From 3e83098e0173f625c849956eada978b514d2b065 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 11 May 2022 13:27:44 +0200 Subject: [PATCH] Clarify the TLS 1.3 situation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- docs/use-psa-crypto.md | 3 ++- include/mbedtls/mbedtls_config.h | 8 +++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index b9983b724..c1789b30d 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -11,7 +11,8 @@ Compile-time: enabling `MBEDTLS_USE_PSA_CRYPTO` requires Scope: `MBEDTLS_USE_PSA_CRYPTO` has no effect on the parts of the code that are specific to TLS 1.3; those parts always use PSA Crypto. The parts of the TLS 1.3 code that are common with TLS 1.2, however, follow this option (this -is currently just the record protection code). +is currently just the record protection code, and X.509). You need to enable +`MBEDTLS_USE_PSA_CRYPTO` if you want TLS 1.3 to use PSA everywhere. New APIs / API extensions ------------------------- diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e24366021..862972143 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1506,9 +1506,15 @@ * 1.3 support that this option enables. * * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + * Requires: MBEDTLS_PSA_CRYPTO_C + * + * Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use + * PSA for all crypto operations, you need to also enable + * MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are + * common with TLS 1.2 (record protection, running handshake hash) will still + * use non-PSA crypto. * * Uncomment this macro to enable the support for TLS 1.3. - * */ //#define MBEDTLS_SSL_PROTO_TLS1_3