Update Mbed TLS and Mbed Crypto to latest as of 2019-12-20 #12150
@Patater, thank you for your changes.
CI Started
Test run: FAILED
Summary: 3 of 4 test jobs failed
Failed test jobs:
Update Mbed OS's PSA Crypto service to work with Mbed Crypto 3.x.
- psa_asymmetric_verify() is now called psa_verify_hash().
- psa_asymmetric_sign() is now called psa_sign_hash().
Compatibility wrappers are provided via crypto_compat.h for source-level backwards compatibility.
37d6ae7 to 689274b
CI Started
Test run: FAILED
Summary: 2 of 11 test jobs failed
Failed test jobs:
It's a major change of crypto and I think some APIs moved, do we need a release note?
@Patater That is mandatory for a major change. All sections of the template header should be filled in please.
Hey @gilles-peskine-arm have a look here #11687 you guys in TLS tend to write the best release notes :)
As requested previously, please add release notes for this update.
CI restarted
Test run: FAILED
Summary: 1 of 11 test jobs failed
Failed test jobs:
mbed-os-ci_cloud-client restarted
@Patater It was at least 2x restarted. The failures are most probably valid and related to these changes. Please verify
I found a bug in Client's PAL that will need to be fixed before we can merge this. I raised a PR to fix the issue in Client.
The fix to Client will be released with version 4.3.0 of Client.
It was released this week, shall we progress with this PR now?
Yes, please. Could we kick off CI and see if, now that CI will be testing with 4.3.0, anything will break? Thanks!
CI started
Test run: SUCCESS
Summary: 11 of 11 test jobs passed
Summary of changes
Upgrade to Mbed TLS 2.20.0d1 and Mbed Crypto 3.0.0d0.
Migration actions required
None
Documentation
None
Pull request type
Test results
Release Notes
What behavior changes are being made?
For security and NIST SP 800-90A compliance reasons, CTR DRBG now grabs a nonce from the entropy source if needed to provide the maximum security strength. A previously unused-before-seeding member of the CTR DRBG context, `mbedtls_ctr_drbg_context::reseed_counter`, is used to hold the number of bytes the user has requested to include from the nonce via `mbedtls_ctr_drbg_set_nonce_len()`, or `-1` to indicate that the entropy nonce length was not set explicitly. This means applications that were depending on a `reseed_counter` value of `0` to mean "not yet seeded" will need to instead handle errors from calls to `mbedtls_ctr_drbg_seed()`.
What is being deprecated?
A few PSA Crypto asymmetric cryptography functions and macros, key usage definitions, and error code definitions have been renamed to better reflect their operation and to improve readability.
Why is this being deprecated?
The PSA Crypto API continues to develop as it heads towards its 1.0 release. Mbed Crypto 3.0.0d0 implements more of PSA Crypto 1.0b3 than was implemented in Mbed Crypto 2.x, and this brings along some API deprecations.
Mbed Crypto includes backwards compatibility macros (by way of `psa/crypto_compat.h`) to provide source-level backwards compatibility, although it's recommended to stop using the deprecated APIs as soon as you are able to.
Migration
To avoid using deprecated APIs, users of PSA Crypto should update to the new version of API.
| Deprecated name | New name |
| --- | --- |
| `psa_asymmetric_sign()` | `psa_sign_hash()` |
| `psa_asymmetric_verify()` | `psa_verify_hash()` |
| `PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE()` | `PSA_SIGNATURE_MAX_SIZE()` |
| `PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE()` | `PSA_SIGN_OUTPUT_SIZE()` |
| `PSA_KEY_USAGE_SIGN` | `PSA_KEY_USAGE_SIGN_HASH` |
| `PSA_KEY_USAGE_VERIFY` | `PSA_KEY_USAGE_VERIFY_HASH` |
| `PSA_ERROR_UNKNOWN_ERROR` | `PSA_ERROR_GENERIC_ERROR` |
| `PSA_ERROR_OCCUPIED_SLOT` | `PSA_ERROR_ALREADY_EXISTS` |
| `PSA_ERROR_EMPTY_SLOT` | `PSA_ERROR_DOES_NOT_EXIST` |
| `PSA_ERROR_INSUFFICIENT_CAPACITY` | `PSA_ERROR_INSUFFICIENT_DATA` |
| `PSA_ERROR_TAMPERING_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` |
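
The renames and the `reseed_counter` behaviour change described in the release notes above can be checked for in application code with a small scanner. This is an added example, not code from this pull request or from Mbed OS, Mbed TLS or Mbed Crypto; `scan()`, `SAMPLE` and the `reseed_counter` member-access heuristic are assumptions made for illustration.

```python
import re

# Deprecated -> replacement names, copied from the migration list above.
RENAMES = {
    "psa_asymmetric_sign": "psa_sign_hash",
    "psa_asymmetric_verify": "psa_verify_hash",
    "PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE": "PSA_SIGNATURE_MAX_SIZE",
    "PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE": "PSA_SIGN_OUTPUT_SIZE",
    "PSA_KEY_USAGE_SIGN": "PSA_KEY_USAGE_SIGN_HASH",
    "PSA_KEY_USAGE_VERIFY": "PSA_KEY_USAGE_VERIFY_HASH",
    "PSA_ERROR_UNKNOWN_ERROR": "PSA_ERROR_GENERIC_ERROR",
    "PSA_ERROR_OCCUPIED_SLOT": "PSA_ERROR_ALREADY_EXISTS",
    "PSA_ERROR_EMPTY_SLOT": "PSA_ERROR_DOES_NOT_EXIST",
    "PSA_ERROR_INSUFFICIENT_CAPACITY": "PSA_ERROR_INSUFFICIENT_DATA",
    "PSA_ERROR_TAMPERING_DETECTED": "PSA_ERROR_CORRUPTION_DETECTED",
}
# Whole-identifier matching keeps PSA_KEY_USAGE_SIGN from being reported
# inside the already-migrated PSA_KEY_USAGE_SIGN_HASH.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Heuristic (assumption): any direct member access to reseed_counter may be
# the old "0 means not yet seeded" check and needs manual review.
RESEED = re.compile(r"(?:\.|->)\s*reseed_counter\b")
# Comments and string literals are blanked so they cannot cause findings.
SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)

def scan(source):
    """Return sorted (line, name, advice) findings for one C source text."""
    # Replace skipped spans with spaces but keep newlines, so offsets and
    # line numbers still refer to the original text.
    code = SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    hits = [(m.start(), m.group(0), "rename to " + RENAMES[m.group(0)])
            for m in IDENT.finditer(code) if m.group(0) in RENAMES]
    hits += [(m.start(), "reseed_counter",
              "check the mbedtls_ctr_drbg_seed() return value instead")
             for m in RESEED.finditer(code)]
    return sorted((code.count("\n", 0, pos) + 1, name, advice)
                  for pos, name, advice in hits)

# Constructed sample input (not taken from any real code base).
SAMPLE = '''\
/* psa_asymmetric_sign() was renamed; this comment must not be reported */
if (ctx.reseed_counter == 0) { seed_now(); }
usage = PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY_HASH;
status = psa_asymmetric_verify(key, alg, hash, hlen, sig, slen);
if (status == PSA_ERROR_TAMPERING_DETECTED) { halt(); }
'''

if __name__ == "__main__":
    for line, name, advice in scan(SAMPLE):
        print(f"line {line}: {name}: {advice}")
```

Because `psa/crypto_compat.h` keeps the old names compiling, a scan like this finds call sites that the compiler will not reject.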