From 93ba625b9691f333401bd5f5c2fbec5e8186f741 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 5 Sep 2024 10:37:14 +0200 Subject: [PATCH] Remove MBEDTLS_PSA_CRYPTO_CONFIG configuration option Signed-off-by: Ronald Cron --- README.md | 5 - configs/config-ccm-psk-dtls1_2.h | 1 - configs/config-ccm-psk-tls1_2.h | 1 - configs/config-suite-b.h | 1 - configs/config-symmetric-only.h | 1 - configs/config-thread.h | 1 - .../psa-crypto-implementation-structure.md | 4 +- .../psa-migration/md-cipher-dispatch.md | 6 +- docs/driver-only-builds.md | 5 - docs/proposed/config-split.md | 1 - docs/proposed/psa-conditional-inclusion-c.md | 34 +- docs/psa-driver-example-and-guide.md | 1 - docs/psa-transition.md | 4 +- include/mbedtls/build_info.h | 6 - include/mbedtls/check_config.h | 2 +- .../mbedtls/config_adjust_psa_from_legacy.h | 359 ------------------ include/mbedtls/mbedtls_config.h | 46 +-- .../components-configuration-crypto.sh | 32 +- tests/scripts/components-configuration-tls.sh | 9 - tf-psa-crypto/core/psa_crypto.c | 3 - .../mbedtls/config_adjust_legacy_from_psa.h | 9 +- .../mbedtls/config_adjust_test_accelerators.h | 3 +- .../builtin/include/mbedtls/config_psa.h | 14 - tf-psa-crypto/include/psa/crypto_config.h | 13 +- .../tests/configs/config_test_driver.h | 1 - .../tests/suites/test_suite_pk.function | 6 +- 26 files changed, 40 insertions(+), 528 deletions(-) delete mode 100644 include/mbedtls/config_adjust_psa_from_legacy.h diff --git a/README.md b/README.md index dbee4a8307..317874f6f4 100644 --- a/README.md +++ b/README.md @@ -303,11 +303,6 @@ Mbed TLS supports drivers for cryptographic accelerators, secure elements and ra Please see the [PSA driver example and guide](docs/psa-driver-example-and-guide.md) for information on writing a driver. -When using drivers, you will generally want to enable two compilation options (see the reference manual for more information): - -* `MBEDTLS_USE_PSA_CRYPTO` is necessary so that the X.509 and TLS code calls the PSA drivers rather than the built-in software implementation. -* `MBEDTLS_PSA_CRYPTO_CONFIG` allows you to enable PSA cryptographic mechanisms without including the code of the corresponding software implementation. This is not yet supported for all mechanisms. - License ------- diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index be785b7aec..d41d544005 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -26,7 +26,6 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h" #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_PSA_CRYPTO_CONFIG #define MBEDTLS_USE_PSA_CRYPTO /* System support */ diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index d8f4f9c180..85f08c352f 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -25,7 +25,6 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h" #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_PSA_CRYPTO_CONFIG #define MBEDTLS_USE_PSA_CRYPTO /* System support */ diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index cdea16e25a..8bc2cf386d 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -24,7 +24,6 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h" #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_PSA_CRYPTO_CONFIG #define MBEDTLS_USE_PSA_CRYPTO /* System support */ diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index 13e4d26677..e29fd6210b 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h @@ -11,7 +11,6 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h" #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_PSA_CRYPTO_CONFIG #define MBEDTLS_USE_PSA_CRYPTO /* System support */ diff --git a/configs/config-thread.h b/configs/config-thread.h index 160aded92c..df25cfa7f0 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -24,7 +24,6 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h" #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_PSA_CRYPTO_CONFIG #define MBEDTLS_USE_PSA_CRYPTO /* System support */ diff --git a/docs/architecture/psa-crypto-implementation-structure.md b/docs/architecture/psa-crypto-implementation-structure.md index 3421354843..5948d572ff 100644 --- a/docs/architecture/psa-crypto-implementation-structure.md +++ b/docs/architecture/psa-crypto-implementation-structure.md @@ -124,9 +124,7 @@ New constants must have a test case in `tests/suites/test_suite_psa_crypto_metad Each cryptographic mechanism is optional and can be selected by the application at build time. For each feature `PSA_ttt_xxx`: -* The feature is available to applications when the preprocessor symbol `PSA_WANT_ttt_xxx` is defined. These symbols are set: - * If `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled: based on the available mechanisms in Mbed TLS, deduced from `mbedtls/mbedtls_config.h` by code in `include/mbedtls/config_psa.h`. - * if `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled: in the application configuration file `include/psa/crypto_config.h` (or `MBEDTLS_PSA_CRYPTO_CONFIG_FILE`, plus `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`), with code in `include/mbedtls/config_psa.h` deducing the necessary underlying `MBEDTLS_xxx` symbols. +* The feature is available to applications when the preprocessor symbol `PSA_WANT_ttt_xxx` is defined. These symbols are set in the application configuration file `include/psa/crypto_config.h` (or `MBEDTLS_PSA_CRYPTO_CONFIG_FILE`, plus `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`), with code in `include/mbedtls/config_psa.h` deducing the necessary underlying `MBEDTLS_xxx` symbols. * For transparent keys (keys that are not in a secure element), the feature is implemented by Mbed TLS if `MBEDTLS_PSA_BUILTIN_ttt_xxx` is defined, and by an accelerator driver if `MBEDTLS_PSA_ACCEL_ttt_xxx` is defined. `MBEDTLS_PSA_BUILTIN_ttt_xxx` constants are set in `include/mbedtls/config_psa.h` based on the application requests `PSA_WANT_ttt_xxx` and the accelerator driver declarations `MBEDTLS_PSA_ACCEL_ttt_xxx`. * For the testing of the driver dispatch code, `tests/configs/crypto_config_test_driver_extension.h` sets additional `MBEDTLS_PSA_ACCEL_xxx` symbols. diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md index eda65a348c..91e26ed60d 100644 --- a/docs/architecture/psa-migration/md-cipher-dispatch.md +++ b/docs/architecture/psa-migration/md-cipher-dispatch.md @@ -73,7 +73,6 @@ The following configuration options are described as experimental, and are likel * `MBEDTLS_PSA_CRYPTO_CLIENT`: “This interface is experimental and may change or be removed without notice.” In practice we don't want to remove this, but we may constrain how it's used. * `MBEDTLS_PSA_CRYPTO_DRIVERS`: “This interface is experimental. We intend to maintain backward compatibility with application code that relies on drivers, but the driver interfaces may change without notice.” In practice, this may mean constraints not only on how to write drivers, but also on how to integrate drivers into code that is platform code more than application code. -* `MBEDTLS_PSA_CRYPTO_CONFIG`: “This feature is still experimental and is not ready for production since it is not completed.” We may want to change this, for example, to automatically enable more mechanisms (although this wouldn't be considered a backward compatibility break anyway, since we don't promise that you will not get a feature if you don't enable its `PSA_WANT_xxx`). ### Non-goals @@ -285,8 +284,7 @@ We could go further and make PSA accelerators available to legacy callers that c #### Implications between legacy availability and PSA availability -* When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, all legacy mechanisms are automatically enabled through PSA. Users can manually enable PSA mechanisms that are available through accelerators but not through legacy, but this is not officially supported (users are not supposed to manually define PSA configuration symbols when `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled). -* When `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled, there is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator. +There is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator. It is strongly desirable to allow mechanisms available through PSA but not legacy: this allows saving code size when an accelerator is present. @@ -522,8 +520,6 @@ As discussed in [“Implications between legacy availability and PSA availabilit > If an algorithm has a legacy implementation, it is also available through PSA. -When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, this is already the case. When is enabled, we will now make it so as well. Change `include/mbedtls/config_psa.h` accordingly. - ### MD light optimizations This section is not necessary to implement MD light, but will cut down its code size. diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index 2c08c69063..3d999c2e1e 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -22,11 +22,6 @@ the following compile-time configuration options enabled: TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS and want them to have access to the algorithms provided by your driver. (See [the dedicated document](use-psa-crypto.md) for details.) -- `MBEDTLS_PSA_CRYPTO_CONFIG` (disabled by default) - this enables - configuration of cryptographic algorithms using `PSA_WANT` macros in -`include/psa/crypto_config.h`. See [Conditional inclusion of cryptographic -mechanism through the PSA API in Mbed -TLS](proposed/psa-conditional-inclusion-c.md) for details. In addition, for each mechanism you want provided only by your driver: diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md index fd8a8c70cd..b91d55e5ce 100644 --- a/docs/proposed/config-split.md +++ b/docs/proposed/config-split.md @@ -347,7 +347,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`. #define MBEDTLS_PKCS1_V15 #define MBEDTLS_PKCS1_V21 #define MBEDTLS_POLY1305_C -//#define MBEDTLS_PSA_CRYPTO_CONFIG //#define MBEDTLS_PSA_CRYPTO_SE_C #define MBEDTLS_RIPEMD160_C #define MBEDTLS_RSA_C diff --git a/docs/proposed/psa-conditional-inclusion-c.md b/docs/proposed/psa-conditional-inclusion-c.md index 3dd5345abf..5277e2c32f 100644 --- a/docs/proposed/psa-conditional-inclusion-c.md +++ b/docs/proposed/psa-conditional-inclusion-c.md @@ -50,11 +50,7 @@ The current model is difficult to adapt to the PSA interface for several reasons ### PSA Crypto configuration file The PSA Crypto configuration file `psa/crypto_config.h` defines a series of symbols of the form `PSA_WANT_xxx` where `xxx` describes the feature that the symbol enables. The symbols are documented in the section [“PSA Crypto configuration symbols”](#psa-crypto-configuration-symbols) below. - -The symbol `MBEDTLS_PSA_CRYPTO_CONFIG` in `mbedtls/mbedtls_config.h` determines whether `psa/crypto_config.h` is used. - -* If `MBEDTLS_PSA_CRYPTO_CONFIG` is unset, which is the default at least in Mbed TLS 2.x versions, things are as they are today: the PSA subsystem includes generic code unconditionally, and includes support for specific mechanisms conditionally based on the existing `MBEDTLS_xxx_` symbols. -* If `MBEDTLS_PSA_CRYPTO_CONFIG` is set, the necessary software implementations of cryptographic algorithms are included based on both the content of the PSA Crypto configuration file and the Mbed TLS configuration file. For example, the code in `aes.c` is enabled if either `mbedtls/mbedtls_config.h` contains `MBEDTLS_AES_C` or `psa/crypto_config.h` contains `PSA_WANT_KEY_TYPE_AES`. +The necessary software implementations of cryptographic algorithms are included based on the content of the PSA Crypto configuration file. For example, the code in `aes.c` is enabled if `psa/crypto_config.h` contains `PSA_WANT_KEY_TYPE_AES`. ### PSA Crypto configuration symbols @@ -130,23 +126,15 @@ These symbols are not part of the public interface of Mbed TLS towards applicati ### Architecture of symbol definitions -#### New-style definition of configuration symbols +#### Definition of configuration symbols -When `MBEDTLS_PSA_CRYPTO_CONFIG` is set, the header file `mbedtls/mbedtls_config.h` needs to define all the `MBEDTLS_xxx_C` configuration symbols, including the ones deduced from the PSA Crypto configuration. It does this by including the new header file **`mbedtls/config_psa.h`**, which defines the `MBEDTLS_PSA_BUILTIN_xxx` symbols and deduces the corresponding `MBEDTLS_xxx_C` (and other) symbols. +The header file `mbedtls/mbedtls_config.h` defines all the `MBEDTLS_xxx_C` configuration symbols, including the ones deduced from the PSA Crypto configuration. It does this by including the new header file **`mbedtls/config_psa.h`**, which defines the `MBEDTLS_PSA_BUILTIN_xxx` symbols and deduces the corresponding `MBEDTLS_xxx_C` (and other) symbols. `mbedtls/config_psa.h` includes `psa/crypto_config.h`, the user-editable file that defines application requirements. -#### Old-style definition of configuration symbols - -When `MBEDTLS_PSA_CRYPTO_CONFIG` is not set, the configuration of Mbed TLS works as before, and the inclusion of non-PSA code only depends on `MBEDTLS_xxx` symbols defined (or not) in `mbedtls/mbedtls_config.h`. Furthermore, the new header file **`mbedtls/config_psa.h`** deduces PSA configuration symbols (`PSA_WANT_xxx`, `MBEDTLS_PSA_BUILTIN_xxx`) from classic configuration symbols (`MBEDTLS_xxx`). - -The `PSA_WANT_xxx` definitions in `mbedtls/config_psa.h` are needed not only to build the PSA parts of the library, but also to build code that uses these parts. This includes structure definitions in `psa/crypto_struct.h`, size calculations in `psa/crypto_sizes.h`, and application code that's specific to a given cryptographic mechanism. In Mbed TLS itself, code under `MBEDTLS_USE_PSA_CRYPTO` and conditional compilation guards in tests and sample programs need `PSA_WANT_xxx`. - -Since some existing applications use a handwritten `mbedtls/mbedtls_config.h` or an edited copy of `mbedtls/mbedtls_config.h` from an earlier version of Mbed TLS, `mbedtls/config_psa.h` must be included via an already existing header that is not `mbedtls/mbedtls_config.h`, so it is included via `psa/crypto.h` (for example from `psa/crypto_platform.h`). - #### Summary of definitions of configuration symbols -Whether `MBEDTLS_PSA_CRYPTO_CONFIG` is set or not, `mbedtls/config_psa.h` includes `mbedtls/crypto_drivers.h`, a header file generated by the transpilation of the driver descriptions. It defines `MBEDTLS_PSA_ACCEL_xxx` symbols according to the availability of transparent drivers without fallback. +`mbedtls/config_psa.h` includes `mbedtls/crypto_drivers.h`, a header file generated by the transpilation of the driver descriptions. It defines `MBEDTLS_PSA_ACCEL_xxx` symbols according to the availability of transparent drivers without fallback. The following table summarizes where symbols are defined depending on the configuration mode. @@ -154,13 +142,13 @@ The following table summarizes where symbols are defined depending on the config * (D) indicates a symbol that is deduced from other symbols by code that ships with Mbed TLS. * (G) indicates a symbol that is generated from driver descriptions. -| Symbols | With `MBEDTLS_PSA_CRYPTO_CONFIG` | Without `MBEDTLS_PSA_CRYPTO_CONFIG` | -| ------------------------- | --------------------------------- | ----------------------------------- | -| `MBEDTLS_xxx_C` | `mbedtls/mbedtls_config.h` (U) or | `mbedtls/mbedtls_config.h` (U) | -| | `mbedtls/config_psa.h` (D) | | -| `PSA_WANT_xxx` | `psa/crypto_config.h` (U) | `mbedtls/config_psa.h` (D) | -| `MBEDTLS_PSA_BUILTIN_xxx` | `mbedtls/config_psa.h` (D) | `mbedtls/config_psa.h` (D) | -| `MBEDTLS_PSA_ACCEL_xxx` | `mbedtls/crypto_drivers.h` (G) | N/A | +| Symbols | | +| ------------------------- | --------------------------------- | +| `MBEDTLS_xxx_C` | `mbedtls/mbedtls_config.h` (U) or | +| | `mbedtls/config_psa.h` (D) | +| `PSA_WANT_xxx` | `psa/crypto_config.h` (U) | +| `MBEDTLS_PSA_BUILTIN_xxx` | `mbedtls/config_psa.h` (D) | +| `MBEDTLS_PSA_ACCEL_xxx` | `mbedtls/crypto_drivers.h` (G) | #### Visibility of internal symbols diff --git a/docs/psa-driver-example-and-guide.md b/docs/psa-driver-example-and-guide.md index 8222322d14..15aa155b56 100644 --- a/docs/psa-driver-example-and-guide.md +++ b/docs/psa-driver-example-and-guide.md @@ -142,7 +142,6 @@ This guide assumes you are building Mbed TLS from source alongside your project. The Mbed TLS build system includes the instructions needed to build p256-m. To build with and use p256-m, set the macro `MBEDTLS_PSA_P256M_DRIVER_ENABLED` using `config.py`, then build as usual using make/cmake. From the root of the `mbedtls/` directory, run: - python3 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG python3 scripts/config.py set MBEDTLS_PSA_P256M_DRIVER_ENABLED make diff --git a/docs/psa-transition.md b/docs/psa-transition.md index 952cb1cf55..2d7ad15ab3 100644 --- a/docs/psa-transition.md +++ b/docs/psa-transition.md @@ -175,9 +175,7 @@ Note that a key consumes a key store entry, which is distinct from heap memory, ### Cryptographic mechanism availability -**This section only applies if `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled.** This option is disabled in the default configuration. - -When the configuration option [`MBEDTLS_PSA_CRYPTO_CONFIG`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a5aca5ddcffb586acad82f9aef26db056) is enabled, the cryptographic mechanisms available through the PSA API are determined by the contents of the header file `"psa/crypto_config.h"`. You can override the file location with the macro [`MBEDTLS_PSA_CRYPTO_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a25f7e358caa101570cb9519705c2b873), and you can set [`MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1abd1870cc0d2681183a3018a7247cb137) to the path of an additional file (similar to `MBEDTLS_CONFIG_FILE` and `MBEDTLS_USER_CONFIG_FILE` for legacy configuration symbols). +The cryptographic mechanisms available through the PSA API are determined by the contents of the header file `"psa/crypto_config.h"`. You can override the file location with the macro [`MBEDTLS_PSA_CRYPTO_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a25f7e358caa101570cb9519705c2b873), and you can set [`MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1abd1870cc0d2681183a3018a7247cb137) to the path of an additional file (similar to `MBEDTLS_CONFIG_FILE` and `MBEDTLS_USER_CONFIG_FILE` for legacy configuration symbols). The availability of cryptographic mechanisms in the PSA API is based on a systematic pattern: diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 2b48e50341..da5ef4cae9 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -131,7 +131,6 @@ #endif /* PSA crypto configuration */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) #if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) #include MBEDTLS_PSA_CRYPTO_CONFIG_FILE #else @@ -140,7 +139,6 @@ #if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) #include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE #endif -#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ /* Indicate that all configuration files have been read. * It is now time to adjust the configuration (follow through on dependencies, @@ -170,11 +168,7 @@ * this symbol should be consulted after its inclusion. * (e.g. MBEDTLS_MD_LIGHT) */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \ - defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ || \ - defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* The same as the previous, but with separation only */ #include "mbedtls/config_psa.h" -#endif #include "mbedtls/config_adjust_legacy_crypto.h" diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index d7cc3653db..91b88bd8eb 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -118,7 +118,7 @@ #error "MBEDTLS_NIST_KW_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) && defined(MBEDTLS_PSA_CRYPTO_CONFIG) +#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) #if defined(PSA_WANT_ALG_CBC_NO_PADDING) #error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_NO_PADDING cannot be defined simultaneously" #endif diff --git a/include/mbedtls/config_adjust_psa_from_legacy.h b/include/mbedtls/config_adjust_psa_from_legacy.h deleted file mode 100644 index 14ca14696f..0000000000 --- a/include/mbedtls/config_adjust_psa_from_legacy.h +++ /dev/null @@ -1,359 +0,0 @@ -/** - * \file mbedtls/config_adjust_psa_from_legacy.h - * \brief Adjust PSA configuration: construct PSA configuration from legacy - * - * This is an internal header. Do not include it directly. - * - * When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable - * cryptographic mechanisms through the PSA interface when the corresponding - * legacy mechanism is enabled. In many cases, this just enables the PSA - * wrapper code around the legacy implementation, but we also do this for - * some mechanisms where PSA has its own independent implementation so - * that high-level modules that can use either cryptographic API have the - * same feature set in both cases. - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H -#define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H - -#if !defined(MBEDTLS_CONFIG_FILES_READ) -#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ - "up to and including runtime errors such as buffer overflows. " \ - "If you're trying to fix a complaint from check_config.h, just remove " \ - "it from your configuration file: since Mbed TLS 3.0, it is included " \ - "automatically at the right point." -#endif /* */ - -/* - * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG - * is not defined - */ - -#if defined(MBEDTLS_CCM_C) -#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1 -#define PSA_WANT_ALG_CCM 1 -#if defined(MBEDTLS_CIPHER_C) -#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1 -#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 -#endif /* MBEDTLS_CIPHER_C */ -#endif /* MBEDTLS_CCM_C */ - -#if defined(MBEDTLS_CMAC_C) -#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1 -#define PSA_WANT_ALG_CMAC 1 -#endif /* MBEDTLS_CMAC_C */ - -#if defined(MBEDTLS_ECDH_C) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 -#define PSA_WANT_ALG_ECDH 1 -#endif /* MBEDTLS_ECDH_C */ - -#if defined(MBEDTLS_ECDSA_C) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 -#define PSA_WANT_ALG_ECDSA 1 -#define PSA_WANT_ALG_ECDSA_ANY 1 - -// Only add in DETERMINISTIC support if ECDSA is also enabled -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) -#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 -#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 -#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ - -#endif /* MBEDTLS_ECDSA_C */ - -#if defined(MBEDTLS_ECP_C) -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 -/* Normally we wouldn't enable this because it's not implemented in ecp.c, - * but since it used to be available any time ECP_C was enabled, let's enable - * it anyway for the sake of backwards compatibility */ -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 -/* See comment for PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE above. */ -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 -#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 -#endif /* MBEDTLS_ECP_C */ - -#if defined(MBEDTLS_DHM_C) -#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1 -#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 -#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 -#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 -#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1 -#define PSA_WANT_ALG_FFDH 1 -#define PSA_WANT_DH_RFC7919_2048 1 -#define PSA_WANT_DH_RFC7919_3072 1 -#define PSA_WANT_DH_RFC7919_4096 1 -#define PSA_WANT_DH_RFC7919_6144 1 -#define PSA_WANT_DH_RFC7919_8192 1 -#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1 -#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1 -#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1 -#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1 -#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1 -#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1 -#endif /* MBEDTLS_DHM_C */ - -#if defined(MBEDTLS_GCM_C) -#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1 -#define PSA_WANT_ALG_GCM 1 -#endif /* MBEDTLS_GCM_C */ - -/* Enable PSA HKDF algorithm if mbedtls HKDF is supported. - * PSA HKDF EXTRACT and PSA HKDF EXPAND have minimal cost when - * PSA HKDF is enabled, so enable both algorithms together - * with PSA HKDF. */ -#if defined(MBEDTLS_HKDF_C) -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#define PSA_WANT_ALG_HMAC 1 -#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 -#define PSA_WANT_ALG_HKDF 1 -#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1 -#define PSA_WANT_ALG_HKDF_EXTRACT 1 -#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1 -#define PSA_WANT_ALG_HKDF_EXPAND 1 -#endif /* MBEDTLS_HKDF_C */ - -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#define PSA_WANT_ALG_HMAC 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 - -#if defined(MBEDTLS_MD_C) -#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1 -#define PSA_WANT_ALG_TLS12_PRF 1 -#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1 -#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 -#endif /* MBEDTLS_MD_C */ - -#if defined(MBEDTLS_MD5_C) -#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1 -#define PSA_WANT_ALG_MD5 1 -#endif - -#if defined(MBEDTLS_ECJPAKE_C) -#define MBEDTLS_PSA_BUILTIN_PAKE 1 -#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1 -#define PSA_WANT_ALG_JPAKE 1 -#endif - -#if defined(MBEDTLS_RIPEMD160_C) -#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1 -#define PSA_WANT_ALG_RIPEMD160 1 -#endif - -#if defined(MBEDTLS_RSA_C) -#if defined(MBEDTLS_PKCS1_V15) -#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1 -#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 -#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1 -#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 -#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW 1 -#endif /* MBEDTLS_PKCS1_V15 */ -#if defined(MBEDTLS_PKCS1_V21) -#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1 -#define PSA_WANT_ALG_RSA_OAEP 1 -#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1 -#define PSA_WANT_ALG_RSA_PSS 1 -#endif /* MBEDTLS_PKCS1_V21 */ -#if defined(MBEDTLS_GENPRIME) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 -#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 -#endif /* MBEDTLS_GENPRIME */ -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 -#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 -#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 -#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1 -#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 -#endif /* MBEDTLS_RSA_C */ - -#if defined(MBEDTLS_SHA1_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1 -#define PSA_WANT_ALG_SHA_1 1 -#endif - -#if defined(MBEDTLS_SHA224_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1 -#define PSA_WANT_ALG_SHA_224 1 -#endif - -#if defined(MBEDTLS_SHA256_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1 -#define PSA_WANT_ALG_SHA_256 1 -#endif - -#if defined(MBEDTLS_SHA384_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1 -#define PSA_WANT_ALG_SHA_384 1 -#endif - -#if defined(MBEDTLS_SHA512_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1 -#define PSA_WANT_ALG_SHA_512 1 -#endif - -#if defined(MBEDTLS_SHA3_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1 -#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1 -#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1 -#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1 -#define PSA_WANT_ALG_SHA3_224 1 -#define PSA_WANT_ALG_SHA3_256 1 -#define PSA_WANT_ALG_SHA3_384 1 -#define PSA_WANT_ALG_SHA3_512 1 -#endif - -#if defined(MBEDTLS_AES_C) -#define PSA_WANT_KEY_TYPE_AES 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 -#endif - -#if defined(MBEDTLS_ARIA_C) -#define PSA_WANT_KEY_TYPE_ARIA 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1 -#endif - -#if defined(MBEDTLS_CAMELLIA_C) -#define PSA_WANT_KEY_TYPE_CAMELLIA 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1 -#endif - -#if defined(MBEDTLS_DES_C) -#define PSA_WANT_KEY_TYPE_DES 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) -#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1 -#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 -#endif - -#if defined(MBEDTLS_CHACHA20_C) -#define PSA_WANT_KEY_TYPE_CHACHA20 1 -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 -/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */ -#if defined(MBEDTLS_CIPHER_C) -#define PSA_WANT_ALG_STREAM_CIPHER 1 -#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 -#endif -#if defined(MBEDTLS_CHACHAPOLY_C) -#define PSA_WANT_ALG_CHACHA20_POLY1305 1 -#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 -#endif -#endif - -#if defined(MBEDTLS_CIPHER_MODE_CBC) -#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1 -#define PSA_WANT_ALG_CBC_NO_PADDING 1 -#if defined(MBEDTLS_CIPHER_PADDING_PKCS7) -#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 -#define PSA_WANT_ALG_CBC_PKCS7 1 -#endif -#endif - -#if (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \ - defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)) && \ - defined(MBEDTLS_CIPHER_C) -#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1 -#define PSA_WANT_ALG_ECB_NO_PADDING 1 -#endif - -#if defined(MBEDTLS_CIPHER_MODE_CFB) -#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1 -#define PSA_WANT_ALG_CFB 1 -#endif - -#if defined(MBEDTLS_CIPHER_MODE_CTR) -#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1 -#define PSA_WANT_ALG_CTR 1 -#endif - -#if defined(MBEDTLS_CIPHER_MODE_OFB) -#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1 -#define PSA_WANT_ALG_OFB 1 -#endif - -#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1 -#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1 -#endif - -#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1 -#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1 -#endif - -#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1 -#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1 -#endif - -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1 -#define PSA_WANT_ECC_MONTGOMERY_255 1 -#endif - -#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1 -#define PSA_WANT_ECC_MONTGOMERY_448 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1 -#define PSA_WANT_ECC_SECP_R1_192 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1 -#define PSA_WANT_ECC_SECP_R1_224 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1 -#define PSA_WANT_ECC_SECP_R1_256 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1 -#define PSA_WANT_ECC_SECP_R1_384 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1 -#define PSA_WANT_ECC_SECP_R1_521 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1 -#define PSA_WANT_ECC_SECP_K1_192 1 -#endif - -/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */ -#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1 -#define PSA_WANT_ECC_SECP_K1_224 1 -#endif - -#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1 -#define PSA_WANT_ECC_SECP_K1_256 1 -#endif - -#endif /* MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index fa223ffa8d..266f7cbdf8 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1241,8 +1241,7 @@ * If you enable this option, you do not need to enable any ECC-related * MBEDTLS_xxx option. You do need to separately request support for the * cryptographic mechanisms through the PSA API: - * - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based - * configuration; + * - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration; * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS; * - #PSA_WANT_ECC_SECP_R1_256; * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed; @@ -1901,38 +1900,6 @@ */ //#define MBEDTLS_THREADING_PTHREAD -/** - * \def MBEDTLS_PSA_CRYPTO_CONFIG - * - * This setting allows support for cryptographic mechanisms through the PSA - * API to be configured separately from support through the mbedtls API. - * - * When this option is disabled, the PSA API exposes the cryptographic - * mechanisms that can be implemented on top of the `mbedtls_xxx` API - * configured with `MBEDTLS_XXX` symbols. - * - * When this option is enabled, the PSA API exposes the cryptographic - * mechanisms requested by the `PSA_WANT_XXX` symbols defined in - * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are - * automatically enabled if required (i.e. if no PSA driver provides the - * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols - * in mbedtls_config.h. - * - * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies - * an alternative header to include instead of include/psa/crypto_config.h. - * - * \warning This option is experimental, in that the set of `PSA_WANT_XXX` - * symbols is not completely finalized yet, and the configuration - * tooling is not ideally adapted to having two separate configuration - * files. - * Future minor releases of Mbed TLS may make minor changes to those - * symbols, but we will endeavor to provide a transition path. - * Nonetheless, this option is considered mature enough to use in - * production, as long as you accept that you may need to make - * minor changes to psa/crypto_config.h when upgrading Mbed TLS. - */ -//#define MBEDTLS_PSA_CRYPTO_CONFIG - /** * \def MBEDTLS_VERSION_FEATURES * @@ -2173,10 +2140,10 @@ * \note This feature is incompatible with insecure block cipher, * MBEDTLS_DES_C, and cipher modes which always require decryption * operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and - * MBEDTLS_NIST_KW_C. When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, - * this feature is incompatible with following supported PSA equivalence, - * PSA_WANT_ALG_ECB_NO_PADDING, PSA_WANT_ALG_CBC_NO_PADDING, - * PSA_WANT_ALG_CBC_PKCS7 and PSA_WANT_KEY_TYPE_DES. + * MBEDTLS_NIST_KW_C. This feature is incompatible with following + * supported PSA equivalence PSA_WANT_ALG_ECB_NO_PADDING, + * PSA_WANT_ALG_CBC_NO_PADDING, PSA_WANT_ALG_CBC_PKCS7 and + * PSA_WANT_KEY_TYPE_DES. * * Module: library/aes.c * library/aesce.c @@ -3572,8 +3539,7 @@ * If defined, this is a header which will be included instead of * `"psa/crypto_config.h"`. * This header file specifies which cryptographic mechanisms are available - * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and - * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. + * through the PSA API. * * This macro is expanded after an \#include directive. This is a popular but * non-standard feature of the C language, so this feature is only available diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 2c83caf07f..0cf2ca978d 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -108,7 +108,6 @@ component_test_psa_crypto_without_heap() { scripts/config.py unset-all "^MBEDTLS_" # Build the PSA core using the proper config file. scripts/config.py set MBEDTLS_PSA_CRYPTO_C - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Enable fully-static key slots in PSA core. scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS # Prevent PSA core from creating a copy of input/output buffers. @@ -139,7 +138,6 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_GENPRIME scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make @@ -452,7 +450,6 @@ component_test_everest () { component_test_everest_curve25519_only () { msg "build: Everest ECDH context, only Curve25519" # ~ 6 min - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA @@ -640,7 +637,7 @@ component_build_module_alt () { } component_test_psa_crypto_config_accel_ecdsa () { - msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" + msg "build: accelerated ECDSA" # Algorithms and key types to accelerate loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ @@ -677,12 +674,12 @@ component_test_psa_crypto_config_accel_ecdsa () { # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" + msg "test: accelerated ECDSA" make test } component_test_psa_crypto_config_accel_ecdh () { - msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + msg "build: accelerated ECDH" # Algorithms and key types to accelerate loc_accel_list="ALG_ECDH \ @@ -718,7 +715,7 @@ component_test_psa_crypto_config_accel_ecdh () { # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + msg "test: accelerated ECDH" make test } @@ -1072,7 +1069,7 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () { # Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only component_test_psa_crypto_config_reference_ecc_ecp_light_only () { - msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" + msg "build: non-accelerated EC algs" config_psa_crypto_config_ecp_light_only 0 @@ -1622,9 +1619,6 @@ component_test_new_psa_want_key_pair_symbol () { scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - # Enable PSA support - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure # that proper translations is done in crypto_legacy.h. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT @@ -1647,7 +1641,7 @@ component_test_new_psa_want_key_pair_symbol () { } component_test_psa_crypto_config_accel_hash () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" + msg "test: accelerated hash" loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ @@ -1687,7 +1681,7 @@ component_test_psa_crypto_config_accel_hash () { # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" + msg "test: accelerated hash" make test } @@ -1847,7 +1841,7 @@ component_test_psa_crypto_config_reference_hmac () { } component_test_psa_crypto_config_accel_des () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" + msg "test: accelerated DES" # Albeit this components aims at accelerating DES which should only support # CBC and ECB modes, we need to accelerate more than that otherwise DES_C @@ -1889,12 +1883,12 @@ component_test_psa_crypto_config_accel_des () { # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" + msg "test: accelerated DES" make test } component_test_psa_crypto_config_accel_aead () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" + msg "test: accelerated AEAD" loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" @@ -1928,7 +1922,7 @@ component_test_psa_crypto_config_accel_aead () { # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" + msg "test: accelerated AEAD" make test } @@ -2283,7 +2277,6 @@ component_build_aes_variations () { # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES, # manually set or unset those configurations to check # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_NIST_KW_C @@ -2311,7 +2304,6 @@ component_test_sha3_variations () { #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C - #define MBEDTLS_PSA_CRYPTO_CONFIG #define MBEDTLS_SELF_TEST END @@ -2504,7 +2496,6 @@ config_block_cipher_no_decrypt () { # Enable support for cryptographic mechanisms through the PSA API. # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING @@ -2659,7 +2650,6 @@ component_test_psa_crypto_drivers () { component_build_psa_config_file () { msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG cp "$CRYPTO_CONFIG_H" psa_test_config.h echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 077d0a076c..b522419beb 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -57,7 +57,6 @@ component_test_no_renegotiation () { component_test_tls1_2_default_stream_cipher_only () { msg "build: default with only stream cipher use psa" - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG @@ -94,7 +93,6 @@ component_test_tls1_2_default_stream_cipher_only () { component_test_tls1_2_default_cbc_legacy_cipher_only () { msg "build: default with only CBC-legacy cipher use psa" - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG @@ -128,7 +126,6 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG @@ -424,7 +421,6 @@ component_test_ssl_alloc_buffer_and_mfl () { component_test_when_no_ciphersuites_have_mac () { msg "build: when no ciphersuites have MAC" - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC @@ -482,7 +478,6 @@ component_test_tls13_only_psk () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA @@ -534,7 +529,6 @@ component_test_tls13_only_ephemeral_ffdh () { scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED scripts/config.py unset MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH # Note: The unset below is to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C @@ -558,7 +552,6 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP @@ -586,7 +579,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA @@ -615,7 +607,6 @@ component_test_tls13_only_psk_all () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP diff --git a/tf-psa-crypto/core/psa_crypto.c b/tf-psa-crypto/core/psa_crypto.c index d82e36a92f..237310c280 100644 --- a/tf-psa-crypto/core/psa_crypto.c +++ b/tf-psa-crypto/core/psa_crypto.c @@ -11,10 +11,7 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) #include "check_crypto_config.h" -#endif - #include "psa/crypto.h" #include "psa/crypto_values.h" diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h index 04bdae61bb..c968d585a2 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h @@ -4,11 +4,10 @@ * * This is an internal header. Do not include it directly. * - * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations - * of cryptographic mechanisms as needed to fulfill the needs of the PSA - * configuration. Generally speaking, we activate a legacy mechanism if - * it's needed for a requested PSA mechanism and there is no PSA driver - * for it. + * Activate legacy implementations of cryptographic mechanisms as needed to + * fulfill the needs of the PSA configuration. Generally speaking, we activate + * a legacy mechanism if it's needed for a requested PSA mechanism and there is + * no PSA driver for it. */ /* * Copyright The Mbed TLS Contributors diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_test_accelerators.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_test_accelerators.h index 7d930427e6..cce4e892b1 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_test_accelerators.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_test_accelerators.h @@ -4,8 +4,7 @@ * * This is an internal header for test purposes only. Do not include it directly. * - * As part of the transition to MBEDTLS_PSA_CRYPTO_CONFIG always on, the - * purpose of this header is to keep executing as long as necessary some + * The purpose of this header is to keep executing as long as necessary some * driver-only related unit test cases when running the test_psa_crypto_drivers * all.sh component (namely test cases in test_suite_block_cipher and * test_suite_md.psa). It is expected that as the 4.x work progress these test diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h index 86bcc80a7b..3c076b5e90 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h @@ -26,8 +26,6 @@ #include "mbedtls/config_adjust_psa_superset_legacy.h" -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) - /* Require built-in implementations based on PSA requirements */ /* We need this to have a complete list of requirements @@ -43,18 +41,6 @@ #endif #endif /* MBEDTLS_PSA_CRYPTO_C */ -#else /* MBEDTLS_PSA_CRYPTO_CONFIG */ - -/* Infer PSA requirements from Mbed TLS capabilities */ - -#include "mbedtls/config_adjust_psa_from_legacy.h" - -/* Hopefully the file above will have enabled keypair symbols in a consistent - * way, but including this here fixes them if that wasn't the case. */ -#include "psa/crypto_adjust_config_key_pair_types.h" - -#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ - #include "psa/crypto_adjust_config_derived.h" #include "psa/crypto_adjust_auto_enabled.h" diff --git a/tf-psa-crypto/include/psa/crypto_config.h b/tf-psa-crypto/include/psa/crypto_config.h index 36e937ad35..59fac26c9d 100644 --- a/tf-psa-crypto/include/psa/crypto_config.h +++ b/tf-psa-crypto/include/psa/crypto_config.h @@ -3,10 +3,8 @@ * \brief PSA crypto configuration options (set of defines) * */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /** - * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, - * this file determines which cryptographic mechanisms are enabled + * This file determines which cryptographic mechanisms are enabled * through the PSA Cryptography API (\c psa_xxx() functions). * * To enable a cryptographic mechanism, uncomment the definition of @@ -22,14 +20,7 @@ * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve * additional symbols. */ -#else -/** - * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h, - * this file is not used, and cryptographic mechanisms are supported - * through the PSA API if and only if they are supported through the - * mbedtls_xxx API. - */ -#endif + /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later diff --git a/tf-psa-crypto/tests/configs/config_test_driver.h b/tf-psa-crypto/tests/configs/config_test_driver.h index ec8bcb6135..ed3b640ccc 100644 --- a/tf-psa-crypto/tests/configs/config_test_driver.h +++ b/tf-psa-crypto/tests/configs/config_test_driver.h @@ -18,7 +18,6 @@ #endif #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_PSA_CRYPTO_CONFIG /* PSA core mandatory configuration options */ #define MBEDTLS_CIPHER_C diff --git a/tf-psa-crypto/tests/suites/test_suite_pk.function b/tf-psa-crypto/tests/suites/test_suite_pk.function index bad09fac89..96ea591390 100644 --- a/tf-psa-crypto/tests/suites/test_suite_pk.function +++ b/tf-psa-crypto/tests/suites/test_suite_pk.function @@ -49,11 +49,7 @@ /* Pick an elliptic curve that's supported by PSA. Note that the curve is * not guaranteed to be supported by the ECP module. * - * This should always find a curve if ECC is enabled in the build, except in - * one edge case: in a build with MBEDTLS_PSA_CRYPTO_CONFIG disabled and - * where the only legacy curve is secp224k1, which is not supported in PSA, - * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY ends up enabled but PSA does not - * support any curve. + * This should always find a curve if ECC is enabled in the build. */ /* First try all the curves that can do both ECDSA and ECDH, then try