you do so, your code +may not compile or work with future minor releases. If there's something you +want to do that you feel can only be achieved by using one of these two macros, +please reach out on github or the mailing list. +## Error codes + +### Unified error code space + +The convention still applies that functions return 0 for success and a negative value between -32767 and -1 on error. PSA functions (`psa_xxx()` or `mbedtls_psa_xxx()`) still return a `PSA_ERROR_xxx` error codes. Non-PSA functions (`mbedtls_xxx()` excluding `mbedtls_psa_xxx()`) can return either `PSA_ERROR_xxx` or `MBEDTLS_ERR_xxx` error codes. + +There may be cases where an `MBEDTLS_ERR_xxx` constant has the same numerical value as a `PSA_ERROR_xxx`. In such cases, they have the same meaning: they are different names for the same error condition. + +### Simplified legacy error codes + +All values returned by a function to indicate an error now have a defined constant named `MBEDTLS_ERR_xxx` or `PSA_ERROR_xxx`. Functions no longer return the sum of a “low-level” and a “high-level” error code. + +Generally, functions that used to return the sum of two error codes now return the low-level code. However, as before, the exact error code returned in a given scenario can change without notice unless the condition is specifically described in the function's documentation and no other condition is applicable. + +As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_level_strerr()` no longer exist. + +### Removed error code names + +Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface. + +| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | +|-----------------------------------------|---------------------------------| +| `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` | +| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | +| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | +| `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_PKCS7_VERIFY_FAIL` | `PSA_ERROR_INVALID_SIGNATURE` | +| `MBEDTLS_ERR_SSL_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_X509_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | + +See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules. +## Removal of deprecated functions + +### Removal of deprecated X.509 functions + +The deprecated function `mbedtls_x509write_crt_set_serial()` has been removed. The function was superseded by `mbedtls_x509write_crt_set_serial_raw()`. + +### Removal of deprecated SSL functions + +The deprecated function `mbedtls_ssl_conf_curves()` has been removed. +The function was superseded by `mbedtls_ssl_conf_groups()`. + +### Removal of `compat-2.x.h` + +The header `compat-2.x.h`, containing some definitions for backward compatibility with Mbed TLS 2.x, has been removed. +## Removed features + +### Removal of obsolete key exchanges methods in (D)TLS 1.2 + +Mbed TLS 4.0 no longer supports key exchange methods that rely on finite-field Diffie-Hellman (DHE) in TLS 1.2 and DTLS 1.2. (Only ephemeral Diffie-Hellman was ever supported, Mbed TLS 3.x already did not support static Diffie-Hellman.) Finite-field Diffie-Hellman remains supported in TLS 1.3. + +Mbed TLS 4.0 no longer supports key exchange methods that rely on RSA decryption (without forward secrecy). RSA signatures remain supported. This affects TLS 1.2 and DTLS 1.2 (TLS 1.3 does not have key exchanges using RSA decryption). + +That is, the following key exchange types are no longer supported: + +* RSA-PSK; +* RSA (i.e. cipher suites using only RSA decryption: cipher suites using RSA signatures remain supported); +* DHE-PSK (except in TLS 1.3); +* DHE-RSA (except in TLS 1.3). +* static ECDH (ECDH-RSA and ECDH-ECDSA, as opposed to ephemeral ECDH (ECDHE) which remains supported). + +The full list of removed cipher suites is: + +``` +TLS-DHE-PSK-WITH-AES-128-CBC-SHA +TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 +TLS-DHE-PSK-WITH-AES-128-CCM +TLS-DHE-PSK-WITH-AES-128-CCM-8 +TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 +TLS-DHE-PSK-WITH-AES-256-CBC-SHA +TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 +TLS-DHE-PSK-WITH-AES-256-CCM +TLS-DHE-PSK-WITH-AES-256-CCM-8 +TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 +TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 +TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 +TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 +TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 +TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 +TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 +TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 +TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 +TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 +TLS-DHE-PSK-WITH-NULL-SHA +TLS-DHE-PSK-WITH-NULL-SHA256 +TLS-DHE-PSK-WITH-NULL-SHA384 +TLS-DHE-RSA-WITH-AES-128-CBC-SHA +TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 +TLS-DHE-RSA-WITH-AES-128-CCM +TLS-DHE-RSA-WITH-AES-128-CCM-8 +TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +TLS-DHE-RSA-WITH-AES-256-CBC-SHA +TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 +TLS-DHE-RSA-WITH-AES-256-CCM +TLS-DHE-RSA-WITH-AES-256-CCM-8 +TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 +TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 +TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 +TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 +TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 +TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA +TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 +TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 +TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA +TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 +TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 +TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 +TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA +TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 +TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 +TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA +TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 +TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 +TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 +TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 +TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 +TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 +TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 +TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 +TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 +TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 +TLS-ECDH-ECDSA-WITH-NULL-SHA +TLS-ECDH-RSA-WITH-AES-128-CBC-SHA +TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256 +TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256 +TLS-ECDH-RSA-WITH-AES-256-CBC-SHA +TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384 +TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 +TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256 +TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256 +TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384 +TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384 +TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256 +TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256 +TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384 +TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384 +TLS-ECDH-RSA-WITH-NULL-SHA +TLS-RSA-PSK-WITH-AES-128-CBC-SHA +TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 +TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 +TLS-RSA-PSK-WITH-AES-256-CBC-SHA +TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 +TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 +TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 +TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 +TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 +TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 +TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 +TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 +TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 +TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 +TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 +TLS-RSA-PSK-WITH-NULL-SHA +TLS-RSA-PSK-WITH-NULL-SHA256 +TLS-RSA-PSK-WITH-NULL-SHA384 +TLS-RSA-WITH-AES-128-CBC-SHA +TLS-RSA-WITH-AES-128-CBC-SHA256 +TLS-RSA-WITH-AES-128-CCM +TLS-RSA-WITH-AES-128-CCM-8 +TLS-RSA-WITH-AES-128-GCM-SHA256 +TLS-RSA-WITH-AES-256-CBC-SHA +TLS-RSA-WITH-AES-256-CBC-SHA256 +TLS-RSA-WITH-AES-256-CCM +TLS-RSA-WITH-AES-256-CCM-8 +TLS-RSA-WITH-AES-256-GCM-SHA384 +TLS-RSA-WITH-ARIA-128-CBC-SHA256 +TLS-RSA-WITH-ARIA-128-GCM-SHA256 +TLS-RSA-WITH-ARIA-256-CBC-SHA384 +TLS-RSA-WITH-ARIA-256-GCM-SHA384 +TLS-RSA-WITH-CAMELLIA-128-CBC-SHA +TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 +TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 +TLS-RSA-WITH-CAMELLIA-256-CBC-SHA +TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 +TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 +TLS-RSA-WITH-NULL-MD5 +TLS-RSA-WITH-NULL-SHA +TLS-RSA-WITH-NULL-SHA256 +``` + +As a consequence of the removal of support for DHE in (D)TLS 1.2, the following functions are no longer useful and have been removed: + +``` +mbedtls_ssl_conf_dh_param_bin() +mbedtls_ssl_conf_dh_param_ctx() +mbedtls_ssl_conf_dhm_min_bitlen() +``` + +### Removal of elliptic curves + +Following their removal from the crypto library, elliptic curves of less than 250 bits (secp192r1, secp192k1, secp224r1, secp224k1) are no longer supported in certificates and in TLS. + +### Removal of deprecated functions + +The deprecated functions `mbedtls_ssl_conf_min_version()` and `mbedtls_ssl_conf_max_version()`, and the associated constants `MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_4` have been removed. Use `mbedtls_ssl_conf_min_tls_version()` and `mbedtls_ssl_conf_max_tls_version()` with `MBEDTLS_SSL_VERSION_TLS1_2` or `MBEDTLS_SSL_VERSION_TLS1_3` instead. + +The deprecated function `mbedtls_ssl_conf_sig_hashes()` has been removed. Use `mbedtls_ssl_conf_sig_algs()` instead. +## Function prototype changes + +A number of existing functions now take a different list of arguments, mostly to migrate them to the PSA API. + +### Public functions no longer take a RNG callback + +Functions that need randomness no longer take an RNG callback in the form of `f_rng, p_rng` arguments. Instead, they use the PSA Crypto random generator (accessible as `psa_generate_random()`). All software using the X.509 or SSL modules must call `psa_crypto_init()` before calling any of the functions listed here. + +### RNG removal in X.509 + +The following function prototypes have been changed in `mbedtls/x509_crt.h`: + +```c +int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng); + +int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng); +``` + +to + +```c +int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size); + +int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size); +``` + +The following function prototypes have been changed in `mbedtls/x509_csr.h`: +```c +int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng); + +int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng); +``` + +to + +```c +int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size); + +int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size); +``` + +### RNG removal in SSL + +The following function prototype has been changed in `mbedtls/ssl_cookie.h`: + +```c +int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng); +``` + +to + +```c +int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx); +``` + +### Removal of `mbedtls_ssl_conf_rng` + +`mbedtls_ssl_conf_rng()` has been removed from the library. Its sole purpose was to configure the RNG used for TLS, but now the PSA Crypto random generator is used throughout the library. + +### Changes to mbedtls_ssl_ticket_setup + +In the arguments of the function `mbedtls_ssl_ticket_setup()`, the `mbedtls_cipher_type_t` argument specifying the AEAD mechanism for ticket protection has been replaced by an equivalent PSA description consisting of a key type, a size and an algorithm. Also, the function no longer takes RNG arguments. + +The prototype in `mbedtls/ssl_ticket.h` has changed from + +```c +int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, + mbedtls_f_rng_t *f_rng, void *p_rng, + mbedtls_cipher_type_t cipher, + uint32_t lifetime); +``` + +to + +```c +int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, + psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, + uint32_t lifetime); +``` +## OID module + +The compilation option `MBEDTLS_OID_C` no longer exists. OID tables are included in the build automatically as needed for parsing and writing X.509 data. + +Mbed TLS no longer offers interfaces to look up values by OID or OID by enum values (`mbedtls_oid_get_()` and `mbedtls_oid_get_oid_by_()`). + +The header `` now only provides functions to convert between binary and dotted string OID representations. These functions are now part of `libmbedx509` rather than the crypto library. The function `mbedtls_oid_get_numeric_string()` is guarded by `MBEDTLS_X509_USE_C`, and `mbedtls_oid_from_numeric_string()` by `MBEDTLS_X509_CREATE_C`. The header also still defines macros for OID strings that are relevant to X.509. diff --git a/docs/4.0-migration-guide/configuration.md b/docs/4.0-migration-guide/configuration.md deleted file mode 100644 index 25bddf44f9..0000000000 --- a/docs/4.0-migration-guide/configuration.md +++ /dev/null @@ -1,44 +0,0 @@ -## Compile-time configuration - -### Configuration file split - -All configuration options that are relevant to TF-PSA-Crypto must now be configured in one of its configuration files, namely: - -* `TF_PSA_CRYPTO_CONFIG_FILE`, if set on the preprocessor command line; -* otherwise ``; -* additionally `TF_PSA_CRYPTO_USER_CONFIG_FILE`, if set. - -Configuration options that are relevant to X.509 or TLS should still be set in the Mbed TLS configuration file (`MBEDTLS_CONFIG_FILE` or ``, plus `MBEDTLS_USER_CONFIG_FILE` if it is set). However, you can define all options in the crypto configuration, and Mbed TLS will pick them up. - -Generally speaking, the options that must be configured in TF-PSA-Crypto are: - -* options related to platform settings; -* options related to the choice of cryptographic mechanisms included in the build; -* options related to the inner workings of cryptographic mechanisms, such as size/memory/performance compromises; -* options related to crypto-adjacent features, such as ASN.1 and Base64. - -See `include/psa/crypto_config.h` in TF-PSA-Crypto and `include/mbedtls/mbedtls_config.h` in Mbed TLS for details. - -Notably, `` is no longer limited to `PSA_WANT_xxx` options. - -Note that many options related to cryptography have changed; see the TF-PSA-Crypto migration guide for details. - -### Split of `build_info.h` and `version.h` - -The header file ``, which includes the configuration file and provides the adjusted configuration macros, now has an similar file `` in TF-PSA-Crypto. The Mbed TLS header includes the TF-PSA-Crypto header, so including `` remains sufficient to obtain information about the crypto configuration. - -TF-PSA-Crypto exposes its version through ``, similar to `` in Mbed TLS. - -### Removal of `check_config.h` - -The header `mbedtls/check_config.h` is no longer present. Including it from user configuration files was already obsolete in Mbed TLS 3.x, since it enforces properties the configuration as adjusted by `mbedtls/build_info.h`, not properties that the user configuration is expected to meet. - -### Changes to TLS options - -#### Enabling null cipher suites - -The option to enable null cipher suites in TLS 1.2 has been renamed from `MBEDTLS_CIPHER_NULL_CIPHER` to `MBEDTLS_SSL_NULL_CIPHERSUITES`. It remains disabled in the default configuration. - -#### Removal of backward compatibility options - -The option `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` has been removed. Only the version standardized in RFC 9146 is supported now. diff --git a/docs/4.0-migration-guide/deprecated-removals.md b/docs/4.0-migration-guide/deprecated-removals.md deleted file mode 100644 index e74b1adc10..0000000000 --- a/docs/4.0-migration-guide/deprecated-removals.md +++ /dev/null @@ -1,14 +0,0 @@ -## Removal of deprecated functions - -### Removal of deprecated X.509 functions - -The deprecated function `mbedtls_x509write_crt_set_serial()` has been removed. The function was superseded by `mbedtls_x509write_crt_set_serial_raw()`. - -### Removal of deprecated SSL functions - -The deprecated function `mbedtls_ssl_conf_curves()` has been removed. -The function was superseded by `mbedtls_ssl_conf_groups()`. - -### Removal of `compat-2.x.h` - -The header `compat-2.x.h`, containing some definitions for backward compatibility with Mbed TLS 2.x, has been removed. diff --git a/docs/4.0-migration-guide/error-codes.md b/docs/4.0-migration-guide/error-codes.md deleted file mode 100644 index a2744679e0..0000000000 --- a/docs/4.0-migration-guide/error-codes.md +++ /dev/null @@ -1,37 +0,0 @@ -## Error codes - -### Unified error code space - -The convention still applies that functions return 0 for success and a negative value between -32767 and -1 on error. PSA functions (`psa_xxx()` or `mbedtls_psa_xxx()`) still return a `PSA_ERROR_xxx` error codes. Non-PSA functions (`mbedtls_xxx()` excluding `mbedtls_psa_xxx()`) can return either `PSA_ERROR_xxx` or `MBEDTLS_ERR_xxx` error codes. - -There may be cases where an `MBEDTLS_ERR_xxx` constant has the same numerical value as a `PSA_ERROR_xxx`. In such cases, they have the same meaning: they are different names for the same error condition. - -### Simplified legacy error codes - -All values returned by a function to indicate an error now have a defined constant named `MBEDTLS_ERR_xxx` or `PSA_ERROR_xxx`. Functions no longer return the sum of a “low-level” and a “high-level” error code. - -Generally, functions that used to return the sum of two error codes now return the low-level code. However, as before, the exact error code returned in a given scenario can change without notice unless the condition is specifically described in the function's documentation and no other condition is applicable. - -As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_level_strerr()` no longer exist. - -### Removed error code names - -Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface. - -| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | -|-----------------------------------------|---------------------------------| -| `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` | -| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | -| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | -| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | -| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | -| `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | -| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | -| `MBEDTLS_ERR_PKCS7_VERIFY_FAIL` | `PSA_ERROR_INVALID_SIGNATURE` | -| `MBEDTLS_ERR_SSL_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | -| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | -| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | -| `MBEDTLS_ERR_X509_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | -| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | - -See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules. diff --git a/docs/4.0-migration-guide/feature-removals.md b/docs/4.0-migration-guide/feature-removals.md deleted file mode 100644 index b958f864fc..0000000000 --- a/docs/4.0-migration-guide/feature-removals.md +++ /dev/null @@ -1,152 +0,0 @@ -## Removed features - -### Removal of obsolete key exchanges methods in (D)TLS 1.2 - -Mbed TLS 4.0 no longer supports key exchange methods that rely on finite-field Diffie-Hellman (DHE) in TLS 1.2 and DTLS 1.2. (Only ephemeral Diffie-Hellman was ever supported, Mbed TLS 3.x already did not support static Diffie-Hellman.) Finite-field Diffie-Hellman remains supported in TLS 1.3. - -Mbed TLS 4.0 no longer supports key exchange methods that rely on RSA decryption (without forward secrecy). RSA signatures remain supported. This affects TLS 1.2 and DTLS 1.2 (TLS 1.3 does not have key exchanges using RSA decryption). - -That is, the following key exchange types are no longer supported: - -* RSA-PSK; -* RSA (i.e. cipher suites using only RSA decryption: cipher suites using RSA signatures remain supported); -* DHE-PSK (except in TLS 1.3); -* DHE-RSA (except in TLS 1.3). -* static ECDH (ECDH-RSA and ECDH-ECDSA, as opposed to ephemeral ECDH (ECDHE) which remains supported). - -The full list of removed cipher suites is: - -``` -TLS-DHE-PSK-WITH-AES-128-CBC-SHA -TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 -TLS-DHE-PSK-WITH-AES-128-CCM -TLS-DHE-PSK-WITH-AES-128-CCM-8 -TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 -TLS-DHE-PSK-WITH-AES-256-CBC-SHA -TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 -TLS-DHE-PSK-WITH-AES-256-CCM -TLS-DHE-PSK-WITH-AES-256-CCM-8 -TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 -TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 -TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 -TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 -TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 -TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 -TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 -TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 -TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 -TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 -TLS-DHE-PSK-WITH-NULL-SHA -TLS-DHE-PSK-WITH-NULL-SHA256 -TLS-DHE-PSK-WITH-NULL-SHA384 -TLS-DHE-RSA-WITH-AES-128-CBC-SHA -TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 -TLS-DHE-RSA-WITH-AES-128-CCM -TLS-DHE-RSA-WITH-AES-128-CCM-8 -TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 -TLS-DHE-RSA-WITH-AES-256-CBC-SHA -TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 -TLS-DHE-RSA-WITH-AES-256-CCM -TLS-DHE-RSA-WITH-AES-256-CCM-8 -TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 -TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 -TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 -TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 -TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 -TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA -TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 -TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 -TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA -TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 -TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 -TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 -TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA -TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 -TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 -TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA -TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 -TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 -TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 -TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 -TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 -TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 -TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 -TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 -TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 -TLS-ECDH-ECDSA-WITH-NULL-SHA -TLS-ECDH-RSA-WITH-AES-128-CBC-SHA -TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256 -TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256 -TLS-ECDH-RSA-WITH-AES-256-CBC-SHA -TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384 -TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 -TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256 -TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256 -TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384 -TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384 -TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256 -TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256 -TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384 -TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384 -TLS-ECDH-RSA-WITH-NULL-SHA -TLS-RSA-PSK-WITH-AES-128-CBC-SHA -TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 -TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 -TLS-RSA-PSK-WITH-AES-256-CBC-SHA -TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 -TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 -TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 -TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 -TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 -TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 -TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 -TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 -TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 -TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 -TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 -TLS-RSA-PSK-WITH-NULL-SHA -TLS-RSA-PSK-WITH-NULL-SHA256 -TLS-RSA-PSK-WITH-NULL-SHA384 -TLS-RSA-WITH-AES-128-CBC-SHA -TLS-RSA-WITH-AES-128-CBC-SHA256 -TLS-RSA-WITH-AES-128-CCM -TLS-RSA-WITH-AES-128-CCM-8 -TLS-RSA-WITH-AES-128-GCM-SHA256 -TLS-RSA-WITH-AES-256-CBC-SHA -TLS-RSA-WITH-AES-256-CBC-SHA256 -TLS-RSA-WITH-AES-256-CCM -TLS-RSA-WITH-AES-256-CCM-8 -TLS-RSA-WITH-AES-256-GCM-SHA384 -TLS-RSA-WITH-ARIA-128-CBC-SHA256 -TLS-RSA-WITH-ARIA-128-GCM-SHA256 -TLS-RSA-WITH-ARIA-256-CBC-SHA384 -TLS-RSA-WITH-ARIA-256-GCM-SHA384 -TLS-RSA-WITH-CAMELLIA-128-CBC-SHA -TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 -TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 -TLS-RSA-WITH-CAMELLIA-256-CBC-SHA -TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 -TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 -TLS-RSA-WITH-NULL-MD5 -TLS-RSA-WITH-NULL-SHA -TLS-RSA-WITH-NULL-SHA256 -``` - -As a consequence of the removal of support for DHE in (D)TLS 1.2, the following functions are no longer useful and have been removed: - -``` -mbedtls_ssl_conf_dh_param_bin() -mbedtls_ssl_conf_dh_param_ctx() -mbedtls_ssl_conf_dhm_min_bitlen() -``` - -### Removal of elliptic curves - -Following their removal from the crypto library, elliptic curves of less than 250 bits (secp192r1, secp192k1, secp224r1, secp224k1) are no longer supported in certificates and in TLS. - -### Removal of deprecated functions - -The deprecated functions `mbedtls_ssl_conf_min_version()` and `mbedtls_ssl_conf_max_version()`, and the associated constants `MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_4` have been removed. Use `mbedtls_ssl_conf_min_tls_version()` and `mbedtls_ssl_conf_max_tls_version()` with `MBEDTLS_SSL_VERSION_TLS1_2` or `MBEDTLS_SSL_VERSION_TLS1_3` instead. - -The deprecated function `mbedtls_ssl_conf_sig_hashes()` has been removed. Use `mbedtls_ssl_conf_sig_algs()` instead. diff --git a/docs/4.0-migration-guide/function-prototype-changes.md b/docs/4.0-migration-guide/function-prototype-changes.md deleted file mode 100644 index 52e37c7286..0000000000 --- a/docs/4.0-migration-guide/function-prototype-changes.md +++ /dev/null @@ -1,89 +0,0 @@ -## Function prototype changes - -A number of existing functions now take a different list of arguments, mostly to migrate them to the PSA API. - -### Public functions no longer take a RNG callback - -Functions that need randomness no longer take an RNG callback in the form of `f_rng, p_rng` arguments. Instead, they use the PSA Crypto random generator (accessible as `psa_generate_random()`). All software using the X.509 or SSL modules must call `psa_crypto_init()` before calling any of the functions listed here. - -### RNG removal in X.509 - -The following function prototypes have been changed in `mbedtls/x509_crt.h`: - -```c -int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng); - -int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng); -``` - -to - -```c -int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size); - -int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size); -``` - -The following function prototypes have been changed in `mbedtls/x509_csr.h`: -```c -int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng); - -int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng); -``` - -to - -```c -int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size); - -int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size); -``` - -### RNG removal in SSL - -The following function prototype has been changed in `mbedtls/ssl_cookie.h`: - -```c -int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng); -``` - -to - -```c -int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx); -``` - -### Removal of `mbedtls_ssl_conf_rng` - -`mbedtls_ssl_conf_rng()` has been removed from the library. Its sole purpose was to configure the RNG used for TLS, but now the PSA Crypto random generator is used throughout the library. - -### Changes to mbedtls_ssl_ticket_setup - -In the arguments of the function `mbedtls_ssl_ticket_setup()`, the `mbedtls_cipher_type_t` argument specifying the AEAD mechanism for ticket protection has been replaced by an equivalent PSA description consisting of a key type, a size and an algorithm. Also, the function no longer takes RNG arguments. - -The prototype in `mbedtls/ssl_ticket.h` has changed from - -```c -int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, - mbedtls_f_rng_t *f_rng, void *p_rng, - mbedtls_cipher_type_t cipher, - uint32_t lifetime); -``` - -to - -```c -int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, - psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, - uint32_t lifetime); -``` diff --git a/docs/4.0-migration-guide/oid.md b/docs/4.0-migration-guide/oid.md deleted file mode 100644 index 875f062155..0000000000 --- a/docs/4.0-migration-guide/oid.md +++ /dev/null @@ -1,7 +0,0 @@ -## OID module - -The compilation option `MBEDTLS_OID_C` no longer exists. OID tables are included in the build automatically as needed for parsing and writing X.509 data. - -Mbed TLS no longer offers interfaces to look up values by OID or OID by enum values (`mbedtls_oid_get_()` and `mbedtls_oid_get_oid_by_()`). - -The header `` now only provides functions to convert between binary and dotted string OID representations. These functions are now part of `libmbedx509` rather than the crypto library. The function `mbedtls_oid_get_numeric_string()` is guarded by `MBEDTLS_X509_USE_C`, and `mbedtls_oid_from_numeric_string()` by `MBEDTLS_X509_CREATE_C`. The header also still defines macros for OID strings that are relevant to X.509. diff --git a/docs/4.0-migration-guide/private-decls.md b/docs/4.0-migration-guide/private-decls.md deleted file mode 100644 index ff974746c5..0000000000 --- a/docs/4.0-migration-guide/private-decls.md +++ /dev/null @@ -1,33 +0,0 @@ -## Private declarations - -Since Mbed TLS 3.0, some things that are declared in a public header are not part of the stable application programming interface (API), but instead are considered private. Private elements may be removed or may have their semantics changed in a future minor release without notice. - -### Understanding private declarations in public headers - -In Mbed TLS 4.x, private elements in header files include: - -* Anything appearing in a header file whose path contains `/private` (unless re-exported and documented in another non-private header). -* Structure and union fields declared with `MBEDTLS_PRIVATE(field_name)` in the source code, and appearing as `private_field_name` in the rendered documentation. (This was already the case since Mbed TLS 3.0.) -* Any preprocessor macro that is not documented with a Doxygen comment. - In the source code, Doxygen comments start with `/**` or `/*!`. If a macro only has a comment above that starts with `/*`, the macro is considered private. - In the rendered documentation, private macros appear with only an automatically rendered parameter list, value and location, but no custom text. -* Any declaration that is guarded by the preprocessor macro `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS`. - -### Usage of private declarations - -Some private declarations are present in public headers for technical reasons, because they need to be visible to the compiler. Others are present for historical reasons and may be cleaned up in later versions of the library. We strongly recommend against relying on these declarations, since they may be removed or may have their semantics changed without notice. - -Note that Mbed TLS 4.0 still relies on some private interfaces of TF-PSA-Crypto 1.0. We expect to remove this reliance gradually in future minor releases. - -Sample programs have not been fully updated yet and some of them might still -use APIs that are no longer public. You can recognize them by the fact that they -define the macro `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` (or -`MBEDTLS_ALLOW_PRIVATE_ACCESS`) at the very top (before including headers). When -you see one of these two macros in a sample program, be aware it has not been -updated and parts of it do not demonstrate current practice. - -We strongly recommend against defining `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` or -`MBEDTLS_ALLOW_PRIVATE_ACCESS` in your own application. If you do so, your code -may not compile or work with future minor releases. If there's something you -want to do that you feel can only be achieved by using one of these two macros, -please reach out on github or the mailing list. diff --git a/docs/4.0-migration-guide/psa-only.md b/docs/4.0-migration-guide/psa-only.md deleted file mode 100644 index 7d7bfee193..0000000000 --- a/docs/4.0-migration-guide/psa-only.md +++ /dev/null @@ -1,23 +0,0 @@ -## PSA as the only cryptography API - -The PSA API is now the only API for cryptographic primitives. - -### Impact on application code - -The X.509, PKCS7 and SSL modules always use PSA for cryptography, with a few exceptions documented in the [PSA limitations](../architecture/psa-migration/psa-limitations.md) document. (These limitations are mostly transparent unless you want to leverage PSA accelerator drivers.) This corresponds to the behavior of Mbed TLS 3.x when `MBEDTLS_USE_PSA_CRYPTO` is enabled. In effect, `MBEDTLS_USE_PSA_CRYPTO` is now always enabled. - -`psa_crypto_init()` must be called before performing any cryptographic operation, including indirect requests such as parsing a key or certificate or starting a TLS handshake. - -A few functions take different parameters to migrate them to the PSA API. See “[Function prototype changes](#function-prototype-changes)”. - -### No random generator instantiation - -Formerly, applications using TLS, asymmetric cryptography operations involving a private key, or other features needing random numbers, needed to provide a random generator, generally by instantiating an entropy context (`mbedtls_entropy_context`) and a DRBG context (`mbedtls_ctr_drbg_context` or `mbedtls_hmac_drbg_context`). This is no longer necessary, or possible. All features that require a random generator (RNG) now use the one provided by the PSA subsystem. - -Instead, applications that use random generators or keys (even public keys) need to call `psa_crypto_init()` before any cryptographic operation or key management operation. - -See also [function prototype changes](#function-prototype-changes), many of which are related to the move from RNG callbacks to a global RNG. - -### Impact on the library configuration - -Mbed TLS follows the configuration of TF-PSA-Crypto with respect to cryptographic mechanisms. They are now based on `PSA_WANT_xxx` macros instead of legacy configuration macros such as `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15`, etc. The configuration of X.509 and TLS is not directly affected by the configuration. However, applications and middleware that rely on these configuration symbols to know which cryptographic mechanisms to support will need to migrate to `PSA_WANT_xxx` macros. For more information, consult the PSA transition guide in TF-PSA-Crypto. diff --git a/docs/4.0-migration-guide/repo-split.md b/docs/4.0-migration-guide/repo-split.md deleted file mode 100644 index 5ad741855b..0000000000 --- a/docs/4.0-migration-guide/repo-split.md +++ /dev/null @@ -1,200 +0,0 @@ -## CMake as the only build system -Mbed TLS now uses CMake exclusively to configure and drive its build process. -Support for the GNU Make and Microsoft Visual Studio project-based build systems has been removed. - -The previous `.sln` and `.vcxproj` files are no longer distributed or generated. - -See the `Compiling` section in README.md for instructions on building the Mbed TLS libraries and tests with CMake. -If you develop in Microsoft Visual Studio, you could either generate a Visual Studio solution using a CMake generator, or open the CMake project directly in Visual Studio. - -### Translating Make commands to CMake - -With the removal of GNU Make support, all build, test, and installation operations must now be performed using CMake. -This section provides a quick reference for translating common `make` commands into their CMake equivalents. - -#### Basic build workflow - -Run `cmake -S . -B build` once before building to configure the build and generate native build files (e.g., Makefiles) in the `build` directory. -This sets up an out-of-tree build, which is recommended. - -| Make command | CMake equivalent | Description | -|----------------|------------------------------------------------|--------------------------------------------------------------------| -| `make` | `cmake --build build` | Build the libraries, programs, and tests in the `build` directory. | -| `make test` | `ctest --test-dir build` | Run the tests produced by the previous build. | -| `make clean` | `cmake --build build --target clean` | Remove build artifacts produced by the previous build. | -| `make install` | `cmake --install build --prefix build/install` | Install the built libraries, headers, and tests to `build/install`. | - -#### Building specific targets - -Unless otherwise specified, the CMake command in the table below should be preceded by a `cmake -S . -B build` call to configure the build and generate build files in the `build` directory. - -| Make command | CMake equivalent | Description | -|-----------------|---------------------------------------------------------------------|---------------------------| -| `make lib` | `cmake --build build --target lib` | Build only the libraries. | -| `make tests` | `cmake -S . -B build -DENABLE_PROGRAMS=Off && cmake --build build` | Build test suites. | -| `make programs` | `cmake --build build --target programs` | Build example programs. | -| `make apidoc` | `cmake --build build --target mbedtls-apidoc` | Build documentation. | - -Target names may differ slightly; use `cmake --build build --target help` to list all available CMake targets. - -There is no CMake equivalent for `make generated_files` or `make neat`. -Generated files are automatically created in the build tree with `cmake --build build` and removed with `cmake --build build --target clean`. -If you need to build the generated files in the source tree without involving CMake, you can call `framework/scripts/make_generated_files.py`. - -There is currently no equivalent for `make uninstall` in the Mbed TLS CMake build system. - -#### Common build options - -The following table illustrates the approximate CMake equivalents of common make commands. -Most CMake examples show only the configuration step, others (like installation) correspond to different stages of the build process. - -| Make usage | CMake usage | Description | -|----------------------------|-------------------------------------------------------|----------------------| -| `make DEBUG=1` | `cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug` | Build in debug mode. | -| `make SHARED=1` | `cmake -S . -B build -DUSE_SHARED_MBEDTLS_LIBRARY=On` | Also build shared libraries. | -| `make GEN_FILES=""` | `cmake -S . -B build -DGEN_FILES=OFF` | Skip generating files (not a strict equivalent). | -| `make DESTDIR=install_dir` | `cmake --install build --prefix install_dir` | Specify installation path. | -| `make CC=clang` | `cmake -S . -B build -DCMAKE_C_COMPILER=clang` | Set the compiler. | -| `make CFLAGS='-O2 -Wall'` | `cmake -S . -B build -DCMAKE_C_FLAGS="-O2 -Wall"` | Set compiler flags. | - -## Repository split -In Mbed TLS 4.0, the project was split into two repositories: -- [Mbed TLS](https://github.com/Mbed-TLS/mbedtls): provides TLS and X.509 functionality. -- [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto): provides the standalone cryptography library, implementing the PSA Cryptography API. -Mbed TLS consumes TF-PSA-Crypto as a submodule. -You should stay with Mbed TLS if you use TLS or X.509 functionality. You still have direct access to the cryptography library. - -### File and directory relocations - -The following table summarizes the file and directory relocations resulting from the repository split between Mbed TLS and TF-PSA-Crypto. -These changes reflect the move of cryptographic, cryptographic-adjacent, and platform components from Mbed TLS into the new TF-PSA-Crypto repository. - -| Original location | New location(s) | Notes | -|-----------------------------------------|--------------------------------------------------------------------------------------|-------| -| `library/*` () | `tf-psa-crypto/core/`
`tf-psa-crypto/drivers/builtin/src/` | Contains cryptographic, cryptographic-adjacent (e.g., ASN.1, Base64), and platform C modules and headers. | -| `include/mbedtls/*` () | `tf-psa-crypto/include/mbedtls/`
`tf-psa-crypto/drivers/builtin/include/private/` | Public headers moved to `include/mbedtls`; now internal headers moved to `include/private`. | -| `include/psa` | `tf-psa-crypto/include/psa` | All PSA headers consolidated here. | -| `3rdparty/everest`
`3rdparty/p256-m` | `tf-psa-crypto/drivers/everest`
`tf-psa-crypto/drivers/p256-m` | Third-party crypto driver implementations. | - -() The `library` and `include/mbedtls` directories still exist in Mbed TLS, but now contain only TLS and X.509 components. - -### Configuration file split -Cryptography and platform configuration options have been moved from `include/mbedtls/mbedtls_config.h` to `tf-psa-crypto/include/psa/crypto_config.h`, which is now mandatory. -See [Compile-time configuration](#compile-time-configuration). - -The header `include/mbedtls/mbedtls_config.h` still exists and now contains only the TLS and X.509 configuration options. - -If you use the Python script `scripts/config.py` to adjust your configuration, you do not need to modify your scripts to specify which configuration file to edit, the script automatically updates the correct file. - -There have been significant changes in the configuration options, primarily affecting cryptography. - -#### Cryptography configuration -- See [psa-transition.md](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/docs/psa-transition.md#compile-time-configuration). -- See also the following sections in the TF-PSA-Crypto 1.0 migration guide: - - *PSA as the Only Cryptography API* and its sub-section *Impact on the Library Configuration* - - *Random Number Generation Configuration* - -#### TLS configuration -For details about TLS-related changes, see [Changes to TLS options](#changes-to-tls-options). - -### Impact on some usages of the library - -#### Checking out a branch or a tag -After checking out a branch or tag of the Mbed TLS repository, you must now recursively update the submodules, as TF-PSA-Crypto contains itself a nested submodule: -``` -git submodule update --init --recursive -``` - -#### Linking directly to a built library - -The Mbed TLS CMake build system still provides the cryptography libraries under their legacy name, `libmbedcrypto.`, so you can continue linking against them. -These libraries are still located in the `library` directory within the build tree. - -The cryptography libraries are also now provided as `libtfpsacrypto.`, consistent with the naming used in the TF-PSA-Crypto repository. - -You may need to update include paths to the public header files, see [File and Directory Relocations](#file-and-directory-relocations) for details. - -#### Using Mbed TLS as a CMake subproject - -The base name of the libraries are now `tfpsacrypto` (formely `mbedcrypto`), `mbedx509` and `mbedtls`. -As before, these base names are also the names of CMake targets to build each library. -If your CMake scripts reference a cryptography library target, you need to update its name accordingly. - -For example, the following CMake code: -``` -target_link_libraries(mytarget PRIVATE mbedcrypto) -``` -should be updated to: -``` -target_link_libraries(mytarget PRIVATE tfpsacrypto) -``` - -You can refer to the following example demonstrating how to consume Mbed TLS as a CMake subproject: -- `programs/test/cmake_subproject` - -#### Using Mbed TLS as a CMake package - -The same renaming applies to the cryptography library targets declared as part of the Mbed TLS CMake package, use `MbedTLS::tfpsacrypto` instead of `MbedTLS::mbedcrypto`. - -For example, the following CMake code: -``` -find_package(MbedTLS REQUIRED) -target_link_libraries(myapp PRIVATE MbedTLS::mbedcrypto) -``` -should be updated to: -``` -find_package(MbedTLS REQUIRED) -target_link_libraries(myapp PRIVATE MbedTLS::tfpsacrypto) -``` -You can also refer to the following example programs demonstrating how to consume Mbed TLS as a CMake package: -- `programs/test/cmake_package` -- `programs/test/cmake_package_install` - -#### Using the Mbed TLS Crypto pkg-config file - -The Mbed TLS CMake build system still provides the pkg-config file mbedcrypto.pc, so you can continue using it. -Internally, it now references the tfpsacrypto library. - -A new pkg-config file, `tfpsacrypto.pc`, is also provided. -Both `mbedcrypto.pc` and `tfpsacrypto.pc` are functionally equivalent, providing the same compiler and linker flags. - -#### Using Mbed TLS as an installed library - -The Mbed TLS CMake build system still installs the cryptography libraries under their legacy name, `libmbedcrypto.`, so you can continue linking against them. -The cryptography library is also now provided as `libtfpsacrypto.`. - -Regarding the headers, the main change is the relocation of some headers to subdirectories called `private`. -These headers are installed primarily to satisfy compiler dependencies. -Others remain for historical reasons and may be cleaned up in later versions of the library. - -We strongly recommend not relying on the declarations in these headers, as they may be removed or modified without notice. -See the section Private Declarations in the TF-PSA-Crypto 1.0 migration guide for more information. - -Finally, note the new `include/tf-psa-crypto` directory, which contains the TF-PSA-Crypto version and build-time configuration headers. - -### Audience-Specific Notes - -#### Application Developers using a distribution package -- See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: - - Linking against the cryptography library or CMake targets. - - Using the Mbed TLS Crypto pkg-config file. - - Using Mbed TLS as an installed library - -### Developer or package maintainers -If you build or distribute Mbed TLS: -- The build system is now CMake only, Makefiles and Visual Studio projects are removed. -- You may need to adapt packaging scripts to handle the TF-PSA-Crypto submodule. -- You should update submodules recursively after checkout. -- Review [File and directory relocations](#file-and-directory-relocations) for updated paths. -- See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: - - Linking against the cryptography library or CMake targets. - - Using the Mbed TLS Crypto pkg-config file (`mbedcrypto.pc` or `tfpsacrypto.pc`). - - Using Mbed TLS as an installed library -- Configuration note: cryptography and platform options are now in `crypto_config.h` (see [Configuration file split](#configuration-file-split)). - -### Platform Integrators -If you integrate Mbed TLS with a platform or hardware drivers: -- TF-PSA-Crypto is now a submodule, update integration scripts to initialize submodules recursively. -- The PSA driver wrapper is now generated in TF-PSA-Crypto. -- Platform-specific configuration are now handled in `crypto_config.h`. -- See [Repository split](#repository-split) for how platform components moved to TF-PSA-Crypto. From 2c0cb9926a979cfc6e97f33d4eca9a8259e10305 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 15:56:21 +0200 Subject: [PATCH 3/7] Add short introduction Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/4.0-migration-guide.md b/docs/4.0-migration-guide.md index 83ec90ca92..040194b478 100644 --- a/docs/4.0-migration-guide.md +++ b/docs/4.0-migration-guide.md @@ -1,3 +1,16 @@ +# Migrating from Mbed TLS 3.x to TF-PSA-Crypto 1.0 + +This guide details the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0 or greater. Unlike normal releases, Mbed TLS 3.0 breaks compatibility with previous versions, so users, integrators and package maintainers might need to change their own code in order to make it work with Mbed TLS 3.0. + +Here's the list of breaking changes; each entry should help you answer these two questions: (1) am I affected? (2) if yes, what's my migration path? + +- Mbed TLS has been split between two products: TF-PSA-Crypto for cryptography, and Mbed TLS for X.509 and (D)TLS. +- CMake is now the only supported build system. +- The cryptography API is now mostly the PSA API: most legacy cryptography APIs have been removed. This has led to adaptations in some X.509 and TLS APIs, notably because the library always uses the PSA random generator. +- Various deprecated or minor functionality has been removed. + +Please consult the [TF-PSA-Crypto migration guide](../tf-psa-crypto/docs/1.0-migration-guide.md) for all information related to the crytography part of the library. + ## CMake as the only build system Mbed TLS now uses CMake exclusively to configure and drive its build process. Support for the GNU Make and Microsoft Visual Studio project-based build systems has been removed. @@ -248,7 +261,7 @@ The PSA API is now the only API for cryptographic primitives. ### Impact on application code -The X.509, PKCS7 and SSL modules always use PSA for cryptography, with a few exceptions documented in the [PSA limitations](../architecture/psa-migration/psa-limitations.md) document. (These limitations are mostly transparent unless you want to leverage PSA accelerator drivers.) This corresponds to the behavior of Mbed TLS 3.x when `MBEDTLS_USE_PSA_CRYPTO` is enabled. In effect, `MBEDTLS_USE_PSA_CRYPTO` is now always enabled. +The X.509, PKCS7 and SSL modules always use PSA for cryptography, with a few exceptions documented in the [PSA limitations](architecture/psa-migration/psa-limitations.md) document. (These limitations are mostly transparent unless you want to leverage PSA accelerator drivers.) This corresponds to the behavior of Mbed TLS 3.x when `MBEDTLS_USE_PSA_CRYPTO` is enabled. In effect, `MBEDTLS_USE_PSA_CRYPTO` is now always enabled. `psa_crypto_init()` must be called before performing any cryptographic operation, including indirect requests such as parsing a key or certificate or starting a TLS handshake. From 66719098b872da4cb25728cd29ea11410155bbb0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 15:51:17 +0200 Subject: [PATCH 4/7] Ensure there is a blank line before headers (markdown portability) Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/4.0-migration-guide.md b/docs/4.0-migration-guide.md index 040194b478..16328ad028 100644 --- a/docs/4.0-migration-guide.md +++ b/docs/4.0-migration-guide.md @@ -211,6 +211,7 @@ If you integrate Mbed TLS with a platform or hardware drivers: - The PSA driver wrapper is now generated in TF-PSA-Crypto. - Platform-specific configuration are now handled in `crypto_config.h`. - See [Repository split](#repository-split) for how platform components moved to TF-PSA-Crypto. + ## Compile-time configuration ### Configuration file split @@ -255,6 +256,7 @@ The option to enable null cipher suites in TLS 1.2 has been renamed from `MBEDTL #### Removal of backward compatibility options The option `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` has been removed. Only the version standardized in RFC 9146 is supported now. + ## PSA as the only cryptography API The PSA API is now the only API for cryptographic primitives. @@ -278,6 +280,7 @@ See also [function prototype changes](#function-prototype-changes), many of whic ### Impact on the library configuration Mbed TLS follows the configuration of TF-PSA-Crypto with respect to cryptographic mechanisms. They are now based on `PSA_WANT_xxx` macros instead of legacy configuration macros such as `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15`, etc. The configuration of X.509 and TLS is not directly affected by the configuration. However, applications and middleware that rely on these configuration symbols to know which cryptographic mechanisms to support will need to migrate to `PSA_WANT_xxx` macros. For more information, consult the PSA transition guide in TF-PSA-Crypto. + ## Private declarations Since Mbed TLS 3.0, some things that are declared in a public header are not part of the stable application programming interface (API), but instead are considered private. Private elements may be removed or may have their semantics changed in a future minor release without notice. @@ -311,6 +314,7 @@ We strongly recommend against defining `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` or may not compile or work with future minor releases. If there's something you want to do that you feel can only be achieved by using one of these two macros, please reach out on github or the mailing list. + ## Error codes ### Unified error code space @@ -348,6 +352,7 @@ Many legacy error codes have been removed in favor of PSA error codes. Generally | `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules. + ## Removal of deprecated functions ### Removal of deprecated X.509 functions @@ -362,6 +367,7 @@ The function was superseded by `mbedtls_ssl_conf_groups()`. ### Removal of `compat-2.x.h` The header `compat-2.x.h`, containing some definitions for backward compatibility with Mbed TLS 2.x, has been removed. + ## Removed features ### Removal of obsolete key exchanges methods in (D)TLS 1.2 @@ -514,6 +520,7 @@ Following their removal from the crypto library, elliptic curves of less than 25 The deprecated functions `mbedtls_ssl_conf_min_version()` and `mbedtls_ssl_conf_max_version()`, and the associated constants `MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_4` have been removed. Use `mbedtls_ssl_conf_min_tls_version()` and `mbedtls_ssl_conf_max_tls_version()` with `MBEDTLS_SSL_VERSION_TLS1_2` or `MBEDTLS_SSL_VERSION_TLS1_3` instead. The deprecated function `mbedtls_ssl_conf_sig_hashes()` has been removed. Use `mbedtls_ssl_conf_sig_algs()` instead. + ## Function prototype changes A number of existing functions now take a different list of arguments, mostly to migrate them to the PSA API. @@ -603,6 +610,7 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, uint32_t lifetime); ``` + ## OID module The compilation option `MBEDTLS_OID_C` no longer exists. OID tables are included in the build automatically as needed for parsing and writing X.509 data. From d83c476f3b9d38890b86b2d3daee1fcf54e851a8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 16:36:42 +0200 Subject: [PATCH 5/7] Fix copypasta Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/4.0-migration-guide.md b/docs/4.0-migration-guide.md index 16328ad028..fa7732b8c6 100644 --- a/docs/4.0-migration-guide.md +++ b/docs/4.0-migration-guide.md @@ -1,6 +1,6 @@ # Migrating from Mbed TLS 3.x to TF-PSA-Crypto 1.0 -This guide details the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0 or greater. Unlike normal releases, Mbed TLS 3.0 breaks compatibility with previous versions, so users, integrators and package maintainers might need to change their own code in order to make it work with Mbed TLS 3.0. +This guide details the steps required to migrate from Mbed TLS version 3.x to Mbed TLS version 4.0 or greater. Unlike normal releases, Mbed TLS 4.0 breaks compatibility with previous versions, so users, integrators and package maintainers might need to change their own code in order to make it work with Mbed TLS 4.0. Here's the list of breaking changes; each entry should help you answer these two questions: (1) am I affected? (2) if yes, what's my migration path? From 75a36bd9cdffc4778d2ef70c3ee44cd4aca973a3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 17:45:33 +0200 Subject: [PATCH 6/7] Fix copypasta in title Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/4.0-migration-guide.md b/docs/4.0-migration-guide.md index fa7732b8c6..ec4b8c9b8c 100644 --- a/docs/4.0-migration-guide.md +++ b/docs/4.0-migration-guide.md @@ -1,4 +1,4 @@ -# Migrating from Mbed TLS 3.x to TF-PSA-Crypto 1.0 +# Migrating from Mbed TLS 3.x to Mbed TLS 4.0 This guide details the steps required to migrate from Mbed TLS version 3.x to Mbed TLS version 4.0 or greater. Unlike normal releases, Mbed TLS 4.0 breaks compatibility with previous versions, so users, integrators and package maintainers might need to change their own code in order to make it work with Mbed TLS 4.0. From fa4e9461bd43866939f627ca6c4451df42575020 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Oct 2025 17:54:00 +0200 Subject: [PATCH 7/7] Add sentence that was in 3.0 and is in TF-PSA-Crypto 1.0 Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/4.0-migration-guide.md b/docs/4.0-migration-guide.md index ec4b8c9b8c..9b4768a3a1 100644 --- a/docs/4.0-migration-guide.md +++ b/docs/4.0-migration-guide.md @@ -4,6 +4,8 @@ This guide details the steps required to migrate from Mbed TLS version 3.x to Mb Here's the list of breaking changes; each entry should help you answer these two questions: (1) am I affected? (2) if yes, what's my migration path? +The changes are detailed below. Here is a summary of the main points: + - Mbed TLS has been split between two products: TF-PSA-Crypto for cryptography, and Mbed TLS for X.509 and (D)TLS. - CMake is now the only supported build system. - The cryptography API is now mostly the PSA API: most legacy cryptography APIs have been removed. This has led to adaptations in some X.509 and TLS APIs, notably because the library always uses the PSA random generator.