Merge pull request #6283 from mpg/driver-only-hashes-wrap-up

Driver only hashes wrap-up
This commit is contained in:
Manuel Pégourié-Gonnard 2022-09-21 08:29:46 +02:00 committed by GitHub
commit d433cd7d07
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
36 changed files with 139 additions and 120 deletions

View file

@ -0,0 +1,20 @@
Features
* Some crypto modules that previously depended on MD or a low-level hash
module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or
for some features (PEM for encrypted files), are now able to use PSA
Crypto instead when the legacy API is not available. This means it is
now possible to use all features from those modules in configurations
where the built-in implementations of hashes are excluded and the hashes
are only provided by PSA drivers. In these configurations, you need to
call `psa_crypto_init()` before you call any function from those
modules; this is not required in configurations where the built-in
implementation is still available. Note that some crypto modules and
features still depend on the built-in implementation of hashes:
MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it),
MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC.
In particular, for now, compiling without built-in hashes requires use
of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no
longer depend on MD. This means it is now possible to use them in
configurations where the built-in implementations of hashes are excluded
and the hashes are only provided by PSA drivers.

View file

@ -29,11 +29,6 @@ github.
[ffdh]: https://github.com/Mbed-TLS/mbedtls/issues/3261 [ffdh]: https://github.com/Mbed-TLS/mbedtls/issues/3261
PSA Crypto has an experimental API for EC J-PAKE, but it's not implemented in
Mbed TLS yet. See the [EC J-PAKE follow-up EPIC][ecjp] on github.
[ecjp]: https://github.com/orgs/Mbed-TLS/projects/1#column-17950140
Arbitrary parameters for FFDH Arbitrary parameters for FFDH
----------------------------- -----------------------------

View file

@ -345,19 +345,29 @@ available. Data related to a certain hash (OID, sizes, translations) should
only be included in the build if it is possible to use that hash in some way. only be included in the build if it is possible to use that hash in some way.
In order to cater to these new needs, new families of macros are introduced in In order to cater to these new needs, new families of macros are introduced in
`library/legacy_or_psa.h`, see its documentation for details. `legacy_or_psa.h`, see its documentation for details.
It should be noted that there are currently: It should be noted that there are currently:
- too many different ways of computing a hash (low-level, MD, PSA); - too many different ways of computing a hash (low-level, MD, PSA);
- too many different ways to configure the library that influence which of - too many different ways to configure the library that influence which of
these ways is available and will be used (`MBEDTLS_USE_PSA_CRYPTO`, these ways is available and will be used (`MBEDTLS_USE_PSA_CRYPTO`,
`MBEDTLS_PSA_CRYPTO_CONFIG`, `mbedtls_config.h` + `psa/crypto_config.h`). `MBEDTLS_PSA_CRYPTO_CONFIG`, `mbedtls_config.h` + `psa/crypto_config.h`).
As a result, we need more families of dependency macros than we'd like to. As a result, we need more families of dependency macros than we'd like to.
This is a temporary situation until we move to a place where everything is This is a temporary situation until we move to a place where everything is
based on PSA Crypto. In the meantime, long and explicit names where chosen for based on PSA Crypto. In the meantime, long and explicit names where chosen for
the new macros in the hope of avoiding confusion. the new macros in the hope of avoiding confusion.
Note: the new macros supplement but do not replace the existing macros:
- code that always uses PSA Crypto (for example, code specific to TLS 1.3)
should use `PSA_WANT_xxx`;
- code that always uses the legacy API (for example, crypto modules that have
not undergone step 1 yet) should use `MBEDTLS_xxx_C`;
- code that may use one of the two APIs, either based on
`MBEDTLS_USE_PSA_CRYPTO` (X.509, TLS 1.2, shared between TLS 1.2 and 1.3),
or based on availability (crypto modules after step 1), should use one of
the new macros from `legacy_or_psa.h`.
Executing step 3 will mostly consist of using the right dependency macros in Executing step 3 will mostly consist of using the right dependency macros in
the right places (once the previous steps are done). the right places (once the previous steps are done).

View file

@ -320,11 +320,20 @@
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) || \ ( !defined(MBEDTLS_ECJPAKE_C) || \
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ) !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif #endif
/* Use of EC J-PAKE in TLS requires SHA-256.
* This will be taken from MD if it is present, or from PSA if MD is absent.
* Note: ECJPAKE_C depends on MD_C || PSA_CRYPTO_C. */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
!( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) && \
!( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) )
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
( !defined(MBEDTLS_SHA256_C) && \ ( !defined(MBEDTLS_SHA256_C) && \

View file

@ -1,6 +1,6 @@
/** /**
* Internal macros to express dependencies for code and tests * Macros to express dependencies for code and tests that may use either the
* that may use either the legacy API or PSA in various builds. * legacy API or PSA in various builds; mostly for internal use.
* *
* Copyright The Mbed TLS Contributors * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
@ -19,6 +19,18 @@
*/ */
/* /*
* Note: applications that are targeting a specific configuration do not need
* to use these macros; instead they should directly use the functions they
* know are available in their configuration.
*
* Note: code that is purely based on PSA Crypto (psa_xxx() functions)
* does not need to use these macros; instead it should use the relevant
* PSA_WANT_xxx macros.
*
* Note: code that is purely based on the legacy crypto APIs (mbedtls_xxx())
* does not need to use these macros; instead it should use the relevant
* MBEDTLS_xxx macros.
*
* These macros are for code that wants to use <crypto feature> and will do so * These macros are for code that wants to use <crypto feature> and will do so
* using <legacy API> or PSA depending on <condition>, where: * using <legacy API> or PSA depending on <condition>, where:
* - <crypto feature> will generally be an algorithm (SHA-256, ECDH) but may * - <crypto feature> will generally be an algorithm (SHA-256, ECDH) but may
@ -36,15 +48,10 @@
* - TLS 1.2 will compute hashes using either mbedtls_md_xxx() (and * - TLS 1.2 will compute hashes using either mbedtls_md_xxx() (and
* mbedtls_sha256_xxx()) or psa_aead_xxx() depending on whether * mbedtls_sha256_xxx()) or psa_aead_xxx() depending on whether
* MBEDTLS_USE_PSA_CRYPTO is defined; * MBEDTLS_USE_PSA_CRYPTO is defined;
* - RSA PKCS#1 v2.1 will, in the near future*, compute hashes (for padding) * - RSA PKCS#1 v2.1 will compute hashes (for padding) using either
* using either `mbedtls_md()` if it's available, or `psa_hash_compute()` * `mbedtls_md()` if it's available, or `psa_hash_compute()` otherwise;
* otherwise; * - PEM decoding of PEM-encrypted keys will compute MD5 hashes using either
* - PEM decoding of PEM-encrypted keys will, in the near future*, compute MD5 * `mbedtls_md5_xxx()` if it's available, or `psa_hash_xxx()` otherwise.
* hashes using either `mbedtls_md5_xxx()` if it's available, or
* `psa_hash_xxx()` otherwise.
* *See docs/architecture/psa-migration/strategy.md, section "Supporting
* builds with drivers without the software implementation", strategy for step
* 1 (libmbedcrypto except the RNG subsystem).
* *
* Note: the macros are essential to express test dependencies. Inside code, * Note: the macros are essential to express test dependencies. Inside code,
* we could instead just use the equivalent pre-processor condition, but * we could instead just use the equivalent pre-processor condition, but
@ -70,9 +77,9 @@
* MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA * MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA
* *
* Note: every time it's possible to use, say SHA-256, via the MD API, then * Note: every time it's possible to use, say SHA-256, via the MD API, then
* it's also possible to used it via the low-level API. So, code that wants to * it's also possible to use it via the low-level API. So, code that wants to
* use SHA-256 via both APIs only needs to depend on the MD macro. Also, it * use SHA-256 via both APIs only needs to depend on the MD macro. Also, it
* just so happens that all the choosing which API to use based on * just so happens that all the code choosing which API to use based on
* MBEDTLS_USE_PSA_CRYPTO (X.509, TLS 1.2/shared), always uses the abstraction * MBEDTLS_USE_PSA_CRYPTO (X.509, TLS 1.2/shared), always uses the abstraction
* layer (sometimes in addition to the low-level API), so we don't need the * layer (sometimes in addition to the low-level API), so we don't need the
* MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA_BASED_ON_USE_PSA macros. * MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA_BASED_ON_USE_PSA macros.
@ -89,7 +96,7 @@
#ifndef MBEDTLS_OR_PSA_HELPERS_H #ifndef MBEDTLS_OR_PSA_HELPERS_H
#define MBEDTLS_OR_PSA_HELPERS_H #define MBEDTLS_OR_PSA_HELPERS_H
#include "common.h" #include "mbedtls/build_info.h"
#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa/crypto.h" #include "psa/crypto.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */ #endif /* MBEDTLS_PSA_CRYPTO_C */

View file

@ -958,7 +958,7 @@
* might still happen. For this reason, this is disabled by default. * might still happen. For this reason, this is disabled by default.
* *
* Requires: MBEDTLS_ECJPAKE_C * Requires: MBEDTLS_ECJPAKE_C
* MBEDTLS_SHA256_C * SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C)
* MBEDTLS_ECP_DP_SECP256R1_ENABLED * MBEDTLS_ECP_DP_SECP256R1_ENABLED
* *
* This enables the following ciphersuites (if other requisites are * This enables the following ciphersuites (if other requisites are
@ -1492,13 +1492,14 @@
* *
* Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
* *
* Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and
* (Depends on ciphersuites) when MBEDTLS_USE_PSA_CRYPTO * (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C)
* is not defined, PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or * With MBEDTLS_USE_PSA_CRYPTO:
* PSA_WANT_ALG_SHA_512 when MBEDTLS_USE_PSA_CRYPTO is defined. * PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or
* PSA_WANT_ALG_SHA_512
* *
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
* before doing any TLS operation. * psa_crypto_init() before doing any TLS operations.
* *
* Comment this macro to disable support for TLS 1.2 / DTLS 1.2 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
*/ */
@ -1517,11 +1518,11 @@
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
* Requires: MBEDTLS_PSA_CRYPTO_C * Requires: MBEDTLS_PSA_CRYPTO_C
* *
* Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditonally
* PSA for all crypto operations, you need to also enable * for most operations, if you want it to only use PSA for all crypto
* MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are * operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509
* common with TLS 1.2 (record protection, running handshake hash) will still * operations, and functions that are common with TLS 1.2 (record protection,
* use non-PSA crypto. * running handshake hash) will still use non-PSA crypto.
* *
* Uncomment this macro to enable the support for TLS 1.3. * Uncomment this macro to enable the support for TLS 1.3.
*/ */
@ -2357,7 +2358,7 @@
* This module is used by the following key exchanges: * This module is used by the following key exchanges:
* ECJPAKE * ECJPAKE
* *
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
* *
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
* before doing any EC J-PAKE operations. * before doing any EC J-PAKE operations.
@ -2674,7 +2675,10 @@
* *
* Module: library/pkcs5.c * Module: library/pkcs5.c
* *
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C * Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.
*
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
* before doing any PKCS5 operation.
* *
* This module adds support for the PKCS#5 functions. * This module adds support for the PKCS#5 functions.
*/ */
@ -3156,8 +3160,8 @@
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
* (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO) * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
* *
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
* before doing any X.509 operation. * psa_crypto_init() before doing any X.509 operation.
* *
* This module is required for the X.509 parsing modules. * This module is required for the X.509 parsing modules.
*/ */
@ -3217,8 +3221,8 @@
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
* (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO) * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
* *
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
* before doing any X.509 create operation. * psa_crypto_init() before doing any X.509 create operation.
* *
* This module is the basis for creating X.509 certificates and CSRs. * This module is the basis for creating X.509 certificates and CSRs.
*/ */

View file

@ -52,9 +52,7 @@
#include "mbedtls/platform_time.h" #include "mbedtls/platform_time.h"
#endif #endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h" #include "psa/crypto.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* /*
* SSL Error codes * SSL Error codes
@ -629,11 +627,7 @@ union mbedtls_ssl_premaster_secret
#define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE #define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE
#else
#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Length in number of bytes of the TLS sequence number */ /* Length in number of bytes of the TLS sequence number */

View file

@ -24,6 +24,7 @@
#include "mbedtls/private_access.h" #include "mbedtls/private_access.h"
#include "mbedtls/build_info.h" #include "mbedtls/build_info.h"
#include "mbedtls/legacy_or_psa.h"
#include "mbedtls/x509.h" #include "mbedtls/x509.h"
#include "mbedtls/x509_crl.h" #include "mbedtls/x509_crl.h"
@ -1108,7 +1109,7 @@ int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
int is_ca, int max_pathlen ); int is_ca, int max_pathlen );
#if defined(MBEDTLS_SHA1_C) || ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) ) #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA)
/** /**
* \brief Set the subjectKeyIdentifier extension for a CRT * \brief Set the subjectKeyIdentifier extension for a CRT
* Requires that mbedtls_x509write_crt_set_subject_key() has been * Requires that mbedtls_x509write_crt_set_subject_key() has been
@ -1130,7 +1131,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
*/ */
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
#endif /* MBEDTLS_SHA1_C || (MBEDTLS_PSA_CRYPTO_C && PSA_WANT_ALG_SHA_1)*/ #endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */
/** /**
* \brief Set the Key Usage Extension flags * \brief Set the Key Usage Extension flags

View file

@ -21,7 +21,7 @@
*/ */
#include "hash_info.h" #include "hash_info.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
typedef struct typedef struct

View file

@ -27,7 +27,7 @@
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>

View file

@ -45,12 +45,14 @@
#include "psa/crypto.h" #include "psa/crypto.h"
#endif #endif
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && defined(MBEDTLS_CIPHER_MODE_CBC) && \ #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
#define PEM_RFC1421 #define PEM_RFC1421
#endif /* MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_CIPHER_MODE_CBC && #endif /* MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA &&
MBEDTLS_CIPHER_MODE_CBC &&
( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
#if defined(MBEDTLS_PEM_PARSE_C) #if defined(MBEDTLS_PEM_PARSE_C)

View file

@ -33,7 +33,7 @@
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "ssl_misc.h" #include "ssl_misc.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#include <string.h> #include <string.h>

View file

@ -38,7 +38,7 @@
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/constant_time.h" #include "mbedtls/constant_time.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#include <string.h> #include <string.h>

View file

@ -32,7 +32,7 @@
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#include "hash_info.h" #include "hash_info.h"
#endif #endif
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_MD5_C) #if defined(MBEDTLS_MD5_C)
#include "mbedtls/md5.h" #include "mbedtls/md5.h"

View file

@ -54,7 +54,7 @@
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#endif #endif
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/oid.h" #include "mbedtls/oid.h"

View file

@ -62,7 +62,7 @@
#include <time.h> #include <time.h>
#endif #endif
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); } #define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
#define CHECK_RANGE(min, max, val) \ #define CHECK_RANGE(min, max, val) \

View file

@ -46,7 +46,7 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "hash_info.h" #include "hash_info.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
{ {

View file

@ -1478,11 +1478,11 @@ int main( int argc, char *argv[] )
if( opt.psk_opaque != 0 ) if( opt.psk_opaque != 0 )
{ {
/* Determine KDF algorithm the opaque PSK will be used in. */ /* Determine KDF algorithm the opaque PSK will be used in. */
#if defined(HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
else else
#endif /* HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
} }
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */

View file

@ -2261,11 +2261,11 @@ int main( int argc, char *argv[] )
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 ) if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
{ {
/* Determine KDF algorithm the opaque PSK will be used in. */ /* Determine KDF algorithm the opaque PSK will be used in. */
#if defined(HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
else else
#endif /* HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
} }
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */

View file

@ -297,49 +297,23 @@ int send_cb( void *ctx, unsigned char const *buf, size_t len )
#define MBEDTLS_SSL_SIG_ALG( hash ) #define MBEDTLS_SSL_SIG_ALG( hash )
#endif #endif
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C) ) || \
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_1) )
#define HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
#endif
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA224_C) ) || \
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_224) )
#define HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA
#endif
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_256) )
#define HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
#endif
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_384) )
#define HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA
#endif
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA512_C) ) || \
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_512) )
#define HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA
#endif
uint16_t ssl_sig_algs_for_test[] = { uint16_t ssl_sig_algs_for_test[] = {
#if defined(HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
#endif #endif
#if defined(HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#endif #endif
#if defined(HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#endif #endif
#if defined(HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA224 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA224 )
#endif #endif
#if defined(MBEDTLS_RSA_C) && defined(HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
#if defined(HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
/* Allow SHA-1 as we use it extensively in tests. */ /* Allow SHA-1 as we use it extensively in tests. */
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA1 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA1 )
#endif #endif

View file

@ -1715,7 +1715,7 @@ component_test_psa_crypto_config_accel_ecdsa () {
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
not grep mbedtls_ecdsa_ library/ecdsa.o not grep mbedtls_ecdsa_ library/ecdsa.o
@ -1797,7 +1797,7 @@ component_test_psa_crypto_config_accel_rsa_signature () {
scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o
not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o
@ -1827,7 +1827,7 @@ component_test_psa_crypto_config_accel_hash () {
scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_C
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
not grep mbedtls_sha512_init library/sha512.o not grep mbedtls_sha512_init library/sha512.o
not grep mbedtls_sha1_init library/sha1.o not grep mbedtls_sha1_init library/sha1.o
@ -1848,21 +1848,28 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
# start with config full for maximum coverage (also enables USE_PSA)
scripts/config.py full
# enable support for drivers and configuring PSA-only algorithms
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO # disable the built-in implementation of hashes
scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C scripts/config.py unset MBEDTLS_RIPEMD160_C
scripts/config.py unset MBEDTLS_SHA1_C scripts/config.py unset MBEDTLS_SHA1_C
scripts/config.py unset MBEDTLS_SHA224_C scripts/config.py unset MBEDTLS_SHA224_C
scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_C
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
# Use an external RNG as currently internal RNGs depend on entropy.c # Use an external RNG as currently internal RNGs depend on entropy.c
# which in turn hard-depends on SHA256_C (or SHA512_C). # which in turn hard-depends on SHA256_C (or SHA512_C).
# See component_test_psa_external_rng_no_drbg_use_psa. # See component_test_psa_external_rng_no_drbg_use_psa.
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py unset MBEDTLS_ENTROPY_C scripts/config.py unset MBEDTLS_ENTROPY_C
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
# Also unset MD_C and things that depend on it; # Also unset MD_C and things that depend on it;
# see component_test_crypto_full_no_md. # see component_test_crypto_full_no_md.
scripts/config.py unset MBEDTLS_MD_C scripts/config.py unset MBEDTLS_MD_C
@ -1870,10 +1877,6 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
# Enable TLS 1.3: use PSA implementation for hashes
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
@ -1925,7 +1928,7 @@ component_test_psa_crypto_config_accel_cipher () {
scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_DES_C
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
not grep mbedtls_des* library/des.o not grep mbedtls_des* library/des.o

View file

@ -23,7 +23,7 @@
#include "mbedtls/build_info.h" #include "mbedtls/build_info.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* /*
* Test CA Certificates * Test CA Certificates

View file

@ -1,7 +1,7 @@
/* BEGIN_HEADER */ /* BEGIN_HEADER */
#include "mbedtls/ecdsa.h" #include "mbedtls/ecdsa.h"
#include "hash_info.h" #include "hash_info.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if ( defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C) ) || \ #if ( defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C) ) || \
( !defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) ) ( !defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) )
#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC #define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC

View file

@ -1,6 +1,6 @@
/* BEGIN_HEADER */ /* BEGIN_HEADER */
#include "mbedtls/ecjpake.h" #include "mbedtls/ecjpake.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA) #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA)
static const unsigned char ecjpake_test_x1[] = { static const unsigned char ecjpake_test_x1[] = {

View file

@ -3,7 +3,7 @@
#include "mbedtls/asn1.h" #include "mbedtls/asn1.h"
#include "mbedtls/asn1write.h" #include "mbedtls/asn1write.h"
#include "string.h" #include "string.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES

View file

@ -3,7 +3,7 @@
#include "mbedtls/pem.h" #include "mbedtls/pem.h"
#include "mbedtls/des.h" #include "mbedtls/des.h"
#include "mbedtls/aes.h" #include "mbedtls/aes.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */

View file

@ -8,7 +8,7 @@
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "hash_info.h" #include "hash_info.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#include <limits.h> #include <limits.h>
#include <stdint.h> #include <stdint.h>

View file

@ -2,7 +2,7 @@
#include "mbedtls/pkcs12.h" #include "mbedtls/pkcs12.h"
#include "common.h" #include "common.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
typedef enum typedef enum
{ {

View file

@ -2,7 +2,7 @@
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "mbedtls/md.h" #include "mbedtls/md.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES

View file

@ -1,6 +1,6 @@
/* BEGIN_HEADER */ /* BEGIN_HEADER */
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES

View file

@ -1,6 +1,6 @@
/* BEGIN_HEADER */ /* BEGIN_HEADER */
#include "mbedtls/pkcs5.h" #include "mbedtls/pkcs5.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES

View file

@ -2,7 +2,7 @@
#include "mbedtls/pk.h" #include "mbedtls/pk.h"
#include "mbedtls/pem.h" #include "mbedtls/pem.h"
#include "mbedtls/oid.h" #include "mbedtls/oid.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES

View file

@ -2,7 +2,7 @@
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "rsa_alt_helpers.h" #include "rsa_alt_helpers.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES

View file

@ -11,7 +11,7 @@
#include "mbedtls/ssl_cache.h" #include "mbedtls/ssl_cache.h"
#endif #endif
#include <legacy_or_psa.h> #include <mbedtls/legacy_or_psa.h>
#include "hash_info.h" #include "hash_info.h"
#include <constant_time_internal.h> #include <constant_time_internal.h>
@ -5439,7 +5439,7 @@ void ssl_cf_hmac( int hash )
size_t min_in_len, in_len, max_in_len, i; size_t min_in_len, in_len, max_in_len, i;
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */ /* TLS additional data is 13 bytes (hence the "lucky 13" name) */
unsigned char add_data[13]; unsigned char add_data[13];
unsigned char ref_out[MBEDTLS_MD_MAX_SIZE]; unsigned char ref_out[MBEDTLS_HASH_MAX_SIZE];
unsigned char *data = NULL; unsigned char *data = NULL;
unsigned char *out = NULL; unsigned char *out = NULL;
unsigned char rec_num = 0; unsigned char rec_num = 0;

View file

@ -10,7 +10,7 @@
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "string.h" #include "string.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ #error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \

View file

@ -7,7 +7,7 @@
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "hash_info.h" #include "hash_info.h"
#include "legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen, int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen,