Document what "TLS 1.3 depends on PSA" entails
Explicitly document that when using TLS 1.3, you must initialize PSA crypto before starting a handshake. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
parent
f4385faa6f
commit
8c2830a06a
2 changed files with 13 additions and 5 deletions
|
@ -1578,11 +1578,14 @@
|
||||||
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||||
*
|
*
|
||||||
* Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditionally
|
* \note TLS 1.3 uses PSA crypto for cryptographic operations that are
|
||||||
* for most operations, if you want it to only use PSA for all crypto
|
* directly performed by TLS 1.3 code. As a consequence, you must
|
||||||
* operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509
|
* call psa_crypto_init() before the first TLS 1.3 handshake.
|
||||||
* operations, and functions that are common with TLS 1.2 (record protection,
|
*
|
||||||
* running handshake hash) will still use non-PSA crypto.
|
* \note Cryptographic operations performed indirectly via another module
|
||||||
|
* (X.509, PK) or by code shared with TLS 1.2 (record protection,
|
||||||
|
* running handshake hash) only use PSA crypto if
|
||||||
|
* #MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||||||
*
|
*
|
||||||
* Uncomment this macro to enable the support for TLS 1.3.
|
* Uncomment this macro to enable the support for TLS 1.3.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -4684,6 +4684,11 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
|
||||||
* in which case the datagram of the underlying transport that is
|
* in which case the datagram of the underlying transport that is
|
||||||
* currently being processed might or might not contain further
|
* currently being processed might or might not contain further
|
||||||
* DTLS records.
|
* DTLS records.
|
||||||
|
*
|
||||||
|
* \note If the context is configured to allow TLS 1.3, or if
|
||||||
|
* #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
|
||||||
|
* subsystem must have been initialized by calling
|
||||||
|
* psa_crypto_init() before calling this function.
|
||||||
*/
|
*/
|
||||||
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);
|
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue