Clarify wording of "not covered" section

The section is about things that are not covered, but some lists are
about things that are covered, which was very confusing.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Manuel Pégourié-Gonnard 2021-09-24 10:06:04 +02:00
parent 1e07869381
commit d3ac4a9a8a

@ -153,27 +153,33 @@ This is only a high-level overview, grouped by theme
TLS: key exchanges / asymmetric crypto TLS: key exchanges / asymmetric crypto
-------------------------------------- --------------------------------------
- RSA: not covered The following key exchanges are not covered at all:
- DHE-RSA: not covered
- ECDHE-RSA: ECDHE computation client-side only - RSA
- ECDHE-ECDSA: - DHE-RSA
- ECDHE computation client-side - DHE-PSK
- ECDSA verification both sides - RSA-PSK
- ECDSA signature (if using `mbedtls_pk_setup_opaque()`) - ECDHE-PSK
- PSK: PSA-held keys using `mbedtls_ssl_conf_psk_opaque()` - ECDH-RSA
- DHE-PSK: not covered - ECDH-ECDSA
- RSA-PSK: not covered - ECJPAKE
- ECDHE-PSK: not covered
- ECDH-RSA: not covered The following key exchanges are only partially covered:
- ECDH-ECDSA: not covered
- ECJPAKE: not covered - ECDHE-RSA: RSA operations are not covered and, server-side, the ECDHE
operation isn't either
- ECDHE-ECDSA: server-side, the ECDHE operation isn't covered. (ECDSA
signature generation is only covered if using `mbedtls_pk_setup_opaque()`.)
PSK if covered when the application uses `mbedtls_ssl_conf_psk_opaque()` or
`mbedtls_ssl_set_hs_psk_opaque()`.
TLS: symmetric crypto TLS: symmetric crypto
--------------------- ---------------------
- some ciphers not supported via PSA yet: ARIA, Camellia, ChachaPoly (silent - some ciphers not supported via PSA yet: ARIA, Camellia, ChachaPoly (silent
fallback to the legacy APIs) fallback to the legacy APIs)
- the HMAC part of the CBC and NULL ciphersuites is not covered - the HMAC part of the CBC and NULL ciphersuites
- the HMAC computation in `ssl_cookie.c` - the HMAC computation in `ssl_cookie.c`
X.509 X.509
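Review bot: the added PSK sentence has a typo, "PSK if covered when" should read "PSK is covered when". It also states what is covered inside a section about what is not covered, which is the confusion the commit message sets out to remove, and plain PSK no longer appears in either the "not covered at all" or the "only partially covered" list. Consider phrasing it in the negative, for example as a partially covered item: "PSK: only covered when the application uses `mbedtls_ssl_conf_psk_opaque()` or `mbedtls_ssl_set_hs_psk_opaque()`". In the symmetric crypto list, the first item ("some ciphers not supported via PSA yet") still carries its own negation while the HMAC items now rely on the section title, so a one-line lead-in like the ones added for key exchanges would make the list read consistently.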
@ -181,6 +187,6 @@ X.509
- most hash operations are still done via the legacy API, except the few that - most hash operations are still done via the legacy API, except the few that
are documented above as using PSA are documented above as using PSA
- RSA PKCS#1 v1.5 signature generation (from PSA-held keys): not covered - RSA PKCS#1 v1.5 signature generation (from PSA-held keys)
- RSA PKCS#1 v1.5 signature verification: not covered - RSA PKCS#1 v1.5 signature verification
- RSA-PSS signature verification: not covered - RSA-PSS signature verification
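Review bot: with ": not covered" dropped from the three RSA items, the X.509 list mixes a full sentence ("most hash operations are still done via the legacy API ...") with bare noun phrases, and nothing in this hunk says the list enumerates uncovered operations. The key exchange hunk adds explicit lead-ins ("The following key exchanges are not covered at all:"); an equivalent sentence before these items would keep a reader who lands on this section from taking "RSA-PSS signature verification" as a supported feature.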