From 8793d9cee88211357b5160d0df8c13a265867773 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 6 Jun 2024 17:54:45 +0200 Subject: [PATCH 01/32] Configuration file split proposal Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 469 ++++++++++++++++++++++++++++++++++ 1 file changed, 469 insertions(+) create mode 100644 docs/proposed/config-split.md diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md new file mode 100644 index 0000000000..57ffd5a486 --- /dev/null +++ b/docs/proposed/config-split.md @@ -0,0 +1,469 @@ +Mbed TLS and TF-PSA-Crypto configuration +======================================== + +## Objectives + +The objective of the repository split is to reach the point where in Mbed TLS +all the cryptography code and its tests are located in a tf-psa-crypto +directory that just contains the TF-PSA-Crypto repository as a submodule. +The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones. +Mbed TLS relies solely on the TF-PSA-Crypto build system to build its +cryptography library and its tests. + +The TF-PSA-Crypto configuration file tf_psa_crypto_config.h configures +entirely the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto. +Mbed TLS is configured with two files: mbedtls_config.h for TLS and x509 +and tf_psa_crypto_config.h. + +The platform abstraction layer and its configuration are the same in Mbed TLS +and TF-PSA-Crypto as: +* we want an user of Mbed TLS to set up only one plaform +abstraction layer for both the TLS/x509 part of Mbed TLS and its cryptography +part (TF-PSA-Crypto). +* we want to avoid an interface adaptation. + +## Requirements on tf_psa_crypto_config.h +* it configures the PSA APIs, their implementations, the implementation of the + builtin drivers and the platform abstraction layer. +* it does not contain the legacy cryptography configuration options that are + superseded by the PSA cryptography configuration scheme (PSA_WANT_ and + MBEDTLS_PSA_ACCEL_ macros), for example MBEDTLS_CCM_C or + MBEDTLS_CHACHAPOLY_ALT. +* apart from the legacy cryptography configuration options mentioned in the + previous point and the cryptography configuration options that are planned + to be removed for 4.0, tf_psa_crypto_config.h inherites from all the + cryptography configuration options of mbedtls_config.h. +* apart from the PSA cryptography API configuration options that are prefixed + by PSA_WANT_, the tf_psa_crypto_config.h configuration options are prefixed + by TF_PSA_CRYPTO_. + +## Comments about objectives and requirements + +Given the objectives and requirements on tf_psa_crypto_config.h above, the +Mbed TLS configuration with mbedtls_config.h and tf_psa_crypto_config.h can be +seen as an extension of the so called PSA cryptographic configuration scheme +based on mbedtls_config.h and crypto_config.h. The configuration file +crypto_config.h is extended to become the TF-PSA-Crypto configuration file, +mbedtls_config.h mainly becomes the configuration file for the TLS and x509 +libraries. + +Regarding the platform abstraction layer configuration options, we do not +want to use the TF-PSA-Crypto ones in TLS and x509 code thus each of them has +an equivalent one in mbedtls_config.h prefixed by MBEDTLS_ instead of +TF_PSA_CRYPTO_ that just expand to the TF_PSA_CRYPTO_ one: +#define MBEDTLS_xyz TF_PSA_CRYPTO_xyz. + +## Sections in tf_psa_crypto_config.h + +The tf_psa_crypto_config.h configuration file is organized into seven sections. + +The pre-split mbedtls_config.h configuration files contains configuration +options that apply to the whole code base (TLS, x509, crypto and tests) mostly +related to the platform abstraction layer and testing. In tf_psa_crypto_config.h +these configurations options are organized into two sections, one for the +platform abstraction layer options and one for the others, respectively named +"Platform abstraction layer configuration options" and +"General and test configuration options". + +Then, the "PSA cryptography API configuration options" section is the +equivalent of the pre-split crypto_config.h configuration file containing the +PSA_WANT_ prefixed macros. + +Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located +in a single directory but split between the PSA core (core directory) and the +PSA builtin drivers (drivers/builtin/src directory). This is reflected in +tf_psa_crypto_config.h with two sections named "PSA core configuration options" +and "Builtin drivers configuration options". + +The two last sections contain the configuration options for the cryptography +mechanisms that are not yet part of the PSA cryptography API (like LMS) and +for cryptography utilities (like base64 or ASN1 APIs) that facilitate the usage +of the PSA cryptography API in other cryptography projects. They are +named respectively "Beyond the current PSA cryptography API configuration +options" and "Cryptography utilities configuration options". + +By contrast to mbedtls_config.h, tf_psa_crypto_config.h does not contain a +section like the "Module configuration options" one containing non boolean +configuration options. The configuration options that are not boolean are +located in the same section as the boolean option they are associated to. + +Open question: do we group them into a subsection? + +## Repartition of the configuration options + +Starting from mbedtls_config.h as in c085cc767d, we remove the following +configuration options as duplicates of PSA_WANT_ and MBEDTLS_PSA_ACCEL_ +options or obsolete options: +//#define MBEDTLS_AES_ALT +//#define MBEDTLS_ARIA_ALT +//#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_CCM_ALT +//#define MBEDTLS_CHACHA20_ALT +//#define MBEDTLS_CHACHAPOLY_ALT +//#define MBEDTLS_CMAC_ALT +//#define MBEDTLS_DES_ALT +//#define MBEDTLS_DHM_ALT +//#define MBEDTLS_ECJPAKE_ALT +//#define MBEDTLS_GCM_ALT +//#define MBEDTLS_NIST_KW_ALT +//#define MBEDTLS_MD5_ALT +//#define MBEDTLS_POLY1305_ALT +//#define MBEDTLS_RIPEMD160_ALT +//#define MBEDTLS_RSA_ALT +//#define MBEDTLS_SHA1_ALT +//#define MBEDTLS_SHA256_ALT +//#define MBEDTLS_SHA512_ALT +//#define MBEDTLS_ECP_ALT +//#define MBEDTLS_MD5_PROCESS_ALT +//#define MBEDTLS_RIPEMD160_PROCESS_ALT +//#define MBEDTLS_SHA1_PROCESS_ALT +//#define MBEDTLS_SHA256_PROCESS_ALT +//#define MBEDTLS_SHA512_PROCESS_ALT +//#define MBEDTLS_DES_SETKEY_ALT +//#define MBEDTLS_DES_CRYPT_ECB_ALT +//#define MBEDTLS_DES3_CRYPT_ECB_ALT +//#define MBEDTLS_AES_SETKEY_ENC_ALT +//#define MBEDTLS_AES_SETKEY_DEC_ALT +//#define MBEDTLS_AES_ENCRYPT_ALT +//#define MBEDTLS_AES_DECRYPT_ALT +//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT +//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT +//#define MBEDTLS_ECDSA_VERIFY_ALT +//#define MBEDTLS_ECDSA_SIGN_ALT +//#define MBEDTLS_ECDSA_GENKEY_ALT +//#define MBEDTLS_ECP_INTERNAL_ALT +//#define MBEDTLS_ECP_NO_FALLBACK +//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT +//#define MBEDTLS_ECP_ADD_MIXED_ALT +//#define MBEDTLS_ECP_DOUBLE_JAC_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT +//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT +//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT +//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT +#define MBEDTLS_CIPHER_MODE_CBC +#define MBEDTLS_CIPHER_MODE_CFB +#define MBEDTLS_CIPHER_MODE_CTR +#define MBEDTLS_CIPHER_MODE_OFB +#define MBEDTLS_CIPHER_MODE_XTS +#define MBEDTLS_CIPHER_PADDING_PKCS7 +#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +#define MBEDTLS_CIPHER_PADDING_ZEROS +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_BP256R1_ENABLED +#define MBEDTLS_ECP_DP_BP384R1_ENABLED +#define MBEDTLS_ECP_DP_BP512R1_ENABLED +#define MBEDTLS_ECP_DP_CURVE25519_ENABLED +#define MBEDTLS_ECP_DP_CURVE448_ENABLED +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_GENPRIME +#define MBEDTLS_PKCS1_V15 +#define MBEDTLS_PKCS1_V21 +//#define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_AES_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CAMELLIA_C +#define MBEDTLS_ARIA_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CHACHA20_C +#define MBEDTLS_CHACHAPOLY_C +#define MBEDTLS_CMAC_C +#define MBEDTLS_DES_C +#define MBEDTLS_DHM_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECJPAKE_C +#define MBEDTLS_ECP_C +#define MBEDTLS_GCM_C +#define MBEDTLS_HKDF_C +#define MBEDTLS_MD5_C +#define MBEDTLS_PADLOCK_C +#define MBEDTLS_POLY1305_C +//#define MBEDTLS_PSA_CRYPTO_SE_C +#define MBEDTLS_RIPEMD160_C +#define MBEDTLS_RSA_C +#define MBEDTLS_SHA1_C +#define MBEDTLS_SHA224_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA384_C +#define MBEDTLS_SHA512_C +#define MBEDTLS_SHA3_C + +### In tf_psa_crypto_config.h, we have: +* SECTION "Platform abstraction layer configuration options" +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_HAVE_TIME_DATE +//#define MBEDTLS_PLATFORM_MEMORY +//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +//#define MBEDTLS_PLATFORM_SETBUF_ALT +//#define MBEDTLS_PLATFORM_EXIT_ALT +//#define MBEDTLS_PLATFORM_TIME_ALT +//#define MBEDTLS_PLATFORM_FPRINTF_ALT +//#define MBEDTLS_PLATFORM_PRINTF_ALT +//#define MBEDTLS_PLATFORM_SNPRINTF_ALT +//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT +//#define MBEDTLS_PLATFORM_NV_SEED_ALT +//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT +//#define MBEDTLS_PLATFORM_MS_TIME_ALT +//#define MBEDTLS_PLATFORM_GMTIME_R_ALT +//#define MBEDTLS_PLATFORM_ZEROIZE_ALT +#define MBEDTLS_FS_IO +//#define MBEDTLS_MEMORY_DEBUG +//#define MBEDTLS_MEMORY_BACKTRACE +//#define MBEDTLS_THREADING_ALT ??? +//#define MBEDTLS_THREADING_PTHREAD +#define MBEDTLS_PLATFORM_C +//#define MBEDTLS_THREADING_C +#define MBEDTLS_TIMING_C +//#define MBEDTLS_TIMING_ALT ??? +//#define MBEDTLS_PLATFORM_STD_MEM_HDR +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc +//#define MBEDTLS_PLATFORM_STD_FREE free +//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf +//#define MBEDTLS_PLATFORM_STD_EXIT exit +//#define MBEDTLS_PLATFORM_STD_TIME time +//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf +//#define MBEDTLS_PLATFORM_STD_PRINTF printf +//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf +//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 +//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 +//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read +//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write +//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" +//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc +//#define MBEDTLS_PLATFORM_FREE_MACRO free +//#define MBEDTLS_PLATFORM_EXIT_MACRO exit +//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf +//#define MBEDTLS_PLATFORM_TIME_MACRO time +//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t +//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf +//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf +//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf +//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read +//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write +//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t +//#define MBEDTLS_PRINTF_MS_TIME PRId64 +//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 +//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) +//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) + +* SECTION "General and test configuration options" +//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" +//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" +//#define MBEDTLS_DEPRECATED_WARNING +//#define MBEDTLS_DEPRECATED_REMOVED +//#define MBEDTLS_CHECK_RETURN_WARNING +//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND +//#define MBEDTLS_TEST_HOOKS +#define MBEDTLS_VERSION_C +#define MBEDTLS_VERSION_FEATURES + + +* SECTION "PSA cryptography API configuration options" +include/psa/crypto_config.h + + +* SECTION "PSA core configuration options" +//#define MBEDTLS_ENTROPY_HARDWARE_ALT +//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +//#define MBEDTLS_NO_PLATFORM_ENTROPY +//#define MBEDTLS_ENTROPY_FORCE_SHA256 +//#define MBEDTLS_ENTROPY_NV_SEED ??? +//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER +//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS +#define MBEDTLS_PSA_CRYPTO_C +//#define MBEDTLS_PSA_CRYPTO_CLIENT +//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +//#define MBEDTLS_PSA_CRYPTO_SPM +//#define MBEDTLS_PSA_INJECT_ENTROPY +//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_PSA_CRYPTO_STORAGE_C +#define MBEDTLS_PSA_ITS_FILE_C +//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" +//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" +//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 +//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 +//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 +//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 +//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 +//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 +//#define MBEDTLS_ENTROPY_MAX_GATHER 128 +//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 + +* SECTION "Builtin drivers configuration options" +#define MBEDTLS_HAVE_ASM +//#define MBEDTLS_NO_UDBL_DIVISION +//#define MBEDTLS_NO_64BIT_MULTIPLICATION +//#define MBEDTLS_HAVE_SSE2 +#define MBEDTLS_AESNI_C +#define MBEDTLS_AESCE_C +//#define MBEDTLS_AES_ROM_TABLES +//#define MBEDTLS_AES_FEWER_TABLES +//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +//#define MBEDTLS_AES_USE_HARDWARE_ONLY +//#define MBEDTLS_CAMELLIA_SMALL_MEMORY +//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM +//#define MBEDTLS_ECP_RESTARTABLE ??? +//#define MBEDTLS_ECP_WITH_MPI_UINT +//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED +//#define MBEDTLS_SHA256_SMALLER +//#define MBEDTLS_SHA512_SMALLER +//#define MBEDTLS_RSA_NO_CRT +#define MBEDTLS_SELF_TEST +//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +//#define MBEDTLS_GCM_LARGE_TABLE +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_MPI_WINDOW_SIZE 2 +//#define MBEDTLS_MPI_MAX_SIZE 1024 +//#define MBEDTLS_ECP_WINDOW_SIZE 4 +//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 +//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 + + +* SECTION "Beyond the current PSA cryptography API configuration options." +#define MBEDTLS_CIPHER_C +#define MBEDTLS_LMS_C +//#define MBEDTLS_LMS_PRIVATE +#define MBEDTLS_MD_C +#define MBEDTLS_NIST_KW_C +#define MBEDTLS_PK_PARSE_EC_EXTENDED +#define MBEDTLS_PK_PARSE_EC_COMPRESSED +#define MBEDTLS_PK_RSA_ALT_SUPPORT +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PKCS5_C +#define MBEDTLS_PKCS12_C + + +* SECTION "Cryptography utilities configuration options" +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PEM_WRITE_C + + +### In mbedtls_config.h, we have: +* SECTION "System support" +Empty + + +* SECTION "Mbed TLS feature support" +//#define MBEDTLS_CIPHER_NULL_CIPHER +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#define MBEDTLS_ERROR_STRERROR_DUMMY +#define MBEDTLS_SSL_ALL_ALERT_MESSAGES +#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +//#define MBEDTLS_SSL_ASYNC_PRIVATE +#define MBEDTLS_SSL_CONTEXT_SERIALIZATION +//#define MBEDTLS_SSL_DEBUG_ALL +#define MBEDTLS_SSL_ENCRYPT_THEN_MAC +#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +#define MBEDTLS_SSL_RENEGOTIATION +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_TLS1_3 +#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +//#define MBEDTLS_SSL_EARLY_DATA +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_ALPN +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +//#define MBEDTLS_SSL_DTLS_SRTP +#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#define MBEDTLS_SSL_SESSION_TICKETS +#define MBEDTLS_SSL_SERVER_NAME_INDICATION +//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +//#define MBEDTLS_USE_PSA_CRYPTO +//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +//#define MBEDTLS_X509_REMOVE_INFO +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT + + +* SECTION "Mbed TLS modules" +#define MBEDTLS_DEBUG_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_NET_C +#define MBEDTLS_PKCS7_C +#define MBEDTLS_SSL_CACHE_C +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_TICKET_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_SRV_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRL_PARSE_C +#define MBEDTLS_X509_CSR_PARSE_C +#define MBEDTLS_X509_CREATE_C +#define MBEDTLS_X509_CRT_WRITE_C +#define MBEDTLS_X509_CSR_WRITE_C + + +* SECTION "General configuration options" +//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" +//#define MBEDTLS_USER_CONFIG_FILE "/dev/null" + + +* SECTION "Module configuration options" +//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 +//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 +//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 +//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 +//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 +//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 +//#define MBEDTLS_PSK_MAX_LEN 32 +//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 +//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 +//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 +//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 +//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 +//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 From a3f3fca492662eb6754ef70a61775a47a3edaee5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 12:09:18 +0200 Subject: [PATCH 02/32] Remove trailing spaces Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 706 +++++++++++++++++----------------- 1 file changed, 353 insertions(+), 353 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 57ffd5a486..93660f6d24 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -93,377 +93,377 @@ Open question: do we group them into a subsection? Starting from mbedtls_config.h as in c085cc767d, we remove the following configuration options as duplicates of PSA_WANT_ and MBEDTLS_PSA_ACCEL_ -options or obsolete options: -//#define MBEDTLS_AES_ALT -//#define MBEDTLS_ARIA_ALT -//#define MBEDTLS_CAMELLIA_ALT -//#define MBEDTLS_CCM_ALT -//#define MBEDTLS_CHACHA20_ALT -//#define MBEDTLS_CHACHAPOLY_ALT -//#define MBEDTLS_CMAC_ALT -//#define MBEDTLS_DES_ALT -//#define MBEDTLS_DHM_ALT -//#define MBEDTLS_ECJPAKE_ALT -//#define MBEDTLS_GCM_ALT -//#define MBEDTLS_NIST_KW_ALT -//#define MBEDTLS_MD5_ALT -//#define MBEDTLS_POLY1305_ALT -//#define MBEDTLS_RIPEMD160_ALT -//#define MBEDTLS_RSA_ALT -//#define MBEDTLS_SHA1_ALT -//#define MBEDTLS_SHA256_ALT -//#define MBEDTLS_SHA512_ALT -//#define MBEDTLS_ECP_ALT -//#define MBEDTLS_MD5_PROCESS_ALT -//#define MBEDTLS_RIPEMD160_PROCESS_ALT -//#define MBEDTLS_SHA1_PROCESS_ALT -//#define MBEDTLS_SHA256_PROCESS_ALT -//#define MBEDTLS_SHA512_PROCESS_ALT -//#define MBEDTLS_DES_SETKEY_ALT -//#define MBEDTLS_DES_CRYPT_ECB_ALT -//#define MBEDTLS_DES3_CRYPT_ECB_ALT -//#define MBEDTLS_AES_SETKEY_ENC_ALT -//#define MBEDTLS_AES_SETKEY_DEC_ALT -//#define MBEDTLS_AES_ENCRYPT_ALT -//#define MBEDTLS_AES_DECRYPT_ALT -//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT -//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT -//#define MBEDTLS_ECDSA_VERIFY_ALT -//#define MBEDTLS_ECDSA_SIGN_ALT -//#define MBEDTLS_ECDSA_GENKEY_ALT -//#define MBEDTLS_ECP_INTERNAL_ALT -//#define MBEDTLS_ECP_NO_FALLBACK -//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT -//#define MBEDTLS_ECP_ADD_MIXED_ALT -//#define MBEDTLS_ECP_DOUBLE_JAC_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT -//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT -//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT -//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT -#define MBEDTLS_CIPHER_MODE_CBC -#define MBEDTLS_CIPHER_MODE_CFB -#define MBEDTLS_CIPHER_MODE_CTR -#define MBEDTLS_CIPHER_MODE_OFB -#define MBEDTLS_CIPHER_MODE_XTS -#define MBEDTLS_CIPHER_PADDING_PKCS7 -#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS -#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN -#define MBEDTLS_CIPHER_PADDING_ZEROS -#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_DP_SECP384R1_ENABLED -#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -#define MBEDTLS_ECP_DP_SECP256K1_ENABLED -#define MBEDTLS_ECP_DP_BP256R1_ENABLED -#define MBEDTLS_ECP_DP_BP384R1_ENABLED -#define MBEDTLS_ECP_DP_BP512R1_ENABLED -#define MBEDTLS_ECP_DP_CURVE25519_ENABLED -#define MBEDTLS_ECP_DP_CURVE448_ENABLED -#define MBEDTLS_ECDSA_DETERMINISTIC -#define MBEDTLS_GENPRIME -#define MBEDTLS_PKCS1_V15 -#define MBEDTLS_PKCS1_V21 -//#define MBEDTLS_PSA_CRYPTO_CONFIG -#define MBEDTLS_AES_C -#define MBEDTLS_BIGNUM_C -#define MBEDTLS_CAMELLIA_C -#define MBEDTLS_ARIA_C -#define MBEDTLS_CCM_C -#define MBEDTLS_CHACHA20_C -#define MBEDTLS_CHACHAPOLY_C -#define MBEDTLS_CMAC_C -#define MBEDTLS_DES_C -#define MBEDTLS_DHM_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECJPAKE_C -#define MBEDTLS_ECP_C -#define MBEDTLS_GCM_C -#define MBEDTLS_HKDF_C -#define MBEDTLS_MD5_C -#define MBEDTLS_PADLOCK_C -#define MBEDTLS_POLY1305_C -//#define MBEDTLS_PSA_CRYPTO_SE_C -#define MBEDTLS_RIPEMD160_C -#define MBEDTLS_RSA_C -#define MBEDTLS_SHA1_C -#define MBEDTLS_SHA224_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SHA384_C -#define MBEDTLS_SHA512_C -#define MBEDTLS_SHA3_C +options or obsolete options: +//#define MBEDTLS_AES_ALT +//#define MBEDTLS_ARIA_ALT +//#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_CCM_ALT +//#define MBEDTLS_CHACHA20_ALT +//#define MBEDTLS_CHACHAPOLY_ALT +//#define MBEDTLS_CMAC_ALT +//#define MBEDTLS_DES_ALT +//#define MBEDTLS_DHM_ALT +//#define MBEDTLS_ECJPAKE_ALT +//#define MBEDTLS_GCM_ALT +//#define MBEDTLS_NIST_KW_ALT +//#define MBEDTLS_MD5_ALT +//#define MBEDTLS_POLY1305_ALT +//#define MBEDTLS_RIPEMD160_ALT +//#define MBEDTLS_RSA_ALT +//#define MBEDTLS_SHA1_ALT +//#define MBEDTLS_SHA256_ALT +//#define MBEDTLS_SHA512_ALT +//#define MBEDTLS_ECP_ALT +//#define MBEDTLS_MD5_PROCESS_ALT +//#define MBEDTLS_RIPEMD160_PROCESS_ALT +//#define MBEDTLS_SHA1_PROCESS_ALT +//#define MBEDTLS_SHA256_PROCESS_ALT +//#define MBEDTLS_SHA512_PROCESS_ALT +//#define MBEDTLS_DES_SETKEY_ALT +//#define MBEDTLS_DES_CRYPT_ECB_ALT +//#define MBEDTLS_DES3_CRYPT_ECB_ALT +//#define MBEDTLS_AES_SETKEY_ENC_ALT +//#define MBEDTLS_AES_SETKEY_DEC_ALT +//#define MBEDTLS_AES_ENCRYPT_ALT +//#define MBEDTLS_AES_DECRYPT_ALT +//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT +//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT +//#define MBEDTLS_ECDSA_VERIFY_ALT +//#define MBEDTLS_ECDSA_SIGN_ALT +//#define MBEDTLS_ECDSA_GENKEY_ALT +//#define MBEDTLS_ECP_INTERNAL_ALT +//#define MBEDTLS_ECP_NO_FALLBACK +//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT +//#define MBEDTLS_ECP_ADD_MIXED_ALT +//#define MBEDTLS_ECP_DOUBLE_JAC_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT +//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT +//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT +//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT +#define MBEDTLS_CIPHER_MODE_CBC +#define MBEDTLS_CIPHER_MODE_CFB +#define MBEDTLS_CIPHER_MODE_CTR +#define MBEDTLS_CIPHER_MODE_OFB +#define MBEDTLS_CIPHER_MODE_XTS +#define MBEDTLS_CIPHER_PADDING_PKCS7 +#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +#define MBEDTLS_CIPHER_PADDING_ZEROS +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_BP256R1_ENABLED +#define MBEDTLS_ECP_DP_BP384R1_ENABLED +#define MBEDTLS_ECP_DP_BP512R1_ENABLED +#define MBEDTLS_ECP_DP_CURVE25519_ENABLED +#define MBEDTLS_ECP_DP_CURVE448_ENABLED +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_GENPRIME +#define MBEDTLS_PKCS1_V15 +#define MBEDTLS_PKCS1_V21 +//#define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_AES_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CAMELLIA_C +#define MBEDTLS_ARIA_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CHACHA20_C +#define MBEDTLS_CHACHAPOLY_C +#define MBEDTLS_CMAC_C +#define MBEDTLS_DES_C +#define MBEDTLS_DHM_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECJPAKE_C +#define MBEDTLS_ECP_C +#define MBEDTLS_GCM_C +#define MBEDTLS_HKDF_C +#define MBEDTLS_MD5_C +#define MBEDTLS_PADLOCK_C +#define MBEDTLS_POLY1305_C +//#define MBEDTLS_PSA_CRYPTO_SE_C +#define MBEDTLS_RIPEMD160_C +#define MBEDTLS_RSA_C +#define MBEDTLS_SHA1_C +#define MBEDTLS_SHA224_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA384_C +#define MBEDTLS_SHA512_C +#define MBEDTLS_SHA3_C -### In tf_psa_crypto_config.h, we have: -* SECTION "Platform abstraction layer configuration options" -#define MBEDTLS_HAVE_TIME -#define MBEDTLS_HAVE_TIME_DATE -//#define MBEDTLS_PLATFORM_MEMORY -//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -//#define MBEDTLS_PLATFORM_SETBUF_ALT -//#define MBEDTLS_PLATFORM_EXIT_ALT -//#define MBEDTLS_PLATFORM_TIME_ALT -//#define MBEDTLS_PLATFORM_FPRINTF_ALT -//#define MBEDTLS_PLATFORM_PRINTF_ALT -//#define MBEDTLS_PLATFORM_SNPRINTF_ALT -//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT -//#define MBEDTLS_PLATFORM_NV_SEED_ALT -//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT -//#define MBEDTLS_PLATFORM_MS_TIME_ALT -//#define MBEDTLS_PLATFORM_GMTIME_R_ALT -//#define MBEDTLS_PLATFORM_ZEROIZE_ALT -#define MBEDTLS_FS_IO -//#define MBEDTLS_MEMORY_DEBUG -//#define MBEDTLS_MEMORY_BACKTRACE -//#define MBEDTLS_THREADING_ALT ??? -//#define MBEDTLS_THREADING_PTHREAD -#define MBEDTLS_PLATFORM_C -//#define MBEDTLS_THREADING_C -#define MBEDTLS_TIMING_C -//#define MBEDTLS_TIMING_ALT ??? -//#define MBEDTLS_PLATFORM_STD_MEM_HDR -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc -//#define MBEDTLS_PLATFORM_STD_FREE free -//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf -//#define MBEDTLS_PLATFORM_STD_EXIT exit -//#define MBEDTLS_PLATFORM_STD_TIME time -//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf -//#define MBEDTLS_PLATFORM_STD_PRINTF printf -//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf -//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 -//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 -//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read -//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write -//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" -//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc -//#define MBEDTLS_PLATFORM_FREE_MACRO free -//#define MBEDTLS_PLATFORM_EXIT_MACRO exit -//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf -//#define MBEDTLS_PLATFORM_TIME_MACRO time -//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t -//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf -//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf -//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf -//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf -//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read -//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write -//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t -//#define MBEDTLS_PRINTF_MS_TIME PRId64 -//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 -//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) -//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) +### In tf_psa_crypto_config.h, we have: +* SECTION "Platform abstraction layer configuration options" +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_HAVE_TIME_DATE +//#define MBEDTLS_PLATFORM_MEMORY +//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +//#define MBEDTLS_PLATFORM_SETBUF_ALT +//#define MBEDTLS_PLATFORM_EXIT_ALT +//#define MBEDTLS_PLATFORM_TIME_ALT +//#define MBEDTLS_PLATFORM_FPRINTF_ALT +//#define MBEDTLS_PLATFORM_PRINTF_ALT +//#define MBEDTLS_PLATFORM_SNPRINTF_ALT +//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT +//#define MBEDTLS_PLATFORM_NV_SEED_ALT +//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT +//#define MBEDTLS_PLATFORM_MS_TIME_ALT +//#define MBEDTLS_PLATFORM_GMTIME_R_ALT +//#define MBEDTLS_PLATFORM_ZEROIZE_ALT +#define MBEDTLS_FS_IO +//#define MBEDTLS_MEMORY_DEBUG +//#define MBEDTLS_MEMORY_BACKTRACE +//#define MBEDTLS_THREADING_ALT ??? +//#define MBEDTLS_THREADING_PTHREAD +#define MBEDTLS_PLATFORM_C +//#define MBEDTLS_THREADING_C +#define MBEDTLS_TIMING_C +//#define MBEDTLS_TIMING_ALT ??? +//#define MBEDTLS_PLATFORM_STD_MEM_HDR +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc +//#define MBEDTLS_PLATFORM_STD_FREE free +//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf +//#define MBEDTLS_PLATFORM_STD_EXIT exit +//#define MBEDTLS_PLATFORM_STD_TIME time +//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf +//#define MBEDTLS_PLATFORM_STD_PRINTF printf +//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf +//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 +//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 +//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read +//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write +//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" +//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc +//#define MBEDTLS_PLATFORM_FREE_MACRO free +//#define MBEDTLS_PLATFORM_EXIT_MACRO exit +//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf +//#define MBEDTLS_PLATFORM_TIME_MACRO time +//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t +//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf +//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf +//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf +//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read +//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write +//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t +//#define MBEDTLS_PRINTF_MS_TIME PRId64 +//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 +//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) +//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) -* SECTION "General and test configuration options" -//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" -//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" -//#define MBEDTLS_DEPRECATED_WARNING -//#define MBEDTLS_DEPRECATED_REMOVED -//#define MBEDTLS_CHECK_RETURN_WARNING -//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN -//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND -//#define MBEDTLS_TEST_HOOKS -#define MBEDTLS_VERSION_C -#define MBEDTLS_VERSION_FEATURES +* SECTION "General and test configuration options" +//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" +//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" +//#define MBEDTLS_DEPRECATED_WARNING +//#define MBEDTLS_DEPRECATED_REMOVED +//#define MBEDTLS_CHECK_RETURN_WARNING +//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND +//#define MBEDTLS_TEST_HOOKS +#define MBEDTLS_VERSION_C +#define MBEDTLS_VERSION_FEATURES -* SECTION "PSA cryptography API configuration options" -include/psa/crypto_config.h +* SECTION "PSA cryptography API configuration options" +include/psa/crypto_config.h -* SECTION "PSA core configuration options" -//#define MBEDTLS_ENTROPY_HARDWARE_ALT -//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY -//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES -//#define MBEDTLS_NO_PLATFORM_ENTROPY -//#define MBEDTLS_ENTROPY_FORCE_SHA256 -//#define MBEDTLS_ENTROPY_NV_SEED ??? -//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER -//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS -#define MBEDTLS_PSA_CRYPTO_C -//#define MBEDTLS_PSA_CRYPTO_CLIENT -//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG -//#define MBEDTLS_PSA_CRYPTO_SPM -//#define MBEDTLS_PSA_INJECT_ENTROPY -//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS -#define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C -#define MBEDTLS_HMAC_DRBG_C -#define MBEDTLS_PSA_CRYPTO_STORAGE_C -#define MBEDTLS_PSA_ITS_FILE_C -//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" -//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" -//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 -//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 -//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 -//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 -//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 -//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 -//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 -//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 -//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 -//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 -//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 -//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 -//#define MBEDTLS_ENTROPY_MAX_GATHER 128 -//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 +* SECTION "PSA core configuration options" +//#define MBEDTLS_ENTROPY_HARDWARE_ALT +//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +//#define MBEDTLS_NO_PLATFORM_ENTROPY +//#define MBEDTLS_ENTROPY_FORCE_SHA256 +//#define MBEDTLS_ENTROPY_NV_SEED ??? +//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER +//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS +#define MBEDTLS_PSA_CRYPTO_C +//#define MBEDTLS_PSA_CRYPTO_CLIENT +//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +//#define MBEDTLS_PSA_CRYPTO_SPM +//#define MBEDTLS_PSA_INJECT_ENTROPY +//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_PSA_CRYPTO_STORAGE_C +#define MBEDTLS_PSA_ITS_FILE_C +//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" +//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" +//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 +//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 +//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 +//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 +//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 +//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 +//#define MBEDTLS_ENTROPY_MAX_GATHER 128 +//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 -* SECTION "Builtin drivers configuration options" -#define MBEDTLS_HAVE_ASM -//#define MBEDTLS_NO_UDBL_DIVISION -//#define MBEDTLS_NO_64BIT_MULTIPLICATION -//#define MBEDTLS_HAVE_SSE2 -#define MBEDTLS_AESNI_C -#define MBEDTLS_AESCE_C -//#define MBEDTLS_AES_ROM_TABLES -//#define MBEDTLS_AES_FEWER_TABLES -//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -//#define MBEDTLS_AES_USE_HARDWARE_ONLY -//#define MBEDTLS_CAMELLIA_SMALL_MEMORY -//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED -#define MBEDTLS_ECP_NIST_OPTIM -//#define MBEDTLS_ECP_RESTARTABLE ??? -//#define MBEDTLS_ECP_WITH_MPI_UINT -//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED -//#define MBEDTLS_SHA256_SMALLER -//#define MBEDTLS_SHA512_SMALLER -//#define MBEDTLS_RSA_NO_CRT -#define MBEDTLS_SELF_TEST -//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT -//#define MBEDTLS_GCM_LARGE_TABLE -//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT -//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT -//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY -//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY -//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT -//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY -//#define MBEDTLS_MPI_WINDOW_SIZE 2 -//#define MBEDTLS_MPI_MAX_SIZE 1024 -//#define MBEDTLS_ECP_WINDOW_SIZE 4 -//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 -//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 +* SECTION "Builtin drivers configuration options" +#define MBEDTLS_HAVE_ASM +//#define MBEDTLS_NO_UDBL_DIVISION +//#define MBEDTLS_NO_64BIT_MULTIPLICATION +//#define MBEDTLS_HAVE_SSE2 +#define MBEDTLS_AESNI_C +#define MBEDTLS_AESCE_C +//#define MBEDTLS_AES_ROM_TABLES +//#define MBEDTLS_AES_FEWER_TABLES +//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +//#define MBEDTLS_AES_USE_HARDWARE_ONLY +//#define MBEDTLS_CAMELLIA_SMALL_MEMORY +//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM +//#define MBEDTLS_ECP_RESTARTABLE ??? +//#define MBEDTLS_ECP_WITH_MPI_UINT +//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED +//#define MBEDTLS_SHA256_SMALLER +//#define MBEDTLS_SHA512_SMALLER +//#define MBEDTLS_RSA_NO_CRT +#define MBEDTLS_SELF_TEST +//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +//#define MBEDTLS_GCM_LARGE_TABLE +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_MPI_WINDOW_SIZE 2 +//#define MBEDTLS_MPI_MAX_SIZE 1024 +//#define MBEDTLS_ECP_WINDOW_SIZE 4 +//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 +//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 -* SECTION "Beyond the current PSA cryptography API configuration options." -#define MBEDTLS_CIPHER_C -#define MBEDTLS_LMS_C -//#define MBEDTLS_LMS_PRIVATE -#define MBEDTLS_MD_C -#define MBEDTLS_NIST_KW_C -#define MBEDTLS_PK_PARSE_EC_EXTENDED -#define MBEDTLS_PK_PARSE_EC_COMPRESSED -#define MBEDTLS_PK_RSA_ALT_SUPPORT -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PK_WRITE_C -#define MBEDTLS_PKCS5_C -#define MBEDTLS_PKCS12_C +* SECTION "Beyond the current PSA cryptography API configuration options." +#define MBEDTLS_CIPHER_C +#define MBEDTLS_LMS_C +//#define MBEDTLS_LMS_PRIVATE +#define MBEDTLS_MD_C +#define MBEDTLS_NIST_KW_C +#define MBEDTLS_PK_PARSE_EC_EXTENDED +#define MBEDTLS_PK_PARSE_EC_COMPRESSED +#define MBEDTLS_PK_RSA_ALT_SUPPORT +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PKCS5_C +#define MBEDTLS_PKCS12_C -* SECTION "Cryptography utilities configuration options" -#define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_BASE64_C -#define MBEDTLS_OID_C -#define MBEDTLS_PEM_PARSE_C -#define MBEDTLS_PEM_WRITE_C +* SECTION "Cryptography utilities configuration options" +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PEM_WRITE_C -### In mbedtls_config.h, we have: -* SECTION "System support" -Empty +### In mbedtls_config.h, we have: +* SECTION "System support" +Empty -* SECTION "Mbed TLS feature support" -//#define MBEDTLS_CIPHER_NULL_CIPHER -#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -#define MBEDTLS_ERROR_STRERROR_DUMMY -#define MBEDTLS_SSL_ALL_ALERT_MESSAGES -#define MBEDTLS_SSL_DTLS_CONNECTION_ID -#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 -//#define MBEDTLS_SSL_ASYNC_PRIVATE -#define MBEDTLS_SSL_CONTEXT_SERIALIZATION -//#define MBEDTLS_SSL_DEBUG_ALL -#define MBEDTLS_SSL_ENCRYPT_THEN_MAC -#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET -#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -#define MBEDTLS_SSL_RENEGOTIATION -#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT -#define MBEDTLS_SSL_PROTO_TLS1_2 -#define MBEDTLS_SSL_PROTO_TLS1_3 -#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -//#define MBEDTLS_SSL_EARLY_DATA -#define MBEDTLS_SSL_PROTO_DTLS -#define MBEDTLS_SSL_ALPN -#define MBEDTLS_SSL_DTLS_ANTI_REPLAY -#define MBEDTLS_SSL_DTLS_HELLO_VERIFY -//#define MBEDTLS_SSL_DTLS_SRTP -#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE -#define MBEDTLS_SSL_SESSION_TICKETS -#define MBEDTLS_SSL_SERVER_NAME_INDICATION -//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -//#define MBEDTLS_USE_PSA_CRYPTO -//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -//#define MBEDTLS_X509_REMOVE_INFO -#define MBEDTLS_X509_RSASSA_PSS_SUPPORT +* SECTION "Mbed TLS feature support" +//#define MBEDTLS_CIPHER_NULL_CIPHER +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#define MBEDTLS_ERROR_STRERROR_DUMMY +#define MBEDTLS_SSL_ALL_ALERT_MESSAGES +#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +//#define MBEDTLS_SSL_ASYNC_PRIVATE +#define MBEDTLS_SSL_CONTEXT_SERIALIZATION +//#define MBEDTLS_SSL_DEBUG_ALL +#define MBEDTLS_SSL_ENCRYPT_THEN_MAC +#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +#define MBEDTLS_SSL_RENEGOTIATION +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_TLS1_3 +#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +//#define MBEDTLS_SSL_EARLY_DATA +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_ALPN +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +//#define MBEDTLS_SSL_DTLS_SRTP +#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#define MBEDTLS_SSL_SESSION_TICKETS +#define MBEDTLS_SSL_SERVER_NAME_INDICATION +//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +//#define MBEDTLS_USE_PSA_CRYPTO +//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +//#define MBEDTLS_X509_REMOVE_INFO +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT -* SECTION "Mbed TLS modules" -#define MBEDTLS_DEBUG_C -#define MBEDTLS_ERROR_C -#define MBEDTLS_NET_C -#define MBEDTLS_PKCS7_C -#define MBEDTLS_SSL_CACHE_C -#define MBEDTLS_SSL_COOKIE_C -#define MBEDTLS_SSL_TICKET_C -#define MBEDTLS_SSL_CLI_C -#define MBEDTLS_SSL_SRV_C -#define MBEDTLS_SSL_TLS_C -#define MBEDTLS_X509_USE_C -#define MBEDTLS_X509_CRT_PARSE_C -#define MBEDTLS_X509_CRL_PARSE_C -#define MBEDTLS_X509_CSR_PARSE_C -#define MBEDTLS_X509_CREATE_C -#define MBEDTLS_X509_CRT_WRITE_C -#define MBEDTLS_X509_CSR_WRITE_C +* SECTION "Mbed TLS modules" +#define MBEDTLS_DEBUG_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_NET_C +#define MBEDTLS_PKCS7_C +#define MBEDTLS_SSL_CACHE_C +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_TICKET_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_SRV_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRL_PARSE_C +#define MBEDTLS_X509_CSR_PARSE_C +#define MBEDTLS_X509_CREATE_C +#define MBEDTLS_X509_CRT_WRITE_C +#define MBEDTLS_X509_CSR_WRITE_C -* SECTION "General configuration options" -//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" -//#define MBEDTLS_USER_CONFIG_FILE "/dev/null" +* SECTION "General configuration options" +//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" +//#define MBEDTLS_USER_CONFIG_FILE "/dev/null" -* SECTION "Module configuration options" -//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 -//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 -//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 -//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 -//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 -//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 -//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 -//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 -//#define MBEDTLS_PSK_MAX_LEN 32 -//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 -//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 -//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 -//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 -//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 -//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 -//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 +* SECTION "Module configuration options" +//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 +//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 +//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 +//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 +//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 +//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 +//#define MBEDTLS_PSK_MAX_LEN 32 +//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 +//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 +//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 +//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 +//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 +//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 From 4f4a30c2e7af56adbb3c5bf6df77cf784d52a9f0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 15:00:54 +0200 Subject: [PATCH 03/32] Remove question marks triplets The associated config options are at the right place. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 93660f6d24..9224f23cfb 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -218,12 +218,12 @@ options or obsolete options: #define MBEDTLS_FS_IO //#define MBEDTLS_MEMORY_DEBUG //#define MBEDTLS_MEMORY_BACKTRACE -//#define MBEDTLS_THREADING_ALT ??? +//#define MBEDTLS_THREADING_ALT //#define MBEDTLS_THREADING_PTHREAD #define MBEDTLS_PLATFORM_C //#define MBEDTLS_THREADING_C #define MBEDTLS_TIMING_C -//#define MBEDTLS_TIMING_ALT ??? +//#define MBEDTLS_TIMING_ALT //#define MBEDTLS_PLATFORM_STD_MEM_HDR //#define MBEDTLS_PLATFORM_STD_CALLOC calloc //#define MBEDTLS_PLATFORM_STD_FREE free @@ -279,7 +279,7 @@ include/psa/crypto_config.h //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES //#define MBEDTLS_NO_PLATFORM_ENTROPY //#define MBEDTLS_ENTROPY_FORCE_SHA256 -//#define MBEDTLS_ENTROPY_NV_SEED ??? +//#define MBEDTLS_ENTROPY_NV_SEED //#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER //#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS #define MBEDTLS_PSA_CRYPTO_C @@ -324,7 +324,7 @@ include/psa/crypto_config.h //#define MBEDTLS_CAMELLIA_SMALL_MEMORY //#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED #define MBEDTLS_ECP_NIST_OPTIM -//#define MBEDTLS_ECP_RESTARTABLE ??? +//#define MBEDTLS_ECP_RESTARTABLE //#define MBEDTLS_ECP_WITH_MPI_UINT //#define MBEDTLS_PSA_P256M_DRIVER_ENABLED //#define MBEDTLS_SHA256_SMALLER From 5c46496dd2063c6aadcf9359df9182f6cc2c76df Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 12:01:36 +0200 Subject: [PATCH 04/32] Improve section names Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 9224f23cfb..52b7526c16 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -62,25 +62,24 @@ options that apply to the whole code base (TLS, x509, crypto and tests) mostly related to the platform abstraction layer and testing. In tf_psa_crypto_config.h these configurations options are organized into two sections, one for the platform abstraction layer options and one for the others, respectively named -"Platform abstraction layer configuration options" and -"General and test configuration options". +"Platform abstraction layer" and "General and test configuration options". -Then, the "PSA cryptography API configuration options" section is the +Then, the "Cryptographic mechanism selection (PSA API)" section is the equivalent of the pre-split crypto_config.h configuration file containing the PSA_WANT_ prefixed macros. Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located in a single directory but split between the PSA core (core directory) and the PSA builtin drivers (drivers/builtin/src directory). This is reflected in -tf_psa_crypto_config.h with two sections named "PSA core configuration options" -and "Builtin drivers configuration options". +tf_psa_crypto_config.h with two sections respectively named "PSA core" and +"Builtin drivers". The two last sections contain the configuration options for the cryptography mechanisms that are not yet part of the PSA cryptography API (like LMS) and for cryptography utilities (like base64 or ASN1 APIs) that facilitate the usage of the PSA cryptography API in other cryptography projects. They are -named respectively "Beyond the current PSA cryptography API configuration -options" and "Cryptography utilities configuration options". +named respectively "Cryptographic mechanism selection (extended API)" +options" and "Data format support". By contrast to mbedtls_config.h, tf_psa_crypto_config.h does not contain a section like the "Module configuration options" one containing non boolean @@ -198,7 +197,7 @@ options or obsolete options: #define MBEDTLS_SHA3_C ### In tf_psa_crypto_config.h, we have: -* SECTION "Platform abstraction layer configuration options" +* SECTION "Platform abstraction layer" #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE //#define MBEDTLS_PLATFORM_MEMORY @@ -269,11 +268,11 @@ options or obsolete options: #define MBEDTLS_VERSION_FEATURES -* SECTION "PSA cryptography API configuration options" -include/psa/crypto_config.h +* SECTION "Cryptographic mechanism selection (PSA API)" +PSA_WANT_\* macros as in current crypto_config.h. -* SECTION "PSA core configuration options" +* SECTION "PSA core" //#define MBEDTLS_ENTROPY_HARDWARE_ALT //#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES @@ -310,7 +309,7 @@ include/psa/crypto_config.h //#define MBEDTLS_ENTROPY_MAX_GATHER 128 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 -* SECTION "Builtin drivers configuration options" +* SECTION "Builtin drivers" #define MBEDTLS_HAVE_ASM //#define MBEDTLS_NO_UDBL_DIVISION //#define MBEDTLS_NO_64BIT_MULTIPLICATION @@ -346,7 +345,7 @@ include/psa/crypto_config.h //#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 -* SECTION "Beyond the current PSA cryptography API configuration options." +* SECTION "Cryptographic mechanism selection (extended API)" #define MBEDTLS_CIPHER_C #define MBEDTLS_LMS_C //#define MBEDTLS_LMS_PRIVATE @@ -362,7 +361,7 @@ include/psa/crypto_config.h #define MBEDTLS_PKCS12_C -* SECTION "Cryptography utilities configuration options" +* SECTION "Data format support" #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BASE64_C @@ -372,7 +371,7 @@ include/psa/crypto_config.h ### In mbedtls_config.h, we have: -* SECTION "System support" +* SECTION "Platform abstraction layer" Empty From ad62dce86f56e5bb01adeefafaacc5397bdc12ce Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 14:22:24 +0200 Subject: [PATCH 05/32] Keep legacy crypto config options Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 228 +++++++++++++++++----------------- 1 file changed, 112 insertions(+), 116 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 52b7526c16..923e527e55 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -25,14 +25,8 @@ part (TF-PSA-Crypto). ## Requirements on tf_psa_crypto_config.h * it configures the PSA APIs, their implementations, the implementation of the builtin drivers and the platform abstraction layer. -* it does not contain the legacy cryptography configuration options that are - superseded by the PSA cryptography configuration scheme (PSA_WANT_ and - MBEDTLS_PSA_ACCEL_ macros), for example MBEDTLS_CCM_C or - MBEDTLS_CHACHAPOLY_ALT. -* apart from the legacy cryptography configuration options mentioned in the - previous point and the cryptography configuration options that are planned - to be removed for 4.0, tf_psa_crypto_config.h inherites from all the - cryptography configuration options of mbedtls_config.h. +* tf_psa_crypto_config.h inherites from all the cryptography configuration + options of mbedtls_config.h. * apart from the PSA cryptography API configuration options that are prefixed by PSA_WANT_, the tf_psa_crypto_config.h configuration options are prefixed by TF_PSA_CRYPTO_. @@ -55,7 +49,7 @@ TF_PSA_CRYPTO_ that just expand to the TF_PSA_CRYPTO_ one: ## Sections in tf_psa_crypto_config.h -The tf_psa_crypto_config.h configuration file is organized into seven sections. +The tf_psa_crypto_config.h configuration file is organized into eight sections. The pre-split mbedtls_config.h configuration files contains configuration options that apply to the whole code base (TLS, x509, crypto and tests) mostly @@ -74,13 +68,17 @@ PSA builtin drivers (drivers/builtin/src directory). This is reflected in tf_psa_crypto_config.h with two sections respectively named "PSA core" and "Builtin drivers". -The two last sections contain the configuration options for the cryptography +The two following sections contain the configuration options for the cryptography mechanisms that are not yet part of the PSA cryptography API (like LMS) and for cryptography utilities (like base64 or ASN1 APIs) that facilitate the usage of the PSA cryptography API in other cryptography projects. They are named respectively "Cryptographic mechanism selection (extended API)" options" and "Data format support". +Finally, the last section named "Legacy cryptography" contains the configuration +options that will eventually be removed as duplicates of PSA_WANT_\* and +MBEDTLS_PSA_ACCEL_\* configuration options. + By contrast to mbedtls_config.h, tf_psa_crypto_config.h does not contain a section like the "Module configuration options" one containing non boolean configuration options. The configuration options that are not boolean are @@ -90,112 +88,6 @@ Open question: do we group them into a subsection? ## Repartition of the configuration options -Starting from mbedtls_config.h as in c085cc767d, we remove the following -configuration options as duplicates of PSA_WANT_ and MBEDTLS_PSA_ACCEL_ -options or obsolete options: -//#define MBEDTLS_AES_ALT -//#define MBEDTLS_ARIA_ALT -//#define MBEDTLS_CAMELLIA_ALT -//#define MBEDTLS_CCM_ALT -//#define MBEDTLS_CHACHA20_ALT -//#define MBEDTLS_CHACHAPOLY_ALT -//#define MBEDTLS_CMAC_ALT -//#define MBEDTLS_DES_ALT -//#define MBEDTLS_DHM_ALT -//#define MBEDTLS_ECJPAKE_ALT -//#define MBEDTLS_GCM_ALT -//#define MBEDTLS_NIST_KW_ALT -//#define MBEDTLS_MD5_ALT -//#define MBEDTLS_POLY1305_ALT -//#define MBEDTLS_RIPEMD160_ALT -//#define MBEDTLS_RSA_ALT -//#define MBEDTLS_SHA1_ALT -//#define MBEDTLS_SHA256_ALT -//#define MBEDTLS_SHA512_ALT -//#define MBEDTLS_ECP_ALT -//#define MBEDTLS_MD5_PROCESS_ALT -//#define MBEDTLS_RIPEMD160_PROCESS_ALT -//#define MBEDTLS_SHA1_PROCESS_ALT -//#define MBEDTLS_SHA256_PROCESS_ALT -//#define MBEDTLS_SHA512_PROCESS_ALT -//#define MBEDTLS_DES_SETKEY_ALT -//#define MBEDTLS_DES_CRYPT_ECB_ALT -//#define MBEDTLS_DES3_CRYPT_ECB_ALT -//#define MBEDTLS_AES_SETKEY_ENC_ALT -//#define MBEDTLS_AES_SETKEY_DEC_ALT -//#define MBEDTLS_AES_ENCRYPT_ALT -//#define MBEDTLS_AES_DECRYPT_ALT -//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT -//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT -//#define MBEDTLS_ECDSA_VERIFY_ALT -//#define MBEDTLS_ECDSA_SIGN_ALT -//#define MBEDTLS_ECDSA_GENKEY_ALT -//#define MBEDTLS_ECP_INTERNAL_ALT -//#define MBEDTLS_ECP_NO_FALLBACK -//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT -//#define MBEDTLS_ECP_ADD_MIXED_ALT -//#define MBEDTLS_ECP_DOUBLE_JAC_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT -//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT -//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT -//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT -#define MBEDTLS_CIPHER_MODE_CBC -#define MBEDTLS_CIPHER_MODE_CFB -#define MBEDTLS_CIPHER_MODE_CTR -#define MBEDTLS_CIPHER_MODE_OFB -#define MBEDTLS_CIPHER_MODE_XTS -#define MBEDTLS_CIPHER_PADDING_PKCS7 -#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS -#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN -#define MBEDTLS_CIPHER_PADDING_ZEROS -#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_DP_SECP384R1_ENABLED -#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -#define MBEDTLS_ECP_DP_SECP256K1_ENABLED -#define MBEDTLS_ECP_DP_BP256R1_ENABLED -#define MBEDTLS_ECP_DP_BP384R1_ENABLED -#define MBEDTLS_ECP_DP_BP512R1_ENABLED -#define MBEDTLS_ECP_DP_CURVE25519_ENABLED -#define MBEDTLS_ECP_DP_CURVE448_ENABLED -#define MBEDTLS_ECDSA_DETERMINISTIC -#define MBEDTLS_GENPRIME -#define MBEDTLS_PKCS1_V15 -#define MBEDTLS_PKCS1_V21 -//#define MBEDTLS_PSA_CRYPTO_CONFIG -#define MBEDTLS_AES_C -#define MBEDTLS_BIGNUM_C -#define MBEDTLS_CAMELLIA_C -#define MBEDTLS_ARIA_C -#define MBEDTLS_CCM_C -#define MBEDTLS_CHACHA20_C -#define MBEDTLS_CHACHAPOLY_C -#define MBEDTLS_CMAC_C -#define MBEDTLS_DES_C -#define MBEDTLS_DHM_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECJPAKE_C -#define MBEDTLS_ECP_C -#define MBEDTLS_GCM_C -#define MBEDTLS_HKDF_C -#define MBEDTLS_MD5_C -#define MBEDTLS_PADLOCK_C -#define MBEDTLS_POLY1305_C -//#define MBEDTLS_PSA_CRYPTO_SE_C -#define MBEDTLS_RIPEMD160_C -#define MBEDTLS_RSA_C -#define MBEDTLS_SHA1_C -#define MBEDTLS_SHA224_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SHA384_C -#define MBEDTLS_SHA512_C -#define MBEDTLS_SHA3_C - ### In tf_psa_crypto_config.h, we have: * SECTION "Platform abstraction layer" #define MBEDTLS_HAVE_TIME @@ -369,6 +261,110 @@ PSA_WANT_\* macros as in current crypto_config.h. #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PEM_WRITE_C +* SECTION "Legacy cryptography" +//#define MBEDTLS_AES_ALT +//#define MBEDTLS_ARIA_ALT +//#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_CCM_ALT +//#define MBEDTLS_CHACHA20_ALT +//#define MBEDTLS_CHACHAPOLY_ALT +//#define MBEDTLS_CMAC_ALT +//#define MBEDTLS_DES_ALT +//#define MBEDTLS_DHM_ALT +//#define MBEDTLS_ECJPAKE_ALT +//#define MBEDTLS_GCM_ALT +//#define MBEDTLS_NIST_KW_ALT +//#define MBEDTLS_MD5_ALT +//#define MBEDTLS_POLY1305_ALT +//#define MBEDTLS_RIPEMD160_ALT +//#define MBEDTLS_RSA_ALT +//#define MBEDTLS_SHA1_ALT +//#define MBEDTLS_SHA256_ALT +//#define MBEDTLS_SHA512_ALT +//#define MBEDTLS_ECP_ALT +//#define MBEDTLS_MD5_PROCESS_ALT +//#define MBEDTLS_RIPEMD160_PROCESS_ALT +//#define MBEDTLS_SHA1_PROCESS_ALT +//#define MBEDTLS_SHA256_PROCESS_ALT +//#define MBEDTLS_SHA512_PROCESS_ALT +//#define MBEDTLS_DES_SETKEY_ALT +//#define MBEDTLS_DES_CRYPT_ECB_ALT +//#define MBEDTLS_DES3_CRYPT_ECB_ALT +//#define MBEDTLS_AES_SETKEY_ENC_ALT +//#define MBEDTLS_AES_SETKEY_DEC_ALT +//#define MBEDTLS_AES_ENCRYPT_ALT +//#define MBEDTLS_AES_DECRYPT_ALT +//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT +//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT +//#define MBEDTLS_ECDSA_VERIFY_ALT +//#define MBEDTLS_ECDSA_SIGN_ALT +//#define MBEDTLS_ECDSA_GENKEY_ALT +//#define MBEDTLS_ECP_INTERNAL_ALT +//#define MBEDTLS_ECP_NO_FALLBACK +//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT +//#define MBEDTLS_ECP_ADD_MIXED_ALT +//#define MBEDTLS_ECP_DOUBLE_JAC_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT +//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT +//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT +//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT +#define MBEDTLS_CIPHER_MODE_CBC +#define MBEDTLS_CIPHER_MODE_CFB +#define MBEDTLS_CIPHER_MODE_CTR +#define MBEDTLS_CIPHER_MODE_OFB +#define MBEDTLS_CIPHER_MODE_XTS +#define MBEDTLS_CIPHER_PADDING_PKCS7 +#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +#define MBEDTLS_CIPHER_PADDING_ZEROS +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_BP256R1_ENABLED +#define MBEDTLS_ECP_DP_BP384R1_ENABLED +#define MBEDTLS_ECP_DP_BP512R1_ENABLED +#define MBEDTLS_ECP_DP_CURVE25519_ENABLED +#define MBEDTLS_ECP_DP_CURVE448_ENABLED +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_GENPRIME +#define MBEDTLS_PKCS1_V15 +#define MBEDTLS_PKCS1_V21 +//#define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_AES_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CAMELLIA_C +#define MBEDTLS_ARIA_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CHACHA20_C +#define MBEDTLS_CHACHAPOLY_C +#define MBEDTLS_CMAC_C +#define MBEDTLS_DES_C +#define MBEDTLS_DHM_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECJPAKE_C +#define MBEDTLS_ECP_C +#define MBEDTLS_GCM_C +#define MBEDTLS_HKDF_C +#define MBEDTLS_MD5_C +#define MBEDTLS_PADLOCK_C +#define MBEDTLS_POLY1305_C +//#define MBEDTLS_PSA_CRYPTO_SE_C +#define MBEDTLS_RIPEMD160_C +#define MBEDTLS_RSA_C +#define MBEDTLS_SHA1_C +#define MBEDTLS_SHA224_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA384_C +#define MBEDTLS_SHA512_C +#define MBEDTLS_SHA3_C + ### In mbedtls_config.h, we have: * SECTION "Platform abstraction layer" From ca99203bc388b54b5e42151ca618f3a0ac9bb474 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 14:44:27 +0200 Subject: [PATCH 06/32] Remove module and function _ALT config option These options have been removed now. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 47 ----------------------------------- 1 file changed, 47 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 923e527e55..d9c2b3b5b6 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -262,53 +262,6 @@ PSA_WANT_\* macros as in current crypto_config.h. #define MBEDTLS_PEM_WRITE_C * SECTION "Legacy cryptography" -//#define MBEDTLS_AES_ALT -//#define MBEDTLS_ARIA_ALT -//#define MBEDTLS_CAMELLIA_ALT -//#define MBEDTLS_CCM_ALT -//#define MBEDTLS_CHACHA20_ALT -//#define MBEDTLS_CHACHAPOLY_ALT -//#define MBEDTLS_CMAC_ALT -//#define MBEDTLS_DES_ALT -//#define MBEDTLS_DHM_ALT -//#define MBEDTLS_ECJPAKE_ALT -//#define MBEDTLS_GCM_ALT -//#define MBEDTLS_NIST_KW_ALT -//#define MBEDTLS_MD5_ALT -//#define MBEDTLS_POLY1305_ALT -//#define MBEDTLS_RIPEMD160_ALT -//#define MBEDTLS_RSA_ALT -//#define MBEDTLS_SHA1_ALT -//#define MBEDTLS_SHA256_ALT -//#define MBEDTLS_SHA512_ALT -//#define MBEDTLS_ECP_ALT -//#define MBEDTLS_MD5_PROCESS_ALT -//#define MBEDTLS_RIPEMD160_PROCESS_ALT -//#define MBEDTLS_SHA1_PROCESS_ALT -//#define MBEDTLS_SHA256_PROCESS_ALT -//#define MBEDTLS_SHA512_PROCESS_ALT -//#define MBEDTLS_DES_SETKEY_ALT -//#define MBEDTLS_DES_CRYPT_ECB_ALT -//#define MBEDTLS_DES3_CRYPT_ECB_ALT -//#define MBEDTLS_AES_SETKEY_ENC_ALT -//#define MBEDTLS_AES_SETKEY_DEC_ALT -//#define MBEDTLS_AES_ENCRYPT_ALT -//#define MBEDTLS_AES_DECRYPT_ALT -//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT -//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT -//#define MBEDTLS_ECDSA_VERIFY_ALT -//#define MBEDTLS_ECDSA_SIGN_ALT -//#define MBEDTLS_ECDSA_GENKEY_ALT -//#define MBEDTLS_ECP_INTERNAL_ALT -//#define MBEDTLS_ECP_NO_FALLBACK -//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT -//#define MBEDTLS_ECP_ADD_MIXED_ALT -//#define MBEDTLS_ECP_DOUBLE_JAC_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT -//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT -//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT -//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT #define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_CIPHER_MODE_CFB #define MBEDTLS_CIPHER_MODE_CTR From 61391063b680e11eb81c5f7f90b9ac39c92e03de Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 14:55:49 +0200 Subject: [PATCH 07/32] No config renaming Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index d9c2b3b5b6..a6b1a012c0 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -27,9 +27,6 @@ part (TF-PSA-Crypto). builtin drivers and the platform abstraction layer. * tf_psa_crypto_config.h inherites from all the cryptography configuration options of mbedtls_config.h. -* apart from the PSA cryptography API configuration options that are prefixed - by PSA_WANT_, the tf_psa_crypto_config.h configuration options are prefixed - by TF_PSA_CRYPTO_. ## Comments about objectives and requirements @@ -41,12 +38,6 @@ crypto_config.h is extended to become the TF-PSA-Crypto configuration file, mbedtls_config.h mainly becomes the configuration file for the TLS and x509 libraries. -Regarding the platform abstraction layer configuration options, we do not -want to use the TF-PSA-Crypto ones in TLS and x509 code thus each of them has -an equivalent one in mbedtls_config.h prefixed by MBEDTLS_ instead of -TF_PSA_CRYPTO_ that just expand to the TF_PSA_CRYPTO_ one: -#define MBEDTLS_xyz TF_PSA_CRYPTO_xyz. - ## Sections in tf_psa_crypto_config.h The tf_psa_crypto_config.h configuration file is organized into eight sections. From 42c30e6a6ef5219e698322cd38215a362feb9e60 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 15:22:29 +0200 Subject: [PATCH 08/32] Move DRBG options Move DRBG options to the "Cryptographic mechanism selection (extended API)" section. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index a6b1a012c0..17a4e7b038 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -157,7 +157,6 @@ PSA_WANT_\* macros as in current crypto_config.h. * SECTION "PSA core" //#define MBEDTLS_ENTROPY_HARDWARE_ALT -//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES //#define MBEDTLS_NO_PLATFORM_ENTROPY //#define MBEDTLS_ENTROPY_FORCE_SHA256 @@ -170,24 +169,12 @@ PSA_WANT_\* macros as in current crypto_config.h. //#define MBEDTLS_PSA_CRYPTO_SPM //#define MBEDTLS_PSA_INJECT_ENTROPY //#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS -#define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C -#define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_PSA_CRYPTO_STORAGE_C #define MBEDTLS_PSA_ITS_FILE_C //#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" //#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 -//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 -//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 -//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 -//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 -//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 -//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 -//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 -//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 -//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 -//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 @@ -230,6 +217,9 @@ PSA_WANT_\* macros as in current crypto_config.h. * SECTION "Cryptographic mechanism selection (extended API)" #define MBEDTLS_CIPHER_C +//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_LMS_C //#define MBEDTLS_LMS_PRIVATE #define MBEDTLS_MD_C @@ -243,6 +233,17 @@ PSA_WANT_\* macros as in current crypto_config.h. #define MBEDTLS_PKCS5_C #define MBEDTLS_PKCS12_C +//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 +//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 +//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 +//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 +//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 + * SECTION "Data format support" #define MBEDTLS_ASN1_PARSE_C From 717663bcbc23c6d1d9810d96197b1f5aeee163fa Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 15:30:10 +0200 Subject: [PATCH 09/32] Move MBEDTLS_SELF_TEST option Move MBEDTLS_SELF_TEST option to the "General and test configuration options" section as MBEDTLS_VERSION_C. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 17a4e7b038..4974bbdd0e 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -144,6 +144,7 @@ Open question: do we group them into a subsection? //#define MBEDTLS_DEPRECATED_WARNING //#define MBEDTLS_DEPRECATED_REMOVED //#define MBEDTLS_CHECK_RETURN_WARNING +#define MBEDTLS_SELF_TEST //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN //#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND //#define MBEDTLS_TEST_HOOKS @@ -199,7 +200,6 @@ PSA_WANT_\* macros as in current crypto_config.h. //#define MBEDTLS_SHA256_SMALLER //#define MBEDTLS_SHA512_SMALLER //#define MBEDTLS_RSA_NO_CRT -#define MBEDTLS_SELF_TEST //#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT //#define MBEDTLS_GCM_LARGE_TABLE //#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT From 34a4086901f5e159d2d9b7c78e3865d1fc4a71b7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 15:33:45 +0200 Subject: [PATCH 10/32] Move MBEDTLS_NET_C config option Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 4974bbdd0e..c21ec25ee3 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -313,7 +313,7 @@ PSA_WANT_\* macros as in current crypto_config.h. ### In mbedtls_config.h, we have: * SECTION "Platform abstraction layer" -Empty +#define MBEDTLS_NET_C * SECTION "Mbed TLS feature support" @@ -367,7 +367,6 @@ Empty * SECTION "Mbed TLS modules" #define MBEDTLS_DEBUG_C #define MBEDTLS_ERROR_C -#define MBEDTLS_NET_C #define MBEDTLS_PKCS7_C #define MBEDTLS_SSL_CACHE_C #define MBEDTLS_SSL_COOKIE_C From e5d0f8c90638430f61b73983524bdc9ae458356e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 15:43:10 +0200 Subject: [PATCH 11/32] Move MBEDTLS_*_RETURN config options Move MBEDTLS_*_RETURN config options in the same section as MBEDTLS_CHECK_RETURN_WARNING. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index c21ec25ee3..7116245ac1 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -135,8 +135,6 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t //#define MBEDTLS_PRINTF_MS_TIME PRId64 //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 -//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) -//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) * SECTION "General and test configuration options" //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" @@ -151,6 +149,8 @@ Open question: do we group them into a subsection? #define MBEDTLS_VERSION_C #define MBEDTLS_VERSION_FEATURES +//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) +//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) * SECTION "Cryptographic mechanism selection (PSA API)" PSA_WANT_\* macros as in current crypto_config.h. From 8e1b463e340a4e7af23194b47f312f5ac903776a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 2 Sep 2024 16:21:44 +0200 Subject: [PATCH 12/32] Reorder sections Move "Cryptographic mechanism selection (extended API)" and "Data format support" just after section Cryptographic mechanism selection (PSA API)" Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 93 ++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 45 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 7116245ac1..f4d7bdaa2b 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -53,19 +53,21 @@ Then, the "Cryptographic mechanism selection (PSA API)" section is the equivalent of the pre-split crypto_config.h configuration file containing the PSA_WANT_ prefixed macros. +The following section named "Cryptographic mechanism selection (extended API)" +contains the configuration options for the cryptography mechanisms that are not +yet part of the PSA cryptography API (like LMS or PK). + +It is followed by the "Data format support" section that contains configuration +options of utilities related to various data formats (like base64 or ASN1 APIs). +These utilities aim to facilitate the usage of the PSA cryptography API in other +cryptography projects. + Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located in a single directory but split between the PSA core (core directory) and the PSA builtin drivers (drivers/builtin/src directory). This is reflected in tf_psa_crypto_config.h with two sections respectively named "PSA core" and "Builtin drivers". -The two following sections contain the configuration options for the cryptography -mechanisms that are not yet part of the PSA cryptography API (like LMS) and -for cryptography utilities (like base64 or ASN1 APIs) that facilitate the usage -of the PSA cryptography API in other cryptography projects. They are -named respectively "Cryptographic mechanism selection (extended API)" -options" and "Data format support". - Finally, the last section named "Legacy cryptography" contains the configuration options that will eventually be removed as duplicates of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options. @@ -156,6 +158,45 @@ Open question: do we group them into a subsection? PSA_WANT_\* macros as in current crypto_config.h. +* SECTION "Cryptographic mechanism selection (extended API)" +#define MBEDTLS_CIPHER_C +//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_LMS_C +//#define MBEDTLS_LMS_PRIVATE +#define MBEDTLS_MD_C +#define MBEDTLS_NIST_KW_C +#define MBEDTLS_PK_PARSE_EC_EXTENDED +#define MBEDTLS_PK_PARSE_EC_COMPRESSED +#define MBEDTLS_PK_RSA_ALT_SUPPORT +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PKCS5_C +#define MBEDTLS_PKCS12_C + +//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 +//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 +//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 +//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 +//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 +//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 + + +* SECTION "Data format support" +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PEM_WRITE_C + + * SECTION "PSA core" //#define MBEDTLS_ENTROPY_HARDWARE_ALT //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES @@ -215,44 +256,6 @@ PSA_WANT_\* macros as in current crypto_config.h. //#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 -* SECTION "Cryptographic mechanism selection (extended API)" -#define MBEDTLS_CIPHER_C -//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY -#define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_HMAC_DRBG_C -#define MBEDTLS_LMS_C -//#define MBEDTLS_LMS_PRIVATE -#define MBEDTLS_MD_C -#define MBEDTLS_NIST_KW_C -#define MBEDTLS_PK_PARSE_EC_EXTENDED -#define MBEDTLS_PK_PARSE_EC_COMPRESSED -#define MBEDTLS_PK_RSA_ALT_SUPPORT -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PK_WRITE_C -#define MBEDTLS_PKCS5_C -#define MBEDTLS_PKCS12_C - -//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 -//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 -//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 -//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 -//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 -//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 -//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 -//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 -//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 -//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 - - -* SECTION "Data format support" -#define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_BASE64_C -#define MBEDTLS_OID_C -#define MBEDTLS_PEM_PARSE_C -#define MBEDTLS_PEM_WRITE_C - * SECTION "Legacy cryptography" #define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_CIPHER_MODE_CFB From a25e9dbdebff98c0d629b313a0b86bec7191d71b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 3 Sep 2024 09:56:46 +0200 Subject: [PATCH 13/32] Move MBEDTLS_VERSION_* back to mbedtls_config.h We will add TF-PSA-Crypto specific ones when we add support for querying version and version features in TF-PSA-Crypto. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index f4d7bdaa2b..3713c2c4d8 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -148,8 +148,6 @@ Open question: do we group them into a subsection? //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN //#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND //#define MBEDTLS_TEST_HOOKS -#define MBEDTLS_VERSION_C -#define MBEDTLS_VERSION_FEATURES //#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) //#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) @@ -362,6 +360,8 @@ PSA_WANT_\* macros as in current crypto_config.h. #define MBEDTLS_SSL_SERVER_NAME_INDICATION //#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH //#define MBEDTLS_USE_PSA_CRYPTO +#define MBEDTLS_VERSION_C +#define MBEDTLS_VERSION_FEATURES //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK //#define MBEDTLS_X509_REMOVE_INFO #define MBEDTLS_X509_RSASSA_PSS_SUPPORT From 5e292605441b9053c14a6ba30218cb42a4714789 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 3 Sep 2024 16:01:48 +0200 Subject: [PATCH 14/32] Rework first sections Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 57 ++++++++++++++++++++--------------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 3713c2c4d8..88845fd039 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -1,7 +1,7 @@ -Mbed TLS and TF-PSA-Crypto configuration -======================================== +Configuration file split +======================== -## Objectives +## Why splitting the configuration file? The objective of the repository split is to reach the point where in Mbed TLS all the cryptography code and its tests are located in a tf-psa-crypto @@ -12,31 +12,40 @@ cryptography library and its tests. The TF-PSA-Crypto configuration file tf_psa_crypto_config.h configures entirely the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto. -Mbed TLS is configured with two files: mbedtls_config.h for TLS and x509 -and tf_psa_crypto_config.h. +Mbed TLS configuration is splitted in two files: mbedtls_config.h for TLS and +x509, tf_psa_crypto_config.h for the cryptography. -The platform abstraction layer and its configuration are the same in Mbed TLS -and TF-PSA-Crypto as: -* we want an user of Mbed TLS to set up only one plaform -abstraction layer for both the TLS/x509 part of Mbed TLS and its cryptography -part (TF-PSA-Crypto). -* we want to avoid an interface adaptation. +## How do we split the configuration file? -## Requirements on tf_psa_crypto_config.h -* it configures the PSA APIs, their implementations, the implementation of the - builtin drivers and the platform abstraction layer. -* tf_psa_crypto_config.h inherites from all the cryptography configuration - options of mbedtls_config.h. +We extend the so called PSA cryptographic configuration scheme based on +mbedtls_config.h and crypto_config.h. The configuration file crypto_config.h is +extended to become the TF-PSA-Crypto configuration file, mbedtls_config.h +becomes the configuration file for the TLS and x509 libraries. All the options +to select the cryptographic mechanisms and to configure their implementation +are moved from mbedtls_config.h to (tf_psa_)crypto_config.h. -## Comments about objectives and requirements +The configuration options that are relevant to both Mbed TLS and TF-PSA-Crypto +like platform or system ones are moved to (tf_psa_)crypto_config.h. That way +they are available in both repositories (as Mbed TLS includes +tf_psa_crypto_config.h) without duplication. Later, we may duplicate or create +aliases for some of them to align with the naming conventions of the +repositories. -Given the objectives and requirements on tf_psa_crypto_config.h above, the -Mbed TLS configuration with mbedtls_config.h and tf_psa_crypto_config.h can be -seen as an extension of the so called PSA cryptographic configuration scheme -based on mbedtls_config.h and crypto_config.h. The configuration file -crypto_config.h is extended to become the TF-PSA-Crypto configuration file, -mbedtls_config.h mainly becomes the configuration file for the TLS and x509 -libraries. +The layout of options into sections in mbedtls_config.h does not suit +TF-PSA-Crypto well thus the configuration options tf_psa_crypto_config.h are +organized into different sections (see below). + +## Configuration files and config.py + +Each repository contains a config.py script to create and modify configurations. + +In Mbed TLS, config.py handles both mbedtls_config.h and +tf_psa_crypto_config.h. It can set or unset TLS, x509 and cryptographic +configuration options without having to specify the configuration file the +options belong to. Commands like full and baremetal affect both configuration +files. + +In TF-PSA-Crypto, config.py addresses only tf_psa_crypto_config.h. ## Sections in tf_psa_crypto_config.h From 075c742cb0e6e66c36ad20248535b8aa091bd1ad Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 9 Sep 2024 15:43:38 +0200 Subject: [PATCH 15/32] Add backticks around file names Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 61 ++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 29 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 88845fd039..39cf7fd013 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -10,56 +10,59 @@ The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones. Mbed TLS relies solely on the TF-PSA-Crypto build system to build its cryptography library and its tests. -The TF-PSA-Crypto configuration file tf_psa_crypto_config.h configures +The TF-PSA-Crypto configuration file `tf_psa_crypto_config.h` configures entirely the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto. -Mbed TLS configuration is splitted in two files: mbedtls_config.h for TLS and -x509, tf_psa_crypto_config.h for the cryptography. +Mbed TLS configuration is splitted in two files: `mbedtls_config.h` for TLS and +x509, `tf_psa_crypto_config.h` for the cryptography. ## How do we split the configuration file? We extend the so called PSA cryptographic configuration scheme based on -mbedtls_config.h and crypto_config.h. The configuration file crypto_config.h is -extended to become the TF-PSA-Crypto configuration file, mbedtls_config.h +`mbedtls_config.h` and `crypto_config.h`. The configuration file `crypto_config.h` +is extended to become the TF-PSA-Crypto configuration file, `mbedtls_config.h` becomes the configuration file for the TLS and x509 libraries. All the options to select the cryptographic mechanisms and to configure their implementation -are moved from mbedtls_config.h to (tf_psa_)crypto_config.h. +are moved from `mbedtls_config.h` to `(tf_psa_)crypto_config.h`. The configuration options that are relevant to both Mbed TLS and TF-PSA-Crypto -like platform or system ones are moved to (tf_psa_)crypto_config.h. That way +like platform or system ones are moved to `(tf_psa_)crypto_config.h`. That way they are available in both repositories (as Mbed TLS includes -tf_psa_crypto_config.h) without duplication. Later, we may duplicate or create -aliases for some of them to align with the naming conventions of the +`tf_psa_crypto_config.h`) without duplication. Later, we may duplicate or +create aliases for some of them to align with the naming conventions of the repositories. -The layout of options into sections in mbedtls_config.h does not suit -TF-PSA-Crypto well thus the configuration options tf_psa_crypto_config.h are +The layout of options into sections in `mbedtls_config.h` does not suit +TF-PSA-Crypto well thus the configuration options `tf_psa_crypto_config.h` are organized into different sections (see below). -## Configuration files and config.py +## Configuration files and `config.py` -Each repository contains a config.py script to create and modify configurations. +Each repository contains a `config.py` script to create and modify +configurations. -In Mbed TLS, config.py handles both mbedtls_config.h and -tf_psa_crypto_config.h. It can set or unset TLS, x509 and cryptographic +In Mbed TLS, `config.py` handles both `mbedtls_config.h` and +`tf_psa_crypto_config.h`. It can set or unset TLS, x509 and cryptographic configuration options without having to specify the configuration file the options belong to. Commands like full and baremetal affect both configuration files. -In TF-PSA-Crypto, config.py addresses only tf_psa_crypto_config.h. +In TF-PSA-Crypto, `config.py` addresses only `tf_psa_crypto_config.h`. -## Sections in tf_psa_crypto_config.h +## Sections in `tf_psa_crypto_config.h` -The tf_psa_crypto_config.h configuration file is organized into eight sections. +The `tf_psa_crypto_config.h` configuration file is organized into eight +sections. -The pre-split mbedtls_config.h configuration files contains configuration +The pre-split `mbedtls_config.h` configuration file contains configuration options that apply to the whole code base (TLS, x509, crypto and tests) mostly -related to the platform abstraction layer and testing. In tf_psa_crypto_config.h -these configurations options are organized into two sections, one for the -platform abstraction layer options and one for the others, respectively named -"Platform abstraction layer" and "General and test configuration options". +related to the platform abstraction layer and testing. In +`tf_psa_crypto_config.h` these configurations options are organized into two +sections, one for the platform abstraction layer options and one for the others, +respectively named "Platform abstraction layer" and +"General and test configuration options". Then, the "Cryptographic mechanism selection (PSA API)" section is the -equivalent of the pre-split crypto_config.h configuration file containing the +equivalent of the pre-split `crypto_config.h` configuration file containing the PSA_WANT_ prefixed macros. The following section named "Cryptographic mechanism selection (extended API)" @@ -74,14 +77,14 @@ cryptography projects. Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located in a single directory but split between the PSA core (core directory) and the PSA builtin drivers (drivers/builtin/src directory). This is reflected in -tf_psa_crypto_config.h with two sections respectively named "PSA core" and +`tf_psa_crypto_config.h` with two sections respectively named "PSA core" and "Builtin drivers". Finally, the last section named "Legacy cryptography" contains the configuration options that will eventually be removed as duplicates of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options. -By contrast to mbedtls_config.h, tf_psa_crypto_config.h does not contain a +By contrast to `mbedtls_config.h`, `tf_psa_crypto_config.h` does not contain a section like the "Module configuration options" one containing non boolean configuration options. The configuration options that are not boolean are located in the same section as the boolean option they are associated to. @@ -90,7 +93,7 @@ Open question: do we group them into a subsection? ## Repartition of the configuration options -### In tf_psa_crypto_config.h, we have: +### In `tf_psa_crypto_config.h`, we have: * SECTION "Platform abstraction layer" #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE @@ -162,7 +165,7 @@ Open question: do we group them into a subsection? //#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) * SECTION "Cryptographic mechanism selection (PSA API)" -PSA_WANT_\* macros as in current crypto_config.h. +PSA_WANT_\* macros as in current `crypto_config.h`. * SECTION "Cryptographic mechanism selection (extended API)" @@ -321,7 +324,7 @@ PSA_WANT_\* macros as in current crypto_config.h. #define MBEDTLS_SHA3_C -### In mbedtls_config.h, we have: +### In `mbedtls_config.h`, we have: * SECTION "Platform abstraction layer" #define MBEDTLS_NET_C From 2589ee39528816547750f7f6d0130f15b0b7869c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 9 Sep 2024 16:22:56 +0200 Subject: [PATCH 16/32] Move CIPHER, DRBG and TIME options Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 39cf7fd013..0119fae85e 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -118,8 +118,6 @@ Open question: do we group them into a subsection? //#define MBEDTLS_THREADING_PTHREAD #define MBEDTLS_PLATFORM_C //#define MBEDTLS_THREADING_C -#define MBEDTLS_TIMING_C -//#define MBEDTLS_TIMING_ALT //#define MBEDTLS_PLATFORM_STD_MEM_HDR //#define MBEDTLS_PLATFORM_STD_CALLOC calloc //#define MBEDTLS_PLATFORM_STD_FREE free @@ -169,10 +167,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`. * SECTION "Cryptographic mechanism selection (extended API)" -#define MBEDTLS_CIPHER_C -//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY -#define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_LMS_C //#define MBEDTLS_LMS_PRIVATE #define MBEDTLS_MD_C @@ -267,6 +261,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. * SECTION "Legacy cryptography" +#define MBEDTLS_CIPHER_C #define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_CIPHER_MODE_CFB #define MBEDTLS_CIPHER_MODE_CTR @@ -276,6 +271,8 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN #define MBEDTLS_CIPHER_PADDING_ZEROS +//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +#define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ECP_DP_SECP192R1_ENABLED #define MBEDTLS_ECP_DP_SECP224R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED @@ -291,6 +288,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_ECP_DP_CURVE448_ENABLED #define MBEDTLS_ECDSA_DETERMINISTIC #define MBEDTLS_GENPRIME +#define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_PKCS1_V15 #define MBEDTLS_PKCS1_V21 //#define MBEDTLS_PSA_CRYPTO_CONFIG @@ -327,6 +325,8 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ### In `mbedtls_config.h`, we have: * SECTION "Platform abstraction layer" #define MBEDTLS_NET_C +#define MBEDTLS_TIMING_C +//#define MBEDTLS_TIMING_ALT * SECTION "Mbed TLS feature support" From f50ae4273fc0e6aef62bba194824a21eed207201 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 9 Sep 2024 16:04:23 +0200 Subject: [PATCH 17/32] Sort macros alphabetically in sections Do not mix boolean and non boolean options though. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 231 +++++++++++++++++----------------- 1 file changed, 117 insertions(+), 114 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 0119fae85e..59822d2047 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -95,65 +95,66 @@ Open question: do we group them into a subsection? ### In `tf_psa_crypto_config.h`, we have: * SECTION "Platform abstraction layer" +#define MBEDTLS_FS_IO #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE -//#define MBEDTLS_PLATFORM_MEMORY -//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -//#define MBEDTLS_PLATFORM_SETBUF_ALT -//#define MBEDTLS_PLATFORM_EXIT_ALT -//#define MBEDTLS_PLATFORM_TIME_ALT -//#define MBEDTLS_PLATFORM_FPRINTF_ALT -//#define MBEDTLS_PLATFORM_PRINTF_ALT -//#define MBEDTLS_PLATFORM_SNPRINTF_ALT -//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT -//#define MBEDTLS_PLATFORM_NV_SEED_ALT -//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT -//#define MBEDTLS_PLATFORM_MS_TIME_ALT -//#define MBEDTLS_PLATFORM_GMTIME_R_ALT -//#define MBEDTLS_PLATFORM_ZEROIZE_ALT -#define MBEDTLS_FS_IO //#define MBEDTLS_MEMORY_DEBUG //#define MBEDTLS_MEMORY_BACKTRACE +#define MBEDTLS_PLATFORM_C +//#define MBEDTLS_PLATFORM_EXIT_ALT +//#define MBEDTLS_PLATFORM_FPRINTF_ALT +//#define MBEDTLS_PLATFORM_GMTIME_R_ALT +//#define MBEDTLS_PLATFORM_MEMORY +//#define MBEDTLS_PLATFORM_MS_TIME_ALT +//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +//#define MBEDTLS_PLATFORM_NV_SEED_ALT +//#define MBEDTLS_PLATFORM_PRINTF_ALT +//#define MBEDTLS_PLATFORM_SETBUF_ALT +//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT +//#define MBEDTLS_PLATFORM_SNPRINTF_ALT +//#define MBEDTLS_PLATFORM_TIME_ALT +//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT +//#define MBEDTLS_PLATFORM_ZEROIZE_ALT //#define MBEDTLS_THREADING_ALT //#define MBEDTLS_THREADING_PTHREAD -#define MBEDTLS_PLATFORM_C //#define MBEDTLS_THREADING_C -//#define MBEDTLS_PLATFORM_STD_MEM_HDR -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc -//#define MBEDTLS_PLATFORM_STD_FREE free -//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf -//#define MBEDTLS_PLATFORM_STD_EXIT exit -//#define MBEDTLS_PLATFORM_STD_TIME time -//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf -//#define MBEDTLS_PLATFORM_STD_PRINTF printf -//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf -//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 -//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 -//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read -//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write -//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" + +//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc -//#define MBEDTLS_PLATFORM_FREE_MACRO free //#define MBEDTLS_PLATFORM_EXIT_MACRO exit -//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf -//#define MBEDTLS_PLATFORM_TIME_MACRO time -//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t +//#define MBEDTLS_PLATFORM_FREE_MACRO free //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf -//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf -//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf -//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf -//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read -//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write //#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t //#define MBEDTLS_PRINTF_MS_TIME PRId64 -//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 +//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read +//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write +//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf +//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc +//#define MBEDTLS_PLATFORM_STD_EXIT exit +//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 +//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 +//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf +//#define MBEDTLS_PLATFORM_STD_FREE free +//#define MBEDTLS_PLATFORM_STD_MEM_HDR +//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" +//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read +//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write +//#define MBEDTLS_PLATFORM_STD_PRINTF printf +//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf +//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf +//#define MBEDTLS_PLATFORM_STD_TIME time +//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +//#define MBEDTLS_PLATFORM_TIME_MACRO time +//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t +//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf * SECTION "General and test configuration options" +//#define MBEDTLS_CHECK_RETURN_WARNING +//#define MBEDTLS_DEPRECATED_REMOVED +//#define MBEDTLS_DEPRECATED_WARNING //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" -//#define MBEDTLS_DEPRECATED_WARNING -//#define MBEDTLS_DEPRECATED_REMOVED -//#define MBEDTLS_CHECK_RETURN_WARNING #define MBEDTLS_SELF_TEST //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN //#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND @@ -171,25 +172,25 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_LMS_PRIVATE #define MBEDTLS_MD_C #define MBEDTLS_NIST_KW_C +#define MBEDTLS_PK_C +#define MBEDTLS_PKCS5_C +#define MBEDTLS_PKCS12_C +#define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_PARSE_EC_EXTENDED #define MBEDTLS_PK_PARSE_EC_COMPRESSED #define MBEDTLS_PK_RSA_ALT_SUPPORT -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_WRITE_C -#define MBEDTLS_PKCS5_C -#define MBEDTLS_PKCS12_C -//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 -//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 -//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 +//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 +//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 * SECTION "Data format support" @@ -202,65 +203,74 @@ PSA_WANT_\* macros as in current `crypto_config.h`. * SECTION "PSA core" +#define MBEDTLS_ENTROPY_C +//#define MBEDTLS_ENTROPY_FORCE_SHA256 //#define MBEDTLS_ENTROPY_HARDWARE_ALT +//#define MBEDTLS_ENTROPY_NV_SEED //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES //#define MBEDTLS_NO_PLATFORM_ENTROPY -//#define MBEDTLS_ENTROPY_FORCE_SHA256 -//#define MBEDTLS_ENTROPY_NV_SEED -//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER -//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS #define MBEDTLS_PSA_CRYPTO_C +//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS //#define MBEDTLS_PSA_CRYPTO_CLIENT //#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER //#define MBEDTLS_PSA_CRYPTO_SPM -//#define MBEDTLS_PSA_INJECT_ENTROPY -//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_STORAGE_C +//#define MBEDTLS_PSA_INJECT_ENTROPY #define MBEDTLS_PSA_ITS_FILE_C -//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" -//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" -//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 + //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 +//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" +//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" +//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 * SECTION "Builtin drivers" -#define MBEDTLS_HAVE_ASM -//#define MBEDTLS_NO_UDBL_DIVISION -//#define MBEDTLS_NO_64BIT_MULTIPLICATION -//#define MBEDTLS_HAVE_SSE2 #define MBEDTLS_AESNI_C #define MBEDTLS_AESCE_C //#define MBEDTLS_AES_ROM_TABLES //#define MBEDTLS_AES_FEWER_TABLES //#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH //#define MBEDTLS_AES_USE_HARDWARE_ONLY +//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT //#define MBEDTLS_CAMELLIA_SMALL_MEMORY //#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED #define MBEDTLS_ECP_NIST_OPTIM //#define MBEDTLS_ECP_RESTARTABLE //#define MBEDTLS_ECP_WITH_MPI_UINT -//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED -//#define MBEDTLS_SHA256_SMALLER -//#define MBEDTLS_SHA512_SMALLER -//#define MBEDTLS_RSA_NO_CRT -//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT //#define MBEDTLS_GCM_LARGE_TABLE +#define MBEDTLS_HAVE_ASM +//#define MBEDTLS_HAVE_SSE2 +//#define MBEDTLS_NO_UDBL_DIVISION +//#define MBEDTLS_NO_64BIT_MULTIPLICATION +//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED +//#define MBEDTLS_RSA_NO_CRT +//#define MBEDTLS_SHA256_SMALLER //#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT //#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT //#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY //#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_SHA512_SMALLER //#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT //#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY -//#define MBEDTLS_MPI_WINDOW_SIZE 2 -//#define MBEDTLS_MPI_MAX_SIZE 1024 -//#define MBEDTLS_ECP_WINDOW_SIZE 4 + //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 +//#define MBEDTLS_ECP_WINDOW_SIZE 4 +//#define MBEDTLS_MPI_MAX_SIZE 1024 +//#define MBEDTLS_MPI_WINDOW_SIZE 2 //#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 * SECTION "Legacy cryptography" +#define MBEDTLS_AES_C +#define MBEDTLS_ARIA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CAMELLIA_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CHACHA20_C +#define MBEDTLS_CHACHAPOLY_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_CIPHER_MODE_CFB @@ -271,8 +281,13 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN #define MBEDTLS_CIPHER_PADDING_ZEROS -//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +#define MBEDTLS_CMAC_C #define MBEDTLS_CTR_DRBG_C +//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +#define MBEDTLS_DES_C +#define MBEDTLS_DHM_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECP_C #define MBEDTLS_ECP_DP_SECP192R1_ENABLED #define MBEDTLS_ECP_DP_SECP224R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED @@ -286,31 +301,19 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_ECP_DP_BP512R1_ENABLED #define MBEDTLS_ECP_DP_CURVE25519_ENABLED #define MBEDTLS_ECP_DP_CURVE448_ENABLED -#define MBEDTLS_ECDSA_DETERMINISTIC -#define MBEDTLS_GENPRIME -#define MBEDTLS_HMAC_DRBG_C -#define MBEDTLS_PKCS1_V15 -#define MBEDTLS_PKCS1_V21 -//#define MBEDTLS_PSA_CRYPTO_CONFIG -#define MBEDTLS_AES_C -#define MBEDTLS_BIGNUM_C -#define MBEDTLS_CAMELLIA_C -#define MBEDTLS_ARIA_C -#define MBEDTLS_CCM_C -#define MBEDTLS_CHACHA20_C -#define MBEDTLS_CHACHAPOLY_C -#define MBEDTLS_CMAC_C -#define MBEDTLS_DES_C -#define MBEDTLS_DHM_C -#define MBEDTLS_ECDH_C #define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDSA_DETERMINISTIC #define MBEDTLS_ECJPAKE_C -#define MBEDTLS_ECP_C #define MBEDTLS_GCM_C +#define MBEDTLS_GENPRIME #define MBEDTLS_HKDF_C +#define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD5_C #define MBEDTLS_PADLOCK_C +#define MBEDTLS_PKCS1_V15 +#define MBEDTLS_PKCS1_V21 #define MBEDTLS_POLY1305_C +//#define MBEDTLS_PSA_CRYPTO_CONFIG //#define MBEDTLS_PSA_CRYPTO_SE_C #define MBEDTLS_RIPEMD160_C #define MBEDTLS_RSA_C @@ -331,6 +334,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. * SECTION "Mbed TLS feature support" //#define MBEDTLS_CIPHER_NULL_CIPHER +#define MBEDTLS_ERROR_STRERROR_DUMMY #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED @@ -342,34 +346,33 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -#define MBEDTLS_ERROR_STRERROR_DUMMY #define MBEDTLS_SSL_ALL_ALERT_MESSAGES -#define MBEDTLS_SSL_DTLS_CONNECTION_ID -#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +#define MBEDTLS_SSL_ALPN //#define MBEDTLS_SSL_ASYNC_PRIVATE #define MBEDTLS_SSL_CONTEXT_SERIALIZATION //#define MBEDTLS_SSL_DEBUG_ALL +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +//#define MBEDTLS_SSL_DTLS_SRTP #define MBEDTLS_SSL_ENCRYPT_THEN_MAC +//#define MBEDTLS_SSL_EARLY_DATA #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -#define MBEDTLS_SSL_RENEGOTIATION #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#define MBEDTLS_SSL_RENEGOTIATION +#define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_PROTO_TLS1_3 #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -//#define MBEDTLS_SSL_EARLY_DATA -#define MBEDTLS_SSL_PROTO_DTLS -#define MBEDTLS_SSL_ALPN -#define MBEDTLS_SSL_DTLS_ANTI_REPLAY -#define MBEDTLS_SSL_DTLS_HELLO_VERIFY -//#define MBEDTLS_SSL_DTLS_SRTP -#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE -#define MBEDTLS_SSL_SESSION_TICKETS #define MBEDTLS_SSL_SERVER_NAME_INDICATION +#define MBEDTLS_SSL_SESSION_TICKETS //#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH //#define MBEDTLS_USE_PSA_CRYPTO #define MBEDTLS_VERSION_C @@ -385,17 +388,17 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_PKCS7_C #define MBEDTLS_SSL_CACHE_C #define MBEDTLS_SSL_COOKIE_C -#define MBEDTLS_SSL_TICKET_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C +#define MBEDTLS_SSL_TICKET_C #define MBEDTLS_SSL_TLS_C -#define MBEDTLS_X509_USE_C -#define MBEDTLS_X509_CRT_PARSE_C -#define MBEDTLS_X509_CRL_PARSE_C -#define MBEDTLS_X509_CSR_PARSE_C #define MBEDTLS_X509_CREATE_C +#define MBEDTLS_X509_CRL_PARSE_C +#define MBEDTLS_X509_CRT_PARSE_C #define MBEDTLS_X509_CRT_WRITE_C +#define MBEDTLS_X509_CSR_PARSE_C #define MBEDTLS_X509_CSR_WRITE_C +#define MBEDTLS_X509_USE_C * SECTION "General configuration options" @@ -406,18 +409,18 @@ PSA_WANT_\* macros as in current `crypto_config.h`. * SECTION "Module configuration options" //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 -//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 +//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 //#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 //#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 //#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 -//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 -//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 -//#define MBEDTLS_PSK_MAX_LEN 32 -//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 -//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 //#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 +//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 //#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 //#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 //#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 +//#define MBEDTLS_PSK_MAX_LEN 32 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 From a5a46d03222306b1ff21457efe75e842cd681060 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 10 Sep 2024 09:40:59 +0200 Subject: [PATCH 18/32] Fix md rendering Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 50 ++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 59822d2047..c925de6063 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -94,7 +94,8 @@ Open question: do we group them into a subsection? ## Repartition of the configuration options ### In `tf_psa_crypto_config.h`, we have: -* SECTION "Platform abstraction layer" +#### SECTION "Platform abstraction layer" +``` #define MBEDTLS_FS_IO #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE @@ -148,8 +149,10 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PLATFORM_TIME_MACRO time //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t //#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf +``` -* SECTION "General and test configuration options" +#### SECTION "General and test configuration options" +``` //#define MBEDTLS_CHECK_RETURN_WARNING //#define MBEDTLS_DEPRECATED_REMOVED //#define MBEDTLS_DEPRECATED_WARNING @@ -162,12 +165,14 @@ Open question: do we group them into a subsection? //#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) //#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) +``` -* SECTION "Cryptographic mechanism selection (PSA API)" +#### SECTION "Cryptographic mechanism selection (PSA API)" PSA_WANT_\* macros as in current `crypto_config.h`. -* SECTION "Cryptographic mechanism selection (extended API)" +#### SECTION "Cryptographic mechanism selection (extended API)" +``` #define MBEDTLS_LMS_C //#define MBEDTLS_LMS_PRIVATE #define MBEDTLS_MD_C @@ -191,18 +196,22 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 +``` -* SECTION "Data format support" +#### SECTION "Data format support" +``` #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BASE64_C #define MBEDTLS_OID_C #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PEM_WRITE_C +``` -* SECTION "PSA core" +#### SECTION "PSA core" +``` #define MBEDTLS_ENTROPY_C //#define MBEDTLS_ENTROPY_FORCE_SHA256 //#define MBEDTLS_ENTROPY_HARDWARE_ALT @@ -226,8 +235,10 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" //#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 +``` -* SECTION "Builtin drivers" +#### SECTION "Builtin drivers" +``` #define MBEDTLS_AESNI_C #define MBEDTLS_AESCE_C //#define MBEDTLS_AES_ROM_TABLES @@ -261,9 +272,11 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_MPI_MAX_SIZE 1024 //#define MBEDTLS_MPI_WINDOW_SIZE 2 //#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 +``` -* SECTION "Legacy cryptography" +#### SECTION "Legacy cryptography" +``` #define MBEDTLS_AES_C #define MBEDTLS_ARIA_C #define MBEDTLS_BIGNUM_C @@ -323,16 +336,20 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_SHA384_C #define MBEDTLS_SHA512_C #define MBEDTLS_SHA3_C +``` ### In `mbedtls_config.h`, we have: -* SECTION "Platform abstraction layer" +#### SECTION "Platform abstraction layer" +``` #define MBEDTLS_NET_C #define MBEDTLS_TIMING_C //#define MBEDTLS_TIMING_ALT +``` -* SECTION "Mbed TLS feature support" +#### SECTION "Mbed TLS feature support" +``` //#define MBEDTLS_CIPHER_NULL_CIPHER #define MBEDTLS_ERROR_STRERROR_DUMMY #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED @@ -380,9 +397,11 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK //#define MBEDTLS_X509_REMOVE_INFO #define MBEDTLS_X509_RSASSA_PSS_SUPPORT +``` -* SECTION "Mbed TLS modules" +#### SECTION "Mbed TLS modules" +``` #define MBEDTLS_DEBUG_C #define MBEDTLS_ERROR_C #define MBEDTLS_PKCS7_C @@ -399,14 +418,18 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_X509_CSR_PARSE_C #define MBEDTLS_X509_CSR_WRITE_C #define MBEDTLS_X509_USE_C +``` -* SECTION "General configuration options" +#### SECTION "General configuration options" +``` //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" +``` -* SECTION "Module configuration options" +#### SECTION "Module configuration options" +``` //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 @@ -424,3 +447,4 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_PSK_MAX_LEN 32 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 +``` From 4162c3a24aaf002d918ca17d2766e40df8984266 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 19 Sep 2024 11:05:56 +0200 Subject: [PATCH 19/32] Fix/Improve wording Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index c925de6063..4ec6aec922 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -1,10 +1,10 @@ Configuration file split ======================== -## Why splitting the configuration file? +## Why split the configuration file? The objective of the repository split is to reach the point where in Mbed TLS -all the cryptography code and its tests are located in a tf-psa-crypto +all the cryptography code and its tests are located in a `tf-psa-crypto` directory that just contains the TF-PSA-Crypto repository as a submodule. The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones. Mbed TLS relies solely on the TF-PSA-Crypto build system to build its @@ -12,12 +12,12 @@ cryptography library and its tests. The TF-PSA-Crypto configuration file `tf_psa_crypto_config.h` configures entirely the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto. -Mbed TLS configuration is splitted in two files: `mbedtls_config.h` for TLS and +Mbed TLS configuration is split in two files: `mbedtls_config.h` for TLS and x509, `tf_psa_crypto_config.h` for the cryptography. ## How do we split the configuration file? -We extend the so called PSA cryptographic configuration scheme based on +We extend the so-called PSA cryptographic configuration scheme based on `mbedtls_config.h` and `crypto_config.h`. The configuration file `crypto_config.h` is extended to become the TF-PSA-Crypto configuration file, `mbedtls_config.h` becomes the configuration file for the TLS and x509 libraries. All the options @@ -70,7 +70,7 @@ contains the configuration options for the cryptography mechanisms that are not yet part of the PSA cryptography API (like LMS or PK). It is followed by the "Data format support" section that contains configuration -options of utilities related to various data formats (like base64 or ASN1 APIs). +options of utilities related to various data formats (like Base64 or ASN.1 APIs). These utilities aim to facilitate the usage of the PSA cryptography API in other cryptography projects. From 294b5e06b1278b3f5ea782228588a9359b80eb78 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 10:04:31 +0200 Subject: [PATCH 20/32] Improve alphabetic ordering in sections Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 94 +++++++++++++++++------------------ 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 4ec6aec922..84081a8d3f 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -99,8 +99,8 @@ Open question: do we group them into a subsection? #define MBEDTLS_FS_IO #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE -//#define MBEDTLS_MEMORY_DEBUG //#define MBEDTLS_MEMORY_BACKTRACE +//#define MBEDTLS_MEMORY_DEBUG #define MBEDTLS_PLATFORM_C //#define MBEDTLS_PLATFORM_EXIT_ALT //#define MBEDTLS_PLATFORM_FPRINTF_ALT @@ -117,8 +117,8 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PLATFORM_VSNPRINTF_ALT //#define MBEDTLS_PLATFORM_ZEROIZE_ALT //#define MBEDTLS_THREADING_ALT -//#define MBEDTLS_THREADING_PTHREAD //#define MBEDTLS_THREADING_C +//#define MBEDTLS_THREADING_PTHREAD //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc @@ -126,11 +126,11 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PLATFORM_FREE_MACRO free //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf //#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t -//#define MBEDTLS_PRINTF_MS_TIME PRId64 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf //#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf +//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf //#define MBEDTLS_PLATFORM_STD_CALLOC calloc //#define MBEDTLS_PLATFORM_STD_EXIT exit //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 @@ -145,10 +145,10 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf //#define MBEDTLS_PLATFORM_STD_TIME time -//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf //#define MBEDTLS_PLATFORM_TIME_MACRO time //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t //#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf +//#define MBEDTLS_PRINTF_MS_TIME PRId64 ``` #### SECTION "General and test configuration options" @@ -156,8 +156,6 @@ Open question: do we group them into a subsection? //#define MBEDTLS_CHECK_RETURN_WARNING //#define MBEDTLS_DEPRECATED_REMOVED //#define MBEDTLS_DEPRECATED_WARNING -//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" -//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" #define MBEDTLS_SELF_TEST //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN //#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND @@ -165,6 +163,8 @@ Open question: do we group them into a subsection? //#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) //#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) +//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" +//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" ``` #### SECTION "Cryptographic mechanism selection (PSA API)" @@ -177,12 +177,12 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_LMS_PRIVATE #define MBEDTLS_MD_C #define MBEDTLS_NIST_KW_C -#define MBEDTLS_PK_C #define MBEDTLS_PKCS5_C #define MBEDTLS_PKCS12_C +#define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PK_PARSE_EC_EXTENDED #define MBEDTLS_PK_PARSE_EC_COMPRESSED +#define MBEDTLS_PK_PARSE_EC_EXTENDED #define MBEDTLS_PK_RSA_ALT_SUPPORT #define MBEDTLS_PK_WRITE_C @@ -218,9 +218,9 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_ENTROPY_NV_SEED //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES //#define MBEDTLS_NO_PLATFORM_ENTROPY -#define MBEDTLS_PSA_CRYPTO_C //#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS //#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS +#define MBEDTLS_PSA_CRYPTO_C //#define MBEDTLS_PSA_CRYPTO_CLIENT //#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG //#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER @@ -229,8 +229,8 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_PSA_INJECT_ENTROPY #define MBEDTLS_PSA_ITS_FILE_C -//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 +//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 //#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" //#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" @@ -239,11 +239,11 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION "Builtin drivers" ``` -#define MBEDTLS_AESNI_C #define MBEDTLS_AESCE_C -//#define MBEDTLS_AES_ROM_TABLES +#define MBEDTLS_AESNI_C //#define MBEDTLS_AES_FEWER_TABLES //#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +//#define MBEDTLS_AES_ROM_TABLES //#define MBEDTLS_AES_USE_HARDWARE_ONLY //#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT //#define MBEDTLS_CAMELLIA_SMALL_MEMORY @@ -259,10 +259,10 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_PSA_P256M_DRIVER_ENABLED //#define MBEDTLS_RSA_NO_CRT //#define MBEDTLS_SHA256_SMALLER -//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT //#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT -//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY //#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY //#define MBEDTLS_SHA512_SMALLER //#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT //#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY @@ -290,10 +290,10 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_CIPHER_MODE_CTR #define MBEDTLS_CIPHER_MODE_OFB #define MBEDTLS_CIPHER_MODE_XTS -#define MBEDTLS_CIPHER_PADDING_PKCS7 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS -#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +#define MBEDTLS_CIPHER_PADDING_PKCS7 #define MBEDTLS_CIPHER_PADDING_ZEROS +#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN #define MBEDTLS_CMAC_C #define MBEDTLS_CTR_DRBG_C //#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY @@ -301,19 +301,19 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_DHM_C #define MBEDTLS_ECDH_C #define MBEDTLS_ECP_C -#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_DP_SECP384R1_ENABLED -#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -#define MBEDTLS_ECP_DP_SECP256K1_ENABLED #define MBEDTLS_ECP_DP_BP256R1_ENABLED #define MBEDTLS_ECP_DP_BP384R1_ENABLED #define MBEDTLS_ECP_DP_BP512R1_ENABLED #define MBEDTLS_ECP_DP_CURVE25519_ENABLED #define MBEDTLS_ECP_DP_CURVE448_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED #define MBEDTLS_ECDSA_C #define MBEDTLS_ECDSA_DETERMINISTIC #define MBEDTLS_ECJPAKE_C @@ -334,8 +334,8 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_SHA224_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA384_C -#define MBEDTLS_SHA512_C #define MBEDTLS_SHA3_C +#define MBEDTLS_SHA512_C ``` @@ -343,8 +343,8 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION "Platform abstraction layer" ``` #define MBEDTLS_NET_C -#define MBEDTLS_TIMING_C //#define MBEDTLS_TIMING_ALT +#define MBEDTLS_TIMING_C ``` @@ -352,17 +352,17 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` //#define MBEDTLS_CIPHER_NULL_CIPHER #define MBEDTLS_ERROR_STRERROR_DUMMY -#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED #define MBEDTLS_SSL_ALL_ALERT_MESSAGES #define MBEDTLS_SSL_ALPN //#define MBEDTLS_SSL_ASYNC_PRIVATE @@ -374,29 +374,29 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY //#define MBEDTLS_SSL_DTLS_SRTP -#define MBEDTLS_SSL_ENCRYPT_THEN_MAC //#define MBEDTLS_SSL_EARLY_DATA +#define MBEDTLS_SSL_ENCRYPT_THEN_MAC #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT -#define MBEDTLS_SSL_RENEGOTIATION #define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_PROTO_TLS1_3 -#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#define MBEDTLS_SSL_RENEGOTIATION #define MBEDTLS_SSL_SERVER_NAME_INDICATION #define MBEDTLS_SSL_SESSION_TICKETS +#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED //#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH //#define MBEDTLS_USE_PSA_CRYPTO #define MBEDTLS_VERSION_C #define MBEDTLS_VERSION_FEATURES -//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK //#define MBEDTLS_X509_REMOVE_INFO #define MBEDTLS_X509_RSASSA_PSS_SUPPORT +//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK ``` @@ -406,8 +406,8 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_ERROR_C #define MBEDTLS_PKCS7_C #define MBEDTLS_SSL_CACHE_C -#define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TICKET_C #define MBEDTLS_SSL_TLS_C @@ -430,21 +430,21 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION "Module configuration options" ``` -//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 +//#define MBEDTLS_PSK_MAX_LEN 32 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 -//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 -//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 +//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 //#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 //#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 //#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 +//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 //#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 //#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 //#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 -//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 -//#define MBEDTLS_PSK_MAX_LEN 32 -//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 +//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 ``` From 2c152fdc4e308cdabd6b131dcb96aac3d8a86a4e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 10:30:59 +0200 Subject: [PATCH 21/32] Add links to section descriptions Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 57 ++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 84081a8d3f..da1a949d65 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -58,31 +58,32 @@ options that apply to the whole code base (TLS, x509, crypto and tests) mostly related to the platform abstraction layer and testing. In `tf_psa_crypto_config.h` these configurations options are organized into two sections, one for the platform abstraction layer options and one for the others, -respectively named "Platform abstraction layer" and -"General and test configuration options". +respectively named ["Platform abstraction layer"](#section-platform-abstraction-layer) +and ["General and test configuration options"](#section-general-and-test-configuration-options). -Then, the "Cryptographic mechanism selection (PSA API)" section is the -equivalent of the pre-split `crypto_config.h` configuration file containing the -PSA_WANT_ prefixed macros. +Then, the ["Cryptographic mechanism selection (PSA API)"](#section-cryptographic-mechanism-selection-PSA-API) +section is the equivalent of the pre-split `crypto_config.h` configuration file +containing the PSA_WANT_ prefixed macros. -The following section named "Cryptographic mechanism selection (extended API)" +The following section named +["Cryptographic mechanism selection (extended API)"](#section-cryptographic-mechanism-selection-extended-API) contains the configuration options for the cryptography mechanisms that are not yet part of the PSA cryptography API (like LMS or PK). -It is followed by the "Data format support" section that contains configuration -options of utilities related to various data formats (like Base64 or ASN.1 APIs). -These utilities aim to facilitate the usage of the PSA cryptography API in other -cryptography projects. +It is followed by the ["Data format support"](#section-data-format-support) +section that contains configuration options of utilities related to various data +formats (like Base64 or ASN.1 APIs). These utilities aim to facilitate the +usage of the PSA cryptography API in other cryptography projects. Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located in a single directory but split between the PSA core (core directory) and the PSA builtin drivers (drivers/builtin/src directory). This is reflected in -`tf_psa_crypto_config.h` with two sections respectively named "PSA core" and -"Builtin drivers". +`tf_psa_crypto_config.h` with two sections respectively named ["PSA core"](#section-psa-core) +and ["Builtin drivers"](#section-builtin-drivers). -Finally, the last section named "Legacy cryptography" contains the configuration -options that will eventually be removed as duplicates of PSA_WANT_\* and -MBEDTLS_PSA_ACCEL_\* configuration options. +Finally, the last section named ["Legacy cryptography"](#section-legacy-cryptography) +contains the configuration options that will eventually be removed as duplicates +of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options. By contrast to `mbedtls_config.h`, `tf_psa_crypto_config.h` does not contain a section like the "Module configuration options" one containing non boolean @@ -94,7 +95,7 @@ Open question: do we group them into a subsection? ## Repartition of the configuration options ### In `tf_psa_crypto_config.h`, we have: -#### SECTION "Platform abstraction layer" +#### SECTION Platform abstraction layer ``` #define MBEDTLS_FS_IO #define MBEDTLS_HAVE_TIME @@ -151,7 +152,7 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PRINTF_MS_TIME PRId64 ``` -#### SECTION "General and test configuration options" +#### SECTION General and test configuration options ``` //#define MBEDTLS_CHECK_RETURN_WARNING //#define MBEDTLS_DEPRECATED_REMOVED @@ -167,11 +168,11 @@ Open question: do we group them into a subsection? //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" ``` -#### SECTION "Cryptographic mechanism selection (PSA API)" +#### SECTION Cryptographic mechanism selection (PSA API) PSA_WANT_\* macros as in current `crypto_config.h`. -#### SECTION "Cryptographic mechanism selection (extended API)" +#### SECTION Cryptographic mechanism selection (extended API) ``` #define MBEDTLS_LMS_C //#define MBEDTLS_LMS_PRIVATE @@ -199,7 +200,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` -#### SECTION "Data format support" +#### SECTION Data format support ``` #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C @@ -210,7 +211,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` -#### SECTION "PSA core" +#### SECTION PSA core ``` #define MBEDTLS_ENTROPY_C //#define MBEDTLS_ENTROPY_FORCE_SHA256 @@ -237,7 +238,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 ``` -#### SECTION "Builtin drivers" +#### SECTION Builtin drivers ``` #define MBEDTLS_AESCE_C #define MBEDTLS_AESNI_C @@ -275,7 +276,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` -#### SECTION "Legacy cryptography" +#### SECTION Legacy cryptography ``` #define MBEDTLS_AES_C #define MBEDTLS_ARIA_C @@ -340,7 +341,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ### In `mbedtls_config.h`, we have: -#### SECTION "Platform abstraction layer" +#### SECTION Platform abstraction layer ``` #define MBEDTLS_NET_C //#define MBEDTLS_TIMING_ALT @@ -348,7 +349,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` -#### SECTION "Mbed TLS feature support" +#### SECTION Mbed TLS feature support ``` //#define MBEDTLS_CIPHER_NULL_CIPHER #define MBEDTLS_ERROR_STRERROR_DUMMY @@ -400,7 +401,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` -#### SECTION "Mbed TLS modules" +#### SECTION Mbed TLS modules ``` #define MBEDTLS_DEBUG_C #define MBEDTLS_ERROR_C @@ -421,14 +422,14 @@ PSA_WANT_\* macros as in current `crypto_config.h`. ``` -#### SECTION "General configuration options" +#### SECTION General configuration options ``` //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" ``` -#### SECTION "Module configuration options" +#### SECTION Module configuration options ``` //#define MBEDTLS_PSK_MAX_LEN 32 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 From 3c7b3be34eb7bee61aabc18eca3011edf943153c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 10:31:47 +0200 Subject: [PATCH 22/32] No subsection Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index da1a949d65..b26aa8470e 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -90,8 +90,6 @@ section like the "Module configuration options" one containing non boolean configuration options. The configuration options that are not boolean are located in the same section as the boolean option they are associated to. -Open question: do we group them into a subsection? - ## Repartition of the configuration options ### In `tf_psa_crypto_config.h`, we have: From b992bc8aa75015ad6de19297095d6482f10fe7d0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 10:45:13 +0200 Subject: [PATCH 23/32] Re-order mbedtls_config.h sections Re-order mbedtls_config.h sections for the order to be more aligned with the tf_psa_crypto_config.h one. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 98 +++++++++++++++++------------------ 1 file changed, 48 insertions(+), 50 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index b26aa8470e..91d889e220 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -346,6 +346,54 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_TIMING_C ``` +#### SECTION General configuration options +``` +//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" +//#define MBEDTLS_USER_CONFIG_FILE "/dev/null" +``` + +#### SECTION Mbed TLS modules +``` +#define MBEDTLS_DEBUG_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_PKCS7_C +#define MBEDTLS_SSL_CACHE_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_SRV_C +#define MBEDTLS_SSL_TICKET_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_X509_CREATE_C +#define MBEDTLS_X509_CRL_PARSE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRT_WRITE_C +#define MBEDTLS_X509_CSR_PARSE_C +#define MBEDTLS_X509_CSR_WRITE_C +#define MBEDTLS_X509_USE_C +``` + + +#### SECTION Module configuration options +``` +//#define MBEDTLS_PSK_MAX_LEN 32 +//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 +//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 +//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 +//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 +//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 +//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 +//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 +//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 +//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 +//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 +//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 +//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 +//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 +``` + #### SECTION Mbed TLS feature support ``` @@ -397,53 +445,3 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_X509_RSASSA_PSS_SUPPORT //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK ``` - - -#### SECTION Mbed TLS modules -``` -#define MBEDTLS_DEBUG_C -#define MBEDTLS_ERROR_C -#define MBEDTLS_PKCS7_C -#define MBEDTLS_SSL_CACHE_C -#define MBEDTLS_SSL_CLI_C -#define MBEDTLS_SSL_COOKIE_C -#define MBEDTLS_SSL_SRV_C -#define MBEDTLS_SSL_TICKET_C -#define MBEDTLS_SSL_TLS_C -#define MBEDTLS_X509_CREATE_C -#define MBEDTLS_X509_CRL_PARSE_C -#define MBEDTLS_X509_CRT_PARSE_C -#define MBEDTLS_X509_CRT_WRITE_C -#define MBEDTLS_X509_CSR_PARSE_C -#define MBEDTLS_X509_CSR_WRITE_C -#define MBEDTLS_X509_USE_C -``` - - -#### SECTION General configuration options -``` -//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" -//#define MBEDTLS_USER_CONFIG_FILE "/dev/null" -``` - - -#### SECTION Module configuration options -``` -//#define MBEDTLS_PSK_MAX_LEN 32 -//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 -//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 -//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 -//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 -//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 -//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 -//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 -//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 -//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 -//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 -//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 -//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 -//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 -//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 -//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 -``` From be352633ae83bbb6f99393c7cc6679f482a608cc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 10:55:25 +0200 Subject: [PATCH 24/32] Re-organize "Mbed TLS modules" and "Module configuration options" Re-organize "Mbed TLS modules" and "Module configuration options" into "X.509 feature selection" and "TLS feature selection" for better alignment with tf_psa_crypto_config.h. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 45 ++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 91d889e220..a76fa8e426 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -85,10 +85,17 @@ Finally, the last section named ["Legacy cryptography"](#section-legacy-cryptogr contains the configuration options that will eventually be removed as duplicates of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options. -By contrast to `mbedtls_config.h`, `tf_psa_crypto_config.h` does not contain a -section like the "Module configuration options" one containing non boolean -configuration options. The configuration options that are not boolean are -located in the same section as the boolean option they are associated to. +## Sections in `mbedtls_config.h` + +The sections in `mbedtls_config.h` are reorganized to be better aligned with +the ones in `tf_psa_crypto_config.h`. The main change is the reorganization +of the "Mbed TLS modules" and "Module configuration options" sections into +the ["TLS feature selection"](#section-tls-feature-selection) and +["X.509 feature selection"](#section-x.509-feature-selection) sections. That +way both configuration files do not have a section dedicated to non boolean +configuration options. The non boolean configuration options are located in the +same section as the boolean option they are associated to. + ## Repartition of the configuration options @@ -346,35 +353,25 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_TIMING_C ``` + #### SECTION General configuration options ``` //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" ``` -#### SECTION Mbed TLS modules + +#### SECTION TLS feature selection ``` #define MBEDTLS_DEBUG_C #define MBEDTLS_ERROR_C -#define MBEDTLS_PKCS7_C #define MBEDTLS_SSL_CACHE_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TICKET_C #define MBEDTLS_SSL_TLS_C -#define MBEDTLS_X509_CREATE_C -#define MBEDTLS_X509_CRL_PARSE_C -#define MBEDTLS_X509_CRT_PARSE_C -#define MBEDTLS_X509_CRT_WRITE_C -#define MBEDTLS_X509_CSR_PARSE_C -#define MBEDTLS_X509_CSR_WRITE_C -#define MBEDTLS_X509_USE_C -``` - -#### SECTION Module configuration options -``` //#define MBEDTLS_PSK_MAX_LEN 32 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 @@ -390,6 +387,20 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 //#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 //#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 +``` + + +#### SECTION X.509 feature selection +``` +#define MBEDTLS_PKCS7_C +#define MBEDTLS_X509_CREATE_C +#define MBEDTLS_X509_CRL_PARSE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRT_WRITE_C +#define MBEDTLS_X509_CSR_PARSE_C +#define MBEDTLS_X509_CSR_WRITE_C +#define MBEDTLS_X509_USE_C + //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 ``` From 89d8a27d00e6704d44f5387b91291286c266f0cf Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 16:08:27 +0200 Subject: [PATCH 25/32] Rework overview of section changes Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index a76fa8e426..6854bb342f 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -31,9 +31,17 @@ they are available in both repositories (as Mbed TLS includes create aliases for some of them to align with the naming conventions of the repositories. -The layout of options into sections in `mbedtls_config.h` does not suit -TF-PSA-Crypto well thus the configuration options `tf_psa_crypto_config.h` are -organized into different sections (see below). +The cryptographic configuration options in `tf_psa_crypto_config.h` are +organized into sections that are different from the ones in the pre-split +`mbedtls_config.h` (see below). This is first to take into account the +specifics of TF-PSA-Crypto, for example a specific section for the +configuration of builtin drivers. We also get rid of the grouping of non +boolean options into a dedicated section: related boolean and non boolean +configuration options are rather grouped together into the same section. + +Finally, for consistency, the sections in `mbedtls_config.h` are reorganized +to be better aligned with the `tf_psa_crypto_config.h` ones. + ## Configuration files and `config.py` From eb589f9b994f545aba83f3e8f2d9f7db70e617ef Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 27 Sep 2024 16:10:20 +0200 Subject: [PATCH 26/32] Rename MBEDTLS_PSA_CRYPTO_(USER_)CONFIG_FILE Rename MBEDTLS_PSA_CRYPTO_(USER_)CONFIG_FILE to TF_PSA_CRYPTO_(USER_)CONFIG_FILE as we rename crypto_config.h to tf_psa_crypto_config.h. Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 6854bb342f..40ebb50ccf 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -166,6 +166,11 @@ same section as the boolean option they are associated to. ``` #### SECTION General and test configuration options +Note: for consistency with the configuration file name change from +`crypto_config.h` to `tf_psa_crypto_config.h`, the configuration options +MBEDTLS_PSA_CRYPTO_CONFIG_FILE and MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE are +respectively renamed TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE. +These are the only configuration options renamed by this document. ``` //#define MBEDTLS_CHECK_RETURN_WARNING //#define MBEDTLS_DEPRECATED_REMOVED @@ -177,8 +182,8 @@ same section as the boolean option they are associated to. //#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) //#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result)) -//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" -//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" +//#define TF_PSA_CRYPTO_CONFIG_FILE "psa/tf_psa_crypto_config.h" +//#define TF_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" ``` #### SECTION Cryptographic mechanism selection (PSA API) From da4522c2b8dcd135c4e3c246ec7c6d7bd19371fc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 1 Oct 2024 12:56:43 +0200 Subject: [PATCH 27/32] Move MBEDTLS_ERROR_C to section "General configuration options" Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 40ebb50ccf..69a45b826c 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -369,6 +369,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION General configuration options ``` +#define MBEDTLS_ERROR_C //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" ``` @@ -377,7 +378,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION TLS feature selection ``` #define MBEDTLS_DEBUG_C -#define MBEDTLS_ERROR_C #define MBEDTLS_SSL_CACHE_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_COOKIE_C From e2b24d346145266a504cbe3e646c275ce2dcc201 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 1 Oct 2024 13:00:02 +0200 Subject: [PATCH 28/32] Move MBEDTLS_USE_PSA_CRYPTO to "Builtin drivers" section Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 69a45b826c..148b6a6050 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -285,6 +285,7 @@ PSA_WANT_\* macros as in current `crypto_config.h`. //#define MBEDTLS_SHA512_SMALLER //#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT //#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_USE_PSA_CRYPTO //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 //#define MBEDTLS_ECP_WINDOW_SIZE 4 @@ -462,7 +463,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED //#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -//#define MBEDTLS_USE_PSA_CRYPTO #define MBEDTLS_VERSION_C #define MBEDTLS_VERSION_FEATURES //#define MBEDTLS_X509_REMOVE_INFO From 5f64611f6b7a9d6f936c81ceb76fe1736318384f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 2 Oct 2024 13:58:26 +0200 Subject: [PATCH 29/32] Remove Mbed TLS feature support section Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 108 ++++++++++++++++------------------ 1 file changed, 52 insertions(+), 56 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index 148b6a6050..c81b3b2fb2 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -97,12 +97,12 @@ of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options. The sections in `mbedtls_config.h` are reorganized to be better aligned with the ones in `tf_psa_crypto_config.h`. The main change is the reorganization -of the "Mbed TLS modules" and "Module configuration options" sections into -the ["TLS feature selection"](#section-tls-feature-selection) and +of the "Mbed TLS modules", "Mbed TLS feature support" and +"Module configuration options" sections into the +["TLS feature selection"](#section-tls-feature-selection) and ["X.509 feature selection"](#section-x.509-feature-selection) sections. That -way both configuration files do not have a section dedicated to non boolean -configuration options. The non boolean configuration options are located in the -same section as the boolean option they are associated to. +way all TLS/x509 options are grouped into one section and there is no +section dedicated to non boolean configuration options anymore. ## Repartition of the configuration options @@ -371,6 +371,10 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION General configuration options ``` #define MBEDTLS_ERROR_C +#define MBEDTLS_ERROR_STRERROR_DUMMY +#define MBEDTLS_VERSION_C +#define MBEDTLS_VERSION_FEATURES + //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" ``` @@ -378,13 +382,53 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #### SECTION TLS feature selection ``` +//#define MBEDTLS_CIPHER_NULL_CIPHER #define MBEDTLS_DEBUG_C +#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +#define MBEDTLS_SSL_ALL_ALERT_MESSAGES +#define MBEDTLS_SSL_ALPN +//#define MBEDTLS_SSL_ASYNC_PRIVATE #define MBEDTLS_SSL_CACHE_C #define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_CONTEXT_SERIALIZATION #define MBEDTLS_SSL_COOKIE_C +//#define MBEDTLS_SSL_DEBUG_ALL +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +//#define MBEDTLS_SSL_DTLS_SRTP +//#define MBEDTLS_SSL_EARLY_DATA +#define MBEDTLS_SSL_ENCRYPT_THEN_MAC +#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_TLS1_3 +//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#define MBEDTLS_SSL_RENEGOTIATION +#define MBEDTLS_SSL_SERVER_NAME_INDICATION +#define MBEDTLS_SSL_SESSION_TICKETS #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TICKET_C +#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED #define MBEDTLS_SSL_TLS_C +//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH //#define MBEDTLS_PSK_MAX_LEN 32 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 @@ -413,59 +457,11 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_X509_CRT_WRITE_C #define MBEDTLS_X509_CSR_PARSE_C #define MBEDTLS_X509_CSR_WRITE_C +//#define MBEDTLS_X509_REMOVE_INFO +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT +//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK #define MBEDTLS_X509_USE_C //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 ``` - - -#### SECTION Mbed TLS feature support -``` -//#define MBEDTLS_CIPHER_NULL_CIPHER -#define MBEDTLS_ERROR_STRERROR_DUMMY -#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -#define MBEDTLS_SSL_ALL_ALERT_MESSAGES -#define MBEDTLS_SSL_ALPN -//#define MBEDTLS_SSL_ASYNC_PRIVATE -#define MBEDTLS_SSL_CONTEXT_SERIALIZATION -//#define MBEDTLS_SSL_DEBUG_ALL -#define MBEDTLS_SSL_DTLS_ANTI_REPLAY -#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE -#define MBEDTLS_SSL_DTLS_CONNECTION_ID -#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 -#define MBEDTLS_SSL_DTLS_HELLO_VERIFY -//#define MBEDTLS_SSL_DTLS_SRTP -//#define MBEDTLS_SSL_EARLY_DATA -#define MBEDTLS_SSL_ENCRYPT_THEN_MAC -#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET -#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -#define MBEDTLS_SSL_PROTO_DTLS -#define MBEDTLS_SSL_PROTO_TLS1_2 -#define MBEDTLS_SSL_PROTO_TLS1_3 -//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT -#define MBEDTLS_SSL_RENEGOTIATION -#define MBEDTLS_SSL_SERVER_NAME_INDICATION -#define MBEDTLS_SSL_SESSION_TICKETS -#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -#define MBEDTLS_VERSION_C -#define MBEDTLS_VERSION_FEATURES -//#define MBEDTLS_X509_REMOVE_INFO -#define MBEDTLS_X509_RSASSA_PSS_SUPPORT -//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -``` From 3ca3f151f5369f90782b9cf174f9499d294bbad6 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 3 Oct 2024 09:29:36 +0200 Subject: [PATCH 30/32] Add missing backticks Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index c81b3b2fb2..fe750f485c 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -168,9 +168,10 @@ section dedicated to non boolean configuration options anymore. #### SECTION General and test configuration options Note: for consistency with the configuration file name change from `crypto_config.h` to `tf_psa_crypto_config.h`, the configuration options -MBEDTLS_PSA_CRYPTO_CONFIG_FILE and MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE are -respectively renamed TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE. -These are the only configuration options renamed by this document. +`MBEDTLS_PSA_CRYPTO_CONFIG_FILE` and `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE` are +respectively renamed `TF_PSA_CRYPTO_CONFIG_FILE` and +`TF_PSA_CRYPTO_USER_CONFIG_FILE`. These are the only configuration options +renamed by this document. ``` //#define MBEDTLS_CHECK_RETURN_WARNING //#define MBEDTLS_DEPRECATED_REMOVED From cbafe75f19b39a604e686047e80ab507438fa283 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 3 Oct 2024 09:33:25 +0200 Subject: [PATCH 31/32] Fix hyperlink Signed-off-by: Ronald Cron --- docs/proposed/config-split.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index fe750f485c..fd8a8c70cd 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -100,7 +100,7 @@ the ones in `tf_psa_crypto_config.h`. The main change is the reorganization of the "Mbed TLS modules", "Mbed TLS feature support" and "Module configuration options" sections into the ["TLS feature selection"](#section-tls-feature-selection) and -["X.509 feature selection"](#section-x.509-feature-selection) sections. That +["X.509 feature selection"](#section-x-509-feature-selection) sections. That way all TLS/x509 options are grouped into one section and there is no section dedicated to non boolean configuration options anymore. From 45daa8d8c39fd194d46e476f0dc6f603014cd40d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 3 Oct 2024 09:38:27 +0200 Subject: [PATCH 32/32] Convert config-split.md with Pandoc Signed-off-by: Ronald Cron --- docs/proposed/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/proposed/Makefile b/docs/proposed/Makefile index 1c314640b9..7f5254fab7 100644 --- a/docs/proposed/Makefile +++ b/docs/proposed/Makefile @@ -3,6 +3,7 @@ PANDOC = pandoc default: all all_markdown = \ + config-split.md \ psa-conditional-inclusion-c.md \ psa-driver-developer-guide.md \ psa-driver-integration-guide.md \