From b0c96f47e7dfa7f463cb92f886842a48d85e1d26 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 15 May 2024 09:27:27 +0200
Subject: [PATCH] Resolve some HMAC dependencies automatically
Signed-off-by: Ronald Cron
---
 configs/crypto-config-ccm-aes-sha256.h | 4 +--
 configs/crypto-config-ccm-psk-tls1_2.h | 2 --
 configs/crypto-config-suite-b.h | 3 ---
 include/mbedtls/config_psa.h | 2 ++
 .../psa/crypto_adjust_config_dependencies.h | 27 +++++++++++++++++++
 5 files changed, 30 insertions(+), 8 deletions(-)
 create mode 100644 include/psa/crypto_adjust_config_dependencies.h
diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h
index 7f8d58768c..68a9c0a539 100644
--- a/configs/crypto-config-ccm-aes-sha256.h
+++ b/configs/crypto-config-ccm-aes-sha256.h
@@ -2,7 +2,7 @@
 * \file configs/crypto-config-ccm-aes-sha256.h
 *
 * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES,
- * SHA-256, HMAC and key derivation
+ * SHA-256 and key derivation (uses HMAC).
 */
 /*
 * Copyright The Mbed TLS Contributors
@@ -13,12 +13,10 @@
 #define PSA_CRYPTO_CONFIG_H
 #define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_HMAC 1
 #define PSA_WANT_ALG_SHA_256 1
 #define PSA_WANT_ALG_TLS12_PRF 1
 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
 #define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
 #define PSA_WANT_KEY_TYPE_AES 1
 #define PSA_WANT_KEY_TYPE_RAW_DATA 1
diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h
index d59729cd1b..f4928e2ee0 100644
--- a/configs/crypto-config-ccm-psk-tls1_2.h
+++ b/configs/crypto-config-ccm-psk-tls1_2.h
@@ -17,11 +17,9 @@
 #define PSA_CRYPTO_CONFIG_H
 #define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_HMAC 1
 #define PSA_WANT_ALG_SHA_256 1
 #define PSA_WANT_ALG_TLS12_PRF 1
 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
 #define PSA_WANT_KEY_TYPE_AES 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
 #endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h
index 268db60d7a..ec209193e0 100644
--- a/configs/crypto-config-suite-b.h
+++ b/configs/crypto-config-suite-b.h
@@ -18,7 +18,6 @@
 *
 * Possible improvements:
 * - if 128-bit security is enough, disable secp384r1 and SHA-512
- * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
 *
 * To be used in conjunction with configs/config-suite-b.h.
 */
@@ -28,7 +27,6 @@
 #define PSA_WANT_ALG_ECDH 1
 #define PSA_WANT_ALG_ECDSA 1
 #define PSA_WANT_ALG_GCM 1
-#define PSA_WANT_ALG_HMAC 1
 #define PSA_WANT_ALG_SHA_256 1
 #define PSA_WANT_ALG_SHA_384 1
 #define PSA_WANT_ALG_SHA_512 1
@@ -40,5 +38,4 @@
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
 #endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 17da61b3e8..de961ec0f8 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -22,6 +22,8 @@
 #include "psa/crypto_adjust_config_synonyms.h"
+#include "psa/crypto_adjust_config_dependencies.h"
+
 #include "mbedtls/config_adjust_psa_superset_legacy.h"
 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
new file mode 100644
index 0000000000..776f05b422
--- /dev/null
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -0,0 +1,27 @@
+/**
+ * \file psa/crypto_adjust_config_dependencies.h
+ * \brief Adjust PSA configuration by resolving some dependencies.
+ *
+ * See docs/proposed/psa-conditional-inclusion-c.md.
+ * If a cryptographic mechanism A depends on a cryptographic mechanism B and
+ * A is enabled then enable B.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+
+#if defined(PSA_WANT_ALG_TLS12_PRF) || \
+ defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) || \
+ defined(PSA_WANT_ALG_HKDF) || \
+ defined(PSA_WANT_ALG_HKDF_EXTRACT) || \
+ defined(PSA_WANT_ALG_HKDF_EXPAND) || \
+ defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#endif
+
+#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */
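Review bot: The two HMAC `#define`s inside the `#if` block of the new header are unconditional, so a configuration that already defines `PSA_WANT_ALG_HMAC` or `PSA_WANT_KEY_TYPE_HMAC` with a replacement other than `1` gets an incompatible-redefinition diagnostic; giving each macro its own `!defined` guard, as sketched below, keeps the adjustment idempotent. The block also turns on HMAC and the HMAC key type for anyone who asked only for a KDF, which presumably makes them usable through the PSA API in builds meant to be minimal, so a comment above the `#if` such as `/* TLS 1.2 PRF/PSK-to-MS, HKDF and PBKDF2-HMAC are built on HMAC: requesting any of them enables HMAC and HMAC keys. */` would make that visible to someone auditing the enabled mechanisms. The same commit drops both macros from configs/crypto-config-suite-b.h, and none of the six trigger macros appears in that file's visible hunks; confirm one of them is defined in the lines between the hunks, otherwise that configuration loses HMAC.

```c
/* … unchanged: #if defined(PSA_WANT_ALG_TLS12_PRF) || … || defined(PSA_WANT_ALG_PBKDF2_HMAC) … */
#if !defined(PSA_WANT_ALG_HMAC)
#define PSA_WANT_ALG_HMAC 1
#endif
#if !defined(PSA_WANT_KEY_TYPE_HMAC)
#define PSA_WANT_KEY_TYPE_HMAC 1
#endif
/* … unchanged: closing #endif of the dependency block and the include guard … */
```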