From cf9d972a9abb214d78008a0a4419d9bdc29abc4b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 2 Sep 2022 13:29:25 +0200 Subject: [PATCH] Fix config for MBEDTLS_SSL_PROTO_TLS1_3 Remove MBEDTLS_HKDF_C as it is not needed since #5838 Reasoning: we need SHA-256 or SHA-384 via PSA because they're used by HKDF which is now always done via PSA. If in addition to that USE_PSA is enabled, then everything is done via PSA so that's enough. Otherwise, we need the software implementation of SHA-256 or SHA-384, plus MD_C because we're using a VIA_MD_OR_PSA_BASED_ON_USE_PSA as discussed above. Signed-off-by: Przemek Stekiel
---
 include/mbedtls/check_config.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index e00ffb5a96..33e4d0d9b0 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -260,7 +260,7 @@
 #error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
 #endif
 
-#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
+#if defined(MBEDTLS_HKDF_C) && !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) )
 #error "MBEDTLS_HKDF_C defined, but not all prerequisites"
 #endif
 
@@ -755,10 +755,9 @@
  * Otherwise support for at least one ciphersuite mandates either SHA_256 or
  * SHA_384.
  */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- ( ( !defined(MBEDTLS_HKDF_C) ) || \
- ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) || \
- ( !defined(MBEDTLS_PSA_CRYPTO_C) ) )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ !( ( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_348) ) && \
+ ( defined(MBEDTLS_USE_PSA_CRYPTO) || ( defined(MBEDTLS_MD_C) && ( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) ) ) ) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
 #endif
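Review bot: The relaxed `MBEDTLS_HKDF_C` prerequisite in the first hunk (@@ -260) is not covered by the commit message, which only explains dropping HKDF_C from the TLS 1.3 check. If the HKDF module is still implemented on top of the MD API (not visible in this patch), a configuration with `MBEDTLS_HKDF_C` and `MBEDTLS_PSA_CRYPTO_C` but without `MBEDTLS_MD_C` would now pass check_config.h and fail later in the build with a far less helpful error. Either keep `#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)`, or add a comment above the check saying why PSA alone is enough for HKDF_C.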
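Review bot: `PSA_WANT_ALG_SHA_348` in the second added line of the TLS 1.3 check (@@ -755) looks like a typo for `PSA_WANT_ALG_SHA_384`; the misspelled macro is presumably never defined, so that operand is always false. The check still fails closed, but a configuration that provides only SHA-384 through PSA would hit the `#error` even though it meets the prerequisite stated in the commit message. The line should read `!( ( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384) ) && \`. The comment block above the `#if` starts outside the hunk, so it may also need updating to match the new PSA-based condition.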