diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 6ec2dcaa1b..4a78e47e7e 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -12,9 +12,8 @@ Compile-time: enabling `MBEDTLS_USE_PSA_CRYPTO` requires `MBEDTLS_ECP_RESTARTABLE` and `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` to be disabled.
-Effect: `MBEDTLS_USE_PSA_CRYPTO` currently has no effect on TLS 1.3 (which is
-itself experimental and only partially supported so far): TLS 1.3 always uses
-the legacy APIs even when this option is set.
+Effect: `MBEDTLS_USE_PSA_CRYPTO` has no effect on TLS 1.3 for which PSA
+cryptography is mandatory.
 Stability: any API that's only available when `MBEDTLS_USE_PSA_CRYPTO` is defined is considered experimental and may change in incompatible ways at any
@@ -157,11 +156,6 @@ Parts that are not covered yet This is only a high-level overview, grouped by theme
-TLS: 1.3 experimental support
------------------------------
-
-No part of the experimental support for TLS 1.3 is covered at the moment.
-
 TLS: key exchanges / asymmetric crypto
 --------------------------------------
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 84afcf010f..ded871fbc0 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -598,8 +598,10 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
- !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
+ ( ( !defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_SHA256_C) && \
+ !defined(MBEDTLS_SHA512_C) ) \
+ || ( !defined(MBEDTLS_PSA_CRYPTO_C) ) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
 #endif
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index eb67a71550..08d3e65654 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
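Review bot: The hash part of the rewritten `#if` still only fires when HKDF, SHA-256 and SHA-512 are all absent, so a build with `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL` and `MBEDTLS_SHA256_C` but no `MBEDTLS_HKDF_C` passes this check; if hkdf.c is still a prerequisite of the TLS 1.3 code, the grouping should be `!defined(MBEDTLS_HKDF_C) || ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )`. The new `MBEDTLS_PSA_CRYPTO_C` requirement also shares the generic "not all prerequisites" `#error`, so a user who built TLS 1.3 without PSA gets no hint which option is missing; a separate `#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && !defined(MBEDTLS_PSA_CRYPTO_C)` with `#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but MBEDTLS_PSA_CRYPTO_C is required"` would be clearer. Since TLS 1.3 now depends unconditionally on PSA, the docs change in this commit should also say that applications must call `psa_crypto_init()` before any TLS 1.3 handshake, though the call sites are not visible from this hunk.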
@@ -1531,6 +1531,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
 scripts/config.py set MBEDTLS_ECP_RESTARTABLE # not using PSA, so enable restartable ECC
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
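Review bot: The added `unset MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL` carries no explanation, while the neighbouring `set MBEDTLS_ECP_RESTARTABLE` line documents why it is needed; suggest `scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL # TLS 1.3 now requires MBEDTLS_PSA_CRYPTO_C`. Any other all.sh component that starts from the full config and unsets `MBEDTLS_PSA_CRYPTO_C` will now trip the new check_config.h guard unless it gets the same line; only this component is visible here, so that needs checking across the script. The body of component_test_no_use_psa_crypto_full_cmake_asan starts and ends outside the hunk.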