mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2024-12-26 09:19:15 +00:00
Remove MBEDTLS_PSA_CRYPTO_CONFIG configuration option
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
parent
e0ebf55a19
commit
93ba625b96
@ -303,11 +303,6 @@ Mbed TLS supports drivers for cryptographic accelerators, secure elements and ra
|
||||
|
||||
Please see the [PSA driver example and guide](docs/psa-driver-example-and-guide.md) for information on writing a driver.
|
||||
|
||||
When using drivers, you will generally want to enable two compilation options (see the reference manual for more information):
|
||||
|
||||
* `MBEDTLS_USE_PSA_CRYPTO` is necessary so that the X.509 and TLS code calls the PSA drivers rather than the built-in software implementation.
|
||||
* `MBEDTLS_PSA_CRYPTO_CONFIG` allows you to enable PSA cryptographic mechanisms without including the code of the corresponding software implementation. This is not yet supported for all mechanisms.
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
|
||||
@ -26,7 +26,6 @@
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
|
||||
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
#define MBEDTLS_USE_PSA_CRYPTO
|
||||
|
||||
/* System support */
|
||||
|
||||
@ -25,7 +25,6 @@
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
|
||||
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
#define MBEDTLS_USE_PSA_CRYPTO
|
||||
|
||||
/* System support */
|
||||
|
||||
@ -24,7 +24,6 @@
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h"
|
||||
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
#define MBEDTLS_USE_PSA_CRYPTO
|
||||
|
||||
/* System support */
|
||||
|
||||
@ -11,7 +11,6 @@
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h"
|
||||
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
#define MBEDTLS_USE_PSA_CRYPTO
|
||||
|
||||
/* System support */
|
||||
|
||||
@ -24,7 +24,6 @@
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h"
|
||||
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
#define MBEDTLS_USE_PSA_CRYPTO
|
||||
|
||||
/* System support */
|
||||
|
||||
@ -124,9 +124,7 @@ New constants must have a test case in `tests/suites/test_suite_psa_crypto_metad
|
||||
|
||||
Each cryptographic mechanism is optional and can be selected by the application at build time. For each feature `PSA_ttt_xxx`:
|
||||
|
||||
* The feature is available to applications when the preprocessor symbol `PSA_WANT_ttt_xxx` is defined. These symbols are set:
|
||||
* If `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled: based on the available mechanisms in Mbed TLS, deduced from `mbedtls/mbedtls_config.h` by code in `include/mbedtls/config_psa.h`.
|
||||
* if `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled: in the application configuration file `include/psa/crypto_config.h` (or `MBEDTLS_PSA_CRYPTO_CONFIG_FILE`, plus `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`), with code in `include/mbedtls/config_psa.h` deducing the necessary underlying `MBEDTLS_xxx` symbols.
|
||||
* The feature is available to applications when the preprocessor symbol `PSA_WANT_ttt_xxx` is defined. These symbols are set in the application configuration file `include/psa/crypto_config.h` (or `MBEDTLS_PSA_CRYPTO_CONFIG_FILE`, plus `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`), with code in `include/mbedtls/config_psa.h` deducing the necessary underlying `MBEDTLS_xxx` symbols.
|
||||
* For transparent keys (keys that are not in a secure element), the feature is implemented by Mbed TLS if `MBEDTLS_PSA_BUILTIN_ttt_xxx` is defined, and by an accelerator driver if `MBEDTLS_PSA_ACCEL_ttt_xxx` is defined. `MBEDTLS_PSA_BUILTIN_ttt_xxx` constants are set in `include/mbedtls/config_psa.h` based on the application requests `PSA_WANT_ttt_xxx` and the accelerator driver declarations `MBEDTLS_PSA_ACCEL_ttt_xxx`.
|
||||
* For the testing of the driver dispatch code, `tests/configs/crypto_config_test_driver_extension.h` sets additional `MBEDTLS_PSA_ACCEL_xxx` symbols.
|
||||
|
||||
|
||||
@ -73,7 +73,6 @@ The following configuration options are described as experimental, and are likel
|
||||
|
||||
* `MBEDTLS_PSA_CRYPTO_CLIENT`: “This interface is experimental and may change or be removed without notice.” In practice we don't want to remove this, but we may constrain how it's used.
|
||||
* `MBEDTLS_PSA_CRYPTO_DRIVERS`: “This interface is experimental. We intend to maintain backward compatibility with application code that relies on drivers, but the driver interfaces may change without notice.” In practice, this may mean constraints not only on how to write drivers, but also on how to integrate drivers into code that is platform code more than application code.
|
||||
* `MBEDTLS_PSA_CRYPTO_CONFIG`: “This feature is still experimental and is not ready for production since it is not completed.” We may want to change this, for example, to automatically enable more mechanisms (although this wouldn't be considered a backward compatibility break anyway, since we don't promise that you will not get a feature if you don't enable its `PSA_WANT_xxx`).
|
||||
|
||||
### Non-goals
|
||||
|
||||
@ -285,8 +284,7 @@ We could go further and make PSA accelerators available to legacy callers that c
|
||||
|
||||
#### Implications between legacy availability and PSA availability
|
||||
|
||||
* When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, all legacy mechanisms are automatically enabled through PSA. Users can manually enable PSA mechanisms that are available through accelerators but not through legacy, but this is not officially supported (users are not supposed to manually define PSA configuration symbols when `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled).
|
||||
* When `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled, there is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator.
|
||||
There is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator.
|
||||
|
||||
It is strongly desirable to allow mechanisms available through PSA but not legacy: this allows saving code size when an accelerator is present.
|
||||
|
||||
@ -522,8 +520,6 @@ As discussed in [“Implications between legacy availability and PSA availabilit
|
||||
|
||||
> If an algorithm has a legacy implementation, it is also available through PSA.
|
||||
|
||||
When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, this is already the case. When is enabled, we will now make it so as well. Change `include/mbedtls/config_psa.h` accordingly.
|
||||
|
||||
### MD light optimizations
|
||||
|
||||
This section is not necessary to implement MD light, but will cut down its code size.
|
||||
|
||||
@ -22,11 +22,6 @@ the following compile-time configuration options enabled:
|
||||
TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS
|
||||
and want them to have access to the algorithms provided by your driver. (See
|
||||
[the dedicated document](use-psa-crypto.md) for details.)
|
||||
- `MBEDTLS_PSA_CRYPTO_CONFIG` (disabled by default) - this enables
|
||||
configuration of cryptographic algorithms using `PSA_WANT` macros in
|
||||
`include/psa/crypto_config.h`. See [Conditional inclusion of cryptographic
|
||||
mechanism through the PSA API in Mbed
|
||||
TLS](proposed/psa-conditional-inclusion-c.md) for details.
|
||||
|
||||
In addition, for each mechanism you want provided only by your driver:
|
||||
|
||||
|
||||
@ -347,7 +347,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
|
||||
#define MBEDTLS_PKCS1_V15
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
#define MBEDTLS_POLY1305_C
|
||||
//#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
//#define MBEDTLS_PSA_CRYPTO_SE_C
|
||||
#define MBEDTLS_RIPEMD160_C
|
||||
#define MBEDTLS_RSA_C
|
||||
|
||||
@ -50,11 +50,7 @@ The current model is difficult to adapt to the PSA interface for several reasons
|
||||
### PSA Crypto configuration file
|
||||
|
||||
The PSA Crypto configuration file `psa/crypto_config.h` defines a series of symbols of the form `PSA_WANT_xxx` where `xxx` describes the feature that the symbol enables. The symbols are documented in the section [“PSA Crypto configuration symbols”](#psa-crypto-configuration-symbols) below.
|
||||
|
||||
The symbol `MBEDTLS_PSA_CRYPTO_CONFIG` in `mbedtls/mbedtls_config.h` determines whether `psa/crypto_config.h` is used.
|
||||
|
||||
* If `MBEDTLS_PSA_CRYPTO_CONFIG` is unset, which is the default at least in Mbed TLS 2.x versions, things are as they are today: the PSA subsystem includes generic code unconditionally, and includes support for specific mechanisms conditionally based on the existing `MBEDTLS_xxx_` symbols.
|
||||
* If `MBEDTLS_PSA_CRYPTO_CONFIG` is set, the necessary software implementations of cryptographic algorithms are included based on both the content of the PSA Crypto configuration file and the Mbed TLS configuration file. For example, the code in `aes.c` is enabled if either `mbedtls/mbedtls_config.h` contains `MBEDTLS_AES_C` or `psa/crypto_config.h` contains `PSA_WANT_KEY_TYPE_AES`.
|
||||
The necessary software implementations of cryptographic algorithms are included based on the content of the PSA Crypto configuration file. For example, the code in `aes.c` is enabled if `psa/crypto_config.h` contains `PSA_WANT_KEY_TYPE_AES`.
|
||||
|
||||
### PSA Crypto configuration symbols
|
||||
|
||||
@ -130,23 +126,15 @@ These symbols are not part of the public interface of Mbed TLS towards applicati
|
||||
|
||||
### Architecture of symbol definitions
|
||||
|
||||
#### New-style definition of configuration symbols
|
||||
#### Definition of configuration symbols
|
||||
|
||||
When `MBEDTLS_PSA_CRYPTO_CONFIG` is set, the header file `mbedtls/mbedtls_config.h` needs to define all the `MBEDTLS_xxx_C` configuration symbols, including the ones deduced from the PSA Crypto configuration. It does this by including the new header file **`mbedtls/config_psa.h`**, which defines the `MBEDTLS_PSA_BUILTIN_xxx` symbols and deduces the corresponding `MBEDTLS_xxx_C` (and other) symbols.
|
||||
The header file `mbedtls/mbedtls_config.h` defines all the `MBEDTLS_xxx_C` configuration symbols, including the ones deduced from the PSA Crypto configuration. It does this by including the new header file **`mbedtls/config_psa.h`**, which defines the `MBEDTLS_PSA_BUILTIN_xxx` symbols and deduces the corresponding `MBEDTLS_xxx_C` (and other) symbols.
|
||||
|
||||
`mbedtls/config_psa.h` includes `psa/crypto_config.h`, the user-editable file that defines application requirements.
|
||||
|
||||
#### Old-style definition of configuration symbols
|
||||
|
||||
When `MBEDTLS_PSA_CRYPTO_CONFIG` is not set, the configuration of Mbed TLS works as before, and the inclusion of non-PSA code only depends on `MBEDTLS_xxx` symbols defined (or not) in `mbedtls/mbedtls_config.h`. Furthermore, the new header file **`mbedtls/config_psa.h`** deduces PSA configuration symbols (`PSA_WANT_xxx`, `MBEDTLS_PSA_BUILTIN_xxx`) from classic configuration symbols (`MBEDTLS_xxx`).
|
||||
|
||||
The `PSA_WANT_xxx` definitions in `mbedtls/config_psa.h` are needed not only to build the PSA parts of the library, but also to build code that uses these parts. This includes structure definitions in `psa/crypto_struct.h`, size calculations in `psa/crypto_sizes.h`, and application code that's specific to a given cryptographic mechanism. In Mbed TLS itself, code under `MBEDTLS_USE_PSA_CRYPTO` and conditional compilation guards in tests and sample programs need `PSA_WANT_xxx`.
|
||||
|
||||
Since some existing applications use a handwritten `mbedtls/mbedtls_config.h` or an edited copy of `mbedtls/mbedtls_config.h` from an earlier version of Mbed TLS, `mbedtls/config_psa.h` must be included via an already existing header that is not `mbedtls/mbedtls_config.h`, so it is included via `psa/crypto.h` (for example from `psa/crypto_platform.h`).
|
||||
|
||||
#### Summary of definitions of configuration symbols
|
||||
|
||||
Whether `MBEDTLS_PSA_CRYPTO_CONFIG` is set or not, `mbedtls/config_psa.h` includes `mbedtls/crypto_drivers.h`, a header file generated by the transpilation of the driver descriptions. It defines `MBEDTLS_PSA_ACCEL_xxx` symbols according to the availability of transparent drivers without fallback.
|
||||
`mbedtls/config_psa.h` includes `mbedtls/crypto_drivers.h`, a header file generated by the transpilation of the driver descriptions. It defines `MBEDTLS_PSA_ACCEL_xxx` symbols according to the availability of transparent drivers without fallback.
|
||||
|
||||
The following table summarizes where symbols are defined depending on the configuration mode.
|
||||
|
||||
@ -154,13 +142,13 @@ The following table summarizes where symbols are defined depending on the config
|
||||
* (D) indicates a symbol that is deduced from other symbols by code that ships with Mbed TLS.
|
||||
* (G) indicates a symbol that is generated from driver descriptions.
|
||||
|
||||
| Symbols | With `MBEDTLS_PSA_CRYPTO_CONFIG` | Without `MBEDTLS_PSA_CRYPTO_CONFIG` |
|
||||
| ------------------------- | --------------------------------- | ----------------------------------- |
|
||||
| `MBEDTLS_xxx_C` | `mbedtls/mbedtls_config.h` (U) or | `mbedtls/mbedtls_config.h` (U) |
|
||||
| | `mbedtls/config_psa.h` (D) | |
|
||||
| `PSA_WANT_xxx` | `psa/crypto_config.h` (U) | `mbedtls/config_psa.h` (D) |
|
||||
| `MBEDTLS_PSA_BUILTIN_xxx` | `mbedtls/config_psa.h` (D) | `mbedtls/config_psa.h` (D) |
|
||||
| `MBEDTLS_PSA_ACCEL_xxx` | `mbedtls/crypto_drivers.h` (G) | N/A |
|
||||
| Symbols | |
|
||||
| ------------------------- | --------------------------------- |
|
||||
| `MBEDTLS_xxx_C` | `mbedtls/mbedtls_config.h` (U) or |
|
||||
| | `mbedtls/config_psa.h` (D) |
|
||||
| `PSA_WANT_xxx` | `psa/crypto_config.h` (U) |
|
||||
| `MBEDTLS_PSA_BUILTIN_xxx` | `mbedtls/config_psa.h` (D) |
|
||||
| `MBEDTLS_PSA_ACCEL_xxx` | `mbedtls/crypto_drivers.h` (G) |
|
||||
|
||||
#### Visibility of internal symbols
|
||||
|
||||
|
||||
@ -142,7 +142,6 @@ This guide assumes you are building Mbed TLS from source alongside your project.
|
||||
|
||||
The Mbed TLS build system includes the instructions needed to build p256-m. To build with and use p256-m, set the macro `MBEDTLS_PSA_P256M_DRIVER_ENABLED` using `config.py`, then build as usual using make/cmake. From the root of the `mbedtls/` directory, run:
|
||||
|
||||
python3 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
python3 scripts/config.py set MBEDTLS_PSA_P256M_DRIVER_ENABLED
|
||||
make
|
||||
|
||||
|
||||
@ -175,9 +175,7 @@ Note that a key consumes a key store entry, which is distinct from heap memory,
|
||||
|
||||
### Cryptographic mechanism availability
|
||||
|
||||
**This section only applies if `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled.** This option is disabled in the default configuration.
|
||||
|
||||
When the configuration option [`MBEDTLS_PSA_CRYPTO_CONFIG`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a5aca5ddcffb586acad82f9aef26db056) is enabled, the cryptographic mechanisms available through the PSA API are determined by the contents of the header file `"psa/crypto_config.h"`. You can override the file location with the macro [`MBEDTLS_PSA_CRYPTO_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a25f7e358caa101570cb9519705c2b873), and you can set [`MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1abd1870cc0d2681183a3018a7247cb137) to the path of an additional file (similar to `MBEDTLS_CONFIG_FILE` and `MBEDTLS_USER_CONFIG_FILE` for legacy configuration symbols).
|
||||
The cryptographic mechanisms available through the PSA API are determined by the contents of the header file `"psa/crypto_config.h"`. You can override the file location with the macro [`MBEDTLS_PSA_CRYPTO_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a25f7e358caa101570cb9519705c2b873), and you can set [`MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1abd1870cc0d2681183a3018a7247cb137) to the path of an additional file (similar to `MBEDTLS_CONFIG_FILE` and `MBEDTLS_USER_CONFIG_FILE` for legacy configuration symbols).
|
||||
|
||||
The availability of cryptographic mechanisms in the PSA API is based on a systematic pattern:
|
||||
|
||||
|
||||
@ -131,7 +131,6 @@
|
||||
#endif
|
||||
|
||||
/* PSA crypto configuration */
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
|
||||
#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
|
||||
#else
|
||||
@ -140,7 +139,6 @@
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE)
|
||||
#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
|
||||
#endif
|
||||
#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
|
||||
|
||||
/* Indicate that all configuration files have been read.
|
||||
* It is now time to adjust the configuration (follow through on dependencies,
|
||||
@ -170,11 +168,7 @@
|
||||
* this symbol should be consulted after its inclusion.
|
||||
* (e.g. MBEDTLS_MD_LIGHT)
|
||||
*/
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
|
||||
defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ || \
|
||||
defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* The same as the previous, but with separation only */
|
||||
#include "mbedtls/config_psa.h"
|
||||
#endif
|
||||
|
||||
#include "mbedtls/config_adjust_legacy_crypto.h"
|
||||
|
||||
|
||||
@ -118,7 +118,7 @@
|
||||
#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) && defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
|
||||
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_NO_PADDING cannot be defined simultaneously"
|
||||
#endif
|
||||
|
||||
@ -1,359 +0,0 @@
|
||||
/**
|
||||
* \file mbedtls/config_adjust_psa_from_legacy.h
|
||||
* \brief Adjust PSA configuration: construct PSA configuration from legacy
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable
|
||||
* cryptographic mechanisms through the PSA interface when the corresponding
|
||||
* legacy mechanism is enabled. In many cases, this just enables the PSA
|
||||
* wrapper code around the legacy implementation, but we also do this for
|
||||
* some mechanisms where PSA has its own independent implementation so
|
||||
* that high-level modules that can use either cryptographic API have the
|
||||
* same feature set in both cases.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/*
|
||||
* Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
* is not defined
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_CCM_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
|
||||
#define PSA_WANT_ALG_CCM 1
|
||||
#if defined(MBEDTLS_CIPHER_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
|
||||
#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
|
||||
#endif /* MBEDTLS_CIPHER_C */
|
||||
#endif /* MBEDTLS_CCM_C */
|
||||
|
||||
#if defined(MBEDTLS_CMAC_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
|
||||
#define PSA_WANT_ALG_CMAC 1
|
||||
#endif /* MBEDTLS_CMAC_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
|
||||
#define PSA_WANT_ALG_ECDH 1
|
||||
#endif /* MBEDTLS_ECDH_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
|
||||
#define PSA_WANT_ALG_ECDSA 1
|
||||
#define PSA_WANT_ALG_ECDSA_ANY 1
|
||||
|
||||
// Only add in DETERMINISTIC support if ECDSA is also enabled
|
||||
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
|
||||
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
|
||||
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
||||
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
|
||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
|
||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
|
||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
||||
/* Normally we wouldn't enable this because it's not implemented in ecp.c,
|
||||
* but since it used to be available any time ECP_C was enabled, let's enable
|
||||
* it anyway for the sake of backwards compatibility */
|
||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
||||
/* See comment for PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE above. */
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
|
||||
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_DHM_C)
|
||||
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
||||
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
||||
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
||||
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
||||
#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
|
||||
#define PSA_WANT_ALG_FFDH 1
|
||||
#define PSA_WANT_DH_RFC7919_2048 1
|
||||
#define PSA_WANT_DH_RFC7919_3072 1
|
||||
#define PSA_WANT_DH_RFC7919_4096 1
|
||||
#define PSA_WANT_DH_RFC7919_6144 1
|
||||
#define PSA_WANT_DH_RFC7919_8192 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
|
||||
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
|
||||
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
|
||||
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
|
||||
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
|
||||
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
|
||||
#endif /* MBEDTLS_DHM_C */
|
||||
|
||||
#if defined(MBEDTLS_GCM_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
|
||||
#define PSA_WANT_ALG_GCM 1
|
||||
#endif /* MBEDTLS_GCM_C */
|
||||
|
||||
/* Enable PSA HKDF algorithm if mbedtls HKDF is supported.
|
||||
* PSA HKDF EXTRACT and PSA HKDF EXPAND have minimal cost when
|
||||
* PSA HKDF is enabled, so enable both algorithms together
|
||||
* with PSA HKDF. */
|
||||
#if defined(MBEDTLS_HKDF_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
|
||||
#define PSA_WANT_ALG_HMAC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
|
||||
#define PSA_WANT_ALG_HKDF 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
|
||||
#define PSA_WANT_ALG_HKDF_EXTRACT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
|
||||
#define PSA_WANT_ALG_HKDF_EXPAND 1
|
||||
#endif /* MBEDTLS_HKDF_C */
|
||||
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
|
||||
#define PSA_WANT_ALG_HMAC 1
|
||||
#define PSA_WANT_KEY_TYPE_HMAC 1
|
||||
|
||||
#if defined(MBEDTLS_MD_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
|
||||
#define PSA_WANT_ALG_TLS12_PRF 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
|
||||
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
|
||||
#endif /* MBEDTLS_MD_C */
|
||||
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
|
||||
#define PSA_WANT_ALG_MD5 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECJPAKE_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_PAKE 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
|
||||
#define PSA_WANT_ALG_JPAKE 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
|
||||
#define PSA_WANT_ALG_RIPEMD160 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
#if defined(MBEDTLS_PKCS1_V15)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
|
||||
#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
|
||||
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
|
||||
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW 1
|
||||
#endif /* MBEDTLS_PKCS1_V15 */
|
||||
#if defined(MBEDTLS_PKCS1_V21)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
|
||||
#define PSA_WANT_ALG_RSA_OAEP 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
|
||||
#define PSA_WANT_ALG_RSA_PSS 1
|
||||
#endif /* MBEDTLS_PKCS1_V21 */
|
||||
#if defined(MBEDTLS_GENPRIME)
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
|
||||
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
|
||||
#endif /* MBEDTLS_GENPRIME */
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
|
||||
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
|
||||
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
|
||||
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
|
||||
#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
|
||||
#define PSA_WANT_ALG_SHA_1 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
|
||||
#define PSA_WANT_ALG_SHA_224 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
|
||||
#define PSA_WANT_ALG_SHA_256 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
|
||||
#define PSA_WANT_ALG_SHA_384 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
|
||||
#define PSA_WANT_ALG_SHA_512 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA3_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1
|
||||
#define PSA_WANT_ALG_SHA3_224 1
|
||||
#define PSA_WANT_ALG_SHA3_256 1
|
||||
#define PSA_WANT_ALG_SHA3_384 1
|
||||
#define PSA_WANT_ALG_SHA3_512 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
#define PSA_WANT_KEY_TYPE_AES 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARIA_C)
|
||||
#define PSA_WANT_KEY_TYPE_ARIA 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CAMELLIA_C)
|
||||
#define PSA_WANT_KEY_TYPE_CAMELLIA 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#define PSA_WANT_KEY_TYPE_DES 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
|
||||
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CHACHA20_C)
|
||||
#define PSA_WANT_KEY_TYPE_CHACHA20 1
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
|
||||
/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */
|
||||
#if defined(MBEDTLS_CIPHER_C)
|
||||
#define PSA_WANT_ALG_STREAM_CIPHER 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
|
||||
#endif
|
||||
#if defined(MBEDTLS_CHACHAPOLY_C)
|
||||
#define PSA_WANT_ALG_CHACHA20_POLY1305 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
|
||||
#define PSA_WANT_ALG_CBC_NO_PADDING 1
|
||||
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
|
||||
#define PSA_WANT_ALG_CBC_PKCS7 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
|
||||
defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)) && \
|
||||
defined(MBEDTLS_CIPHER_C)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
|
||||
#define PSA_WANT_ALG_ECB_NO_PADDING 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CFB)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
|
||||
#define PSA_WANT_ALG_CFB 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CTR)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
|
||||
#define PSA_WANT_ALG_CTR 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_OFB)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
|
||||
#define PSA_WANT_ALG_OFB 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
|
||||
#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
|
||||
#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
|
||||
#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
|
||||
#define PSA_WANT_ECC_MONTGOMERY_255 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
|
||||
#define PSA_WANT_ECC_MONTGOMERY_448 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
|
||||
#define PSA_WANT_ECC_SECP_R1_192 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
|
||||
#define PSA_WANT_ECC_SECP_R1_224 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
|
||||
#define PSA_WANT_ECC_SECP_R1_256 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
|
||||
#define PSA_WANT_ECC_SECP_R1_384 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
|
||||
#define PSA_WANT_ECC_SECP_R1_521 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
|
||||
#define PSA_WANT_ECC_SECP_K1_192 1
|
||||
#endif
|
||||
|
||||
/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */
|
||||
#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
|
||||
#define PSA_WANT_ECC_SECP_K1_224 1
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
|
||||
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
|
||||
#define PSA_WANT_ECC_SECP_K1_256 1
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H */
|
||||
@ -1241,8 +1241,7 @@
|
||||
* If you enable this option, you do not need to enable any ECC-related
|
||||
* MBEDTLS_xxx option. You do need to separately request support for the
|
||||
* cryptographic mechanisms through the PSA API:
|
||||
* - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
|
||||
* configuration;
|
||||
* - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration;
|
||||
* - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
|
||||
* - #PSA_WANT_ECC_SECP_R1_256;
|
||||
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
|
||||
@ -1901,38 +1900,6 @@
|
||||
*/
|
||||
//#define MBEDTLS_THREADING_PTHREAD
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
*
|
||||
* This setting allows support for cryptographic mechanisms through the PSA
|
||||
* API to be configured separately from support through the mbedtls API.
|
||||
*
|
||||
* When this option is disabled, the PSA API exposes the cryptographic
|
||||
* mechanisms that can be implemented on top of the `mbedtls_xxx` API
|
||||
* configured with `MBEDTLS_XXX` symbols.
|
||||
*
|
||||
* When this option is enabled, the PSA API exposes the cryptographic
|
||||
* mechanisms requested by the `PSA_WANT_XXX` symbols defined in
|
||||
* include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
|
||||
* automatically enabled if required (i.e. if no PSA driver provides the
|
||||
* mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
|
||||
* in mbedtls_config.h.
|
||||
*
|
||||
* If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
|
||||
* an alternative header to include instead of include/psa/crypto_config.h.
|
||||
*
|
||||
* \warning This option is experimental, in that the set of `PSA_WANT_XXX`
|
||||
* symbols is not completely finalized yet, and the configuration
|
||||
* tooling is not ideally adapted to having two separate configuration
|
||||
* files.
|
||||
* Future minor releases of Mbed TLS may make minor changes to those
|
||||
* symbols, but we will endeavor to provide a transition path.
|
||||
* Nonetheless, this option is considered mature enough to use in
|
||||
* production, as long as you accept that you may need to make
|
||||
* minor changes to psa/crypto_config.h when upgrading Mbed TLS.
|
||||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_VERSION_FEATURES
|
||||
*
|
||||
@ -2173,10 +2140,10 @@
|
||||
* \note This feature is incompatible with insecure block cipher,
|
||||
* MBEDTLS_DES_C, and cipher modes which always require decryption
|
||||
* operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and
|
||||
* MBEDTLS_NIST_KW_C. When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled,
|
||||
* this feature is incompatible with following supported PSA equivalence,
|
||||
* PSA_WANT_ALG_ECB_NO_PADDING, PSA_WANT_ALG_CBC_NO_PADDING,
|
||||
* PSA_WANT_ALG_CBC_PKCS7 and PSA_WANT_KEY_TYPE_DES.
|
||||
* MBEDTLS_NIST_KW_C. This feature is incompatible with following
|
||||
* supported PSA equivalence PSA_WANT_ALG_ECB_NO_PADDING,
|
||||
* PSA_WANT_ALG_CBC_NO_PADDING, PSA_WANT_ALG_CBC_PKCS7 and
|
||||
* PSA_WANT_KEY_TYPE_DES.
|
||||
*
|
||||
* Module: library/aes.c
|
||||
* library/aesce.c
|
||||
@ -3572,8 +3539,7 @@
|
||||
* If defined, this is a header which will be included instead of
|
||||
* `"psa/crypto_config.h"`.
|
||||
* This header file specifies which cryptographic mechanisms are available
|
||||
* through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
|
||||
* is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
||||
* through the PSA API.
|
||||
*
|
||||
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
|
||||
* non-standard feature of the C language, so this feature is only available
|
||||
|
||||
@ -108,7 +108,6 @@ component_test_psa_crypto_without_heap() {
|
||||
scripts/config.py unset-all "^MBEDTLS_"
|
||||
# Build the PSA core using the proper config file.
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_C
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
# Enable fully-static key slots in PSA core.
|
||||
scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS
|
||||
# Prevent PSA core from creating a copy of input/output buffers.
|
||||
@ -139,7 +138,6 @@ component_test_psa_crypto_without_heap() {
|
||||
|
||||
component_test_no_rsa_key_pair_generation () {
|
||||
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py unset MBEDTLS_GENPRIME
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
make
|
||||
@ -452,7 +450,6 @@ component_test_everest () {
|
||||
|
||||
component_test_everest_curve25519_only () {
|
||||
msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
|
||||
scripts/config.py unset MBEDTLS_ECDSA_C
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||
@ -640,7 +637,7 @@ component_build_module_alt () {
|
||||
}
|
||||
|
||||
component_test_psa_crypto_config_accel_ecdsa () {
|
||||
msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
|
||||
msg "build: accelerated ECDSA"
|
||||
|
||||
# Algorithms and key types to accelerate
|
||||
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
|
||||
@ -677,12 +674,12 @@ component_test_psa_crypto_config_accel_ecdsa () {
|
||||
# Run the tests
|
||||
# -------------
|
||||
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
|
||||
msg "test: accelerated ECDSA"
|
||||
make test
|
||||
}
|
||||
|
||||
component_test_psa_crypto_config_accel_ecdh () {
|
||||
msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
|
||||
msg "build: accelerated ECDH"
|
||||
|
||||
# Algorithms and key types to accelerate
|
||||
loc_accel_list="ALG_ECDH \
|
||||
@ -718,7 +715,7 @@ component_test_psa_crypto_config_accel_ecdh () {
|
||||
# Run the tests
|
||||
# -------------
|
||||
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
|
||||
msg "test: accelerated ECDH"
|
||||
make test
|
||||
}
|
||||
|
||||
@ -1072,7 +1069,7 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
|
||||
|
||||
# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only
|
||||
component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
|
||||
msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs"
|
||||
msg "build: non-accelerated EC algs"
|
||||
|
||||
config_psa_crypto_config_ecp_light_only 0
|
||||
|
||||
@ -1622,9 +1619,6 @@ component_test_new_psa_want_key_pair_symbol () {
|
||||
scripts/config.py unset MBEDTLS_RSA_C
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
|
||||
# Enable PSA support
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
|
||||
# Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
|
||||
# that proper translations is done in crypto_legacy.h.
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
|
||||
@ -1647,7 +1641,7 @@ component_test_new_psa_want_key_pair_symbol () {
|
||||
}
|
||||
|
||||
component_test_psa_crypto_config_accel_hash () {
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
|
||||
msg "test: accelerated hash"
|
||||
|
||||
loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
|
||||
ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
|
||||
@ -1687,7 +1681,7 @@ component_test_psa_crypto_config_accel_hash () {
|
||||
# Run the tests
|
||||
# -------------
|
||||
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
|
||||
msg "test: accelerated hash"
|
||||
make test
|
||||
}
|
||||
|
||||
@ -1847,7 +1841,7 @@ component_test_psa_crypto_config_reference_hmac () {
|
||||
}
|
||||
|
||||
component_test_psa_crypto_config_accel_des () {
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
|
||||
msg "test: accelerated DES"
|
||||
|
||||
# Albeit this components aims at accelerating DES which should only support
|
||||
# CBC and ECB modes, we need to accelerate more than that otherwise DES_C
|
||||
@ -1889,12 +1883,12 @@ component_test_psa_crypto_config_accel_des () {
|
||||
# Run the tests
|
||||
# -------------
|
||||
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
|
||||
msg "test: accelerated DES"
|
||||
make test
|
||||
}
|
||||
|
||||
component_test_psa_crypto_config_accel_aead () {
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
|
||||
msg "test: accelerated AEAD"
|
||||
|
||||
loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \
|
||||
KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
|
||||
@ -1928,7 +1922,7 @@ component_test_psa_crypto_config_accel_aead () {
|
||||
# Run the tests
|
||||
# -------------
|
||||
|
||||
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
|
||||
msg "test: accelerated AEAD"
|
||||
make test
|
||||
}
|
||||
|
||||
@ -2283,7 +2277,6 @@ component_build_aes_variations () {
|
||||
# MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES,
|
||||
# manually set or unset those configurations to check
|
||||
# MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
|
||||
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
|
||||
scripts/config.py unset MBEDTLS_NIST_KW_C
|
||||
@ -2311,7 +2304,6 @@ component_test_sha3_variations () {
|
||||
#define MBEDTLS_CTR_DRBG_C
|
||||
#define MBEDTLS_ENTROPY_C
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
#define MBEDTLS_SELF_TEST
|
||||
END
|
||||
|
||||
@ -2504,7 +2496,6 @@ config_block_cipher_no_decrypt () {
|
||||
|
||||
# Enable support for cryptographic mechanisms through the PSA API.
|
||||
# Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
|
||||
@ -2659,7 +2650,6 @@ component_test_psa_crypto_drivers () {
|
||||
|
||||
component_build_psa_config_file () {
|
||||
msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
cp "$CRYPTO_CONFIG_H" psa_test_config.h
|
||||
echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
|
||||
make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
|
||||
|
||||
@ -57,7 +57,6 @@ component_test_no_renegotiation () {
|
||||
component_test_tls1_2_default_stream_cipher_only () {
|
||||
msg "build: default with only stream cipher use psa"
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
|
||||
@ -94,7 +93,6 @@ component_test_tls1_2_default_stream_cipher_only () {
|
||||
component_test_tls1_2_default_cbc_legacy_cipher_only () {
|
||||
msg "build: default with only CBC-legacy cipher use psa"
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
|
||||
@ -128,7 +126,6 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
|
||||
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
|
||||
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
|
||||
@ -424,7 +421,6 @@ component_test_ssl_alloc_buffer_and_mfl () {
|
||||
|
||||
component_test_when_no_ciphersuites_have_mac () {
|
||||
msg "build: when no ciphersuites have MAC"
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
|
||||
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
|
||||
@ -482,7 +478,6 @@ component_test_tls13_only_psk () {
|
||||
scripts/config.py unset MBEDTLS_PKCS7_C
|
||||
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||
@ -534,7 +529,6 @@ component_test_tls13_only_ephemeral_ffdh () {
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
|
||||
# Note: The unset below is to be removed for Mbed TLS 4.0
|
||||
scripts/config.py unset MBEDTLS_ECDH_C
|
||||
@ -558,7 +552,6 @@ component_test_tls13_only_psk_ephemeral () {
|
||||
scripts/config.py unset MBEDTLS_PKCS7_C
|
||||
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
|
||||
@ -586,7 +579,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
|
||||
scripts/config.py unset MBEDTLS_PKCS7_C
|
||||
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||
@ -615,7 +607,6 @@ component_test_tls13_only_psk_all () {
|
||||
scripts/config.py unset MBEDTLS_PKCS7_C
|
||||
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
|
||||
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
|
||||
|
||||
@ -11,10 +11,7 @@
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
#include "check_crypto_config.h"
|
||||
#endif
|
||||
|
||||
#include "psa/crypto.h"
|
||||
#include "psa/crypto_values.h"
|
||||
|
||||
|
||||
@ -4,11 +4,10 @@
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations
|
||||
* of cryptographic mechanisms as needed to fulfill the needs of the PSA
|
||||
* configuration. Generally speaking, we activate a legacy mechanism if
|
||||
* it's needed for a requested PSA mechanism and there is no PSA driver
|
||||
* for it.
|
||||
* Activate legacy implementations of cryptographic mechanisms as needed to
|
||||
* fulfill the needs of the PSA configuration. Generally speaking, we activate
|
||||
* a legacy mechanism if it's needed for a requested PSA mechanism and there is
|
||||
* no PSA driver for it.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
|
||||
@ -4,8 +4,7 @@
|
||||
*
|
||||
* This is an internal header for test purposes only. Do not include it directly.
|
||||
*
|
||||
* As part of the transition to MBEDTLS_PSA_CRYPTO_CONFIG always on, the
|
||||
* purpose of this header is to keep executing as long as necessary some
|
||||
* The purpose of this header is to keep executing as long as necessary some
|
||||
* driver-only related unit test cases when running the test_psa_crypto_drivers
|
||||
* all.sh component (namely test cases in test_suite_block_cipher and
|
||||
* test_suite_md.psa). It is expected that as the 4.x work progress these test
|
||||
|
||||
@ -26,8 +26,6 @@
|
||||
|
||||
#include "mbedtls/config_adjust_psa_superset_legacy.h"
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
|
||||
/* Require built-in implementations based on PSA requirements */
|
||||
|
||||
/* We need this to have a complete list of requirements
|
||||
@ -43,18 +41,6 @@
|
||||
#endif
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||
|
||||
#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
|
||||
|
||||
/* Infer PSA requirements from Mbed TLS capabilities */
|
||||
|
||||
#include "mbedtls/config_adjust_psa_from_legacy.h"
|
||||
|
||||
/* Hopefully the file above will have enabled keypair symbols in a consistent
|
||||
* way, but including this here fixes them if that wasn't the case. */
|
||||
#include "psa/crypto_adjust_config_key_pair_types.h"
|
||||
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
|
||||
|
||||
#include "psa/crypto_adjust_config_derived.h"
|
||||
|
||||
#include "psa/crypto_adjust_auto_enabled.h"
|
||||
|
||||
@ -3,10 +3,8 @@
|
||||
* \brief PSA crypto configuration options (set of defines)
|
||||
*
|
||||
*/
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
/**
|
||||
* When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
|
||||
* this file determines which cryptographic mechanisms are enabled
|
||||
* This file determines which cryptographic mechanisms are enabled
|
||||
* through the PSA Cryptography API (\c psa_xxx() functions).
|
||||
*
|
||||
* To enable a cryptographic mechanism, uncomment the definition of
|
||||
@ -22,14 +20,7 @@
|
||||
* (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
|
||||
* additional symbols.
|
||||
*/
|
||||
#else
|
||||
/**
|
||||
* When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
|
||||
* this file is not used, and cryptographic mechanisms are supported
|
||||
* through the PSA API if and only if they are supported through the
|
||||
* mbedtls_xxx API.
|
||||
*/
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||
|
||||
@ -18,7 +18,6 @@
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
|
||||
/* PSA core mandatory configuration options */
|
||||
#define MBEDTLS_CIPHER_C
|
||||
|
||||
@ -49,11 +49,7 @@
|
||||
/* Pick an elliptic curve that's supported by PSA. Note that the curve is
|
||||
* not guaranteed to be supported by the ECP module.
|
||||
*
|
||||
* This should always find a curve if ECC is enabled in the build, except in
|
||||
* one edge case: in a build with MBEDTLS_PSA_CRYPTO_CONFIG disabled and
|
||||
* where the only legacy curve is secp224k1, which is not supported in PSA,
|
||||
* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY ends up enabled but PSA does not
|
||||
* support any curve.
|
||||
* This should always find a curve if ECC is enabled in the build.
|
||||
*/
|
||||
|
||||
/* First try all the curves that can do both ECDSA and ECDH, then try
|
||||
|
||||
Loading…
Reference in New Issue
Block a user