Merge pull request #9666 from Harry-Ramsey/remove-obsolete-ci-scripts-development
Remove obsolete CI Scripts
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 64d95dc..1501240 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -333,11 +333,11 @@
endif()
if(TF_PSA_CRYPTO_CONFIG_FILE)
target_compile_definitions(${target}
- PUBLIC MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
+ PUBLIC TF_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
endif()
if(TF_PSA_CRYPTO_USER_CONFIG_FILE)
target_compile_definitions(${target}
- PUBLIC MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
+ PUBLIC TF_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
endif()
endfunction(set_config_files_compile_definitions)
@@ -413,9 +413,30 @@
#
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
file(GLOB MBEDTLS_TEST_HELPER_FILES
+ ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_helpers/*.c)
add_library(mbedtls_test_helpers OBJECT ${MBEDTLS_TEST_HELPER_FILES})
set_base_compile_options(mbedtls_test_helpers)
+
+ if(GEN_FILES)
+ add_custom_command(
+ OUTPUT
+ ${MBEDTLS_DIR}/tests/src/test_certs.h
+ WORKING_DIRECTORY
+ ${MBEDTLS_DIR}/tests
+ COMMAND
+ "${MBEDTLS_PYTHON_EXECUTABLE}"
+ "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py"
+ "--output"
+ "${MBEDTLS_DIR}/tests/src/test_certs.h"
+ DEPENDS
+ ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py
+ )
+ add_custom_target(mbedtls_test_certs_header
+ DEPENDS ${MBEDTLS_DIR}/tests/src/test_certs.h)
+ add_dependencies(mbedtls_test_helpers mbedtls_test_certs_header)
+ endif()
+
target_include_directories(mbedtls_test_helpers
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
diff --git a/ChangeLog.d/configuration-split.txt b/ChangeLog.d/configuration-split.txt
new file mode 100644
index 0000000..f4d9bc6
--- /dev/null
+++ b/ChangeLog.d/configuration-split.txt
@@ -0,0 +1,16 @@
+Changes
+ * Cryptography and platform configuration options have been migrated
+ from the Mbed TLS library configuration file mbedtls_config.h to
+ crypto_config.h that will become the TF-PSA-Crypto configuration file,
+ see config-split.md for more information. The reference and test custom
+ configuration files respectively in configs/ and tests/configs/ have
+ been updated accordingly.
+ To migrate custom Mbed TLS configurations where
+ MBEDTLS_PSA_CRYPTO_CONFIG is disabled, you should first adapt them
+ to the PSA configuration scheme based on PSA_WANT_XXX symbols
+ (see psa-conditional-inclusion-c.md for more information).
+ To migrate custom Mbed TLS configurations where
+ MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you should migrate the
+ cryptographic and platform configuration options from mbedtls_config.h
+ to crypto_config.h (see config-split.md for more information and configs/
+ for examples).
diff --git a/ChangeLog.d/fix-compilation-with-djgpp.txt b/ChangeLog.d/fix-compilation-with-djgpp.txt
new file mode 100644
index 0000000..5b79fb6
--- /dev/null
+++ b/ChangeLog.d/fix-compilation-with-djgpp.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix compilation on MS-DOS DJGPP. Fixes #9813.
diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h
index d41d544..6712c33 100644
--- a/configs/config-ccm-psk-dtls1_2.h
+++ b/configs/config-ccm-psk-dtls1_2.h
@@ -23,18 +23,7 @@
* See README.txt for usage instructions.
*/
-#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
-
-#define MBEDTLS_PSA_CRYPTO_C
-#define MBEDTLS_USE_PSA_CRYPTO
-
-/* System support */
-//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
-/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
-
/* Mbed TLS modules */
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
#define MBEDTLS_NET_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_COOKIE_C
@@ -68,19 +57,9 @@
#define MBEDTLS_SSL_IN_CONTENT_LEN 256
#define MBEDTLS_SSL_OUT_CONTENT_LEN 256
-/* Save RAM at the expense of ROM */
-#define MBEDTLS_AES_ROM_TABLES
-
/* Save some RAM by adjusting to your exact needs */
#define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */
-/*
- * You should adjust this to the exact number of sources you're using: default
- * is the "platform_entropy_poll" source, but you may want to add other ones
- * Minimum is 2 for the entropy test suite.
- */
-#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index 85f08c3..5fb67fe 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -22,18 +22,7 @@
* See README.txt for usage instructions.
*/
-#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
-
-#define MBEDTLS_PSA_CRYPTO_C
-#define MBEDTLS_USE_PSA_CRYPTO
-
-/* System support */
-//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
-/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
-
/* Mbed TLS modules */
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
#define MBEDTLS_NET_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
@@ -59,19 +48,10 @@
#define MBEDTLS_SSL_IN_CONTENT_LEN 1024
#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024
-/* Save RAM at the expense of ROM */
-#define MBEDTLS_AES_ROM_TABLES
/* Save some RAM by adjusting to your exact needs */
#define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */
-/*
- * You should adjust this to the exact number of sources you're using: default
- * is the "platform_entropy_poll" source, but you may want to add other ones
- * Minimum is 2 for the entropy test suite.
- */
-#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index 8bc2cf3..c08d5d1 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -21,58 +21,18 @@
* See README.txt for usage instructions.
*/
-#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h"
-
-#define MBEDTLS_PSA_CRYPTO_C
-#define MBEDTLS_USE_PSA_CRYPTO
-
-/* System support */
-#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-
/* Mbed TLS feature support */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2
/* Mbed TLS modules */
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
#define MBEDTLS_NET_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_USE_C
-/* For test certificates */
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_PEM_PARSE_C
-
-/* Save RAM at the expense of ROM */
-#define MBEDTLS_AES_ROM_TABLES
-
-/* Save RAM by adjusting to our exact needs */
-#define MBEDTLS_MPI_MAX_SIZE 48 // 384-bit EC curve = 48 bytes
-
-/* Save RAM at the expense of speed, see ecp.h */
-#define MBEDTLS_ECP_WINDOW_SIZE 2
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
-
-/* Significant speed benefit at the expense of some ROM */
-#define MBEDTLS_ECP_NIST_OPTIM
-
-/*
- * You should adjust this to the exact number of sources you're using: default
- * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones.
- * Minimum is 2 for the entropy test suite.
- */
-#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
#define MBEDTLS_SSL_CIPHERSUITES \
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h
index e29fd62..606f4a1 100644
--- a/configs/config-symmetric-only.h
+++ b/configs/config-symmetric-only.h
@@ -8,42 +8,9 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h"
-
-#define MBEDTLS_PSA_CRYPTO_C
-#define MBEDTLS_USE_PSA_CRYPTO
-
-/* System support */
-//#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-#define MBEDTLS_HAVE_TIME_DATE
-
/* Mbed TLS feature support */
#define MBEDTLS_ERROR_STRERROR_DUMMY
-#define MBEDTLS_FS_IO
-#define MBEDTLS_ENTROPY_NV_SEED
-#define MBEDTLS_SELF_TEST
#define MBEDTLS_VERSION_FEATURES
-/* Mbed TLS modules */
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_ERROR_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_NIST_KW_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PEM_WRITE_C
-#define MBEDTLS_PKCS5_C
-#define MBEDTLS_PKCS12_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_PSA_CRYPTO_SE_C
-#define MBEDTLS_PSA_CRYPTO_STORAGE_C
-#define MBEDTLS_PSA_ITS_FILE_C
-
-//#define MBEDTLS_THREADING_C
#define MBEDTLS_TIMING_C
#define MBEDTLS_VERSION_C
diff --git a/configs/config-tfm.h b/configs/config-tfm.h
index 14896d4..8733831 100644
--- a/configs/config-tfm.h
+++ b/configs/config-tfm.h
@@ -10,59 +10,3 @@
/* TF-M medium profile: mbedtls legacy configuration */
#include "../configs/ext/tfm_mbedcrypto_config_profile_medium.h"
-
-/* TF-M medium profile: PSA crypto configuration */
-#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/ext/crypto_config_profile_medium.h"
-
-/***********************************************************/
-/* Tweak the configuration to remove dependencies on TF-M. */
-/***********************************************************/
-
-/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */
-#undef MBEDTLS_PSA_CRYPTO_SPM
-
-/* Disable buffer-based memory allocator. This isn't strictly required,
- * but using the native allocator is faster and works better with
- * memory management analysis frameworks such as ASan. */
-#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C
-
-// This macro is enabled in TFM Medium but is disabled here because it is
-// incompatible with baremetal builds in Mbed TLS.
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-
-// This macro is enabled in TFM Medium but is disabled here because it is
-// incompatible with baremetal builds in Mbed TLS.
-#undef MBEDTLS_ENTROPY_NV_SEED
-
-// These platform-related TF-M settings are not useful here.
-#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-#undef MBEDTLS_PLATFORM_STD_MEM_HDR
-#undef MBEDTLS_PLATFORM_SNPRINTF_MACRO
-#undef MBEDTLS_PLATFORM_PRINTF_ALT
-#undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
-#undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE
-
-/*
- * In order to get an example config that works cleanly out-of-the-box
- * for both baremetal and non-baremetal builds, we detect baremetal builds
- * (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some
- * variables accordingly.
- */
-#if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__)
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#else
-/* Use built-in platform entropy functions (TF-M provides its own). */
-#undef MBEDTLS_NO_PLATFORM_ENTROPY
-#endif
-
-/***********************************************************************
- * Local changes to crypto config below this delimiter
- **********************************************************************/
-
-// We expect TF-M to pick this up soon
-#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
-
-/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it
- * does not need CIPHER_C to be enabled, so we can disable it in order
- * to reduce code size further. */
-#undef MBEDTLS_CIPHER_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index df25cfa..95f588e 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -21,17 +21,7 @@
* See README.txt for usage instructions.
*/
-#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h"
-
-#define MBEDTLS_PSA_CRYPTO_C
-#define MBEDTLS_USE_PSA_CRYPTO
-
-/* System support */
-#define MBEDTLS_HAVE_ASM
-
/* Mbed TLS feature support */
-#define MBEDTLS_AES_ROM_TABLES
-#define MBEDTLS_ECP_NIST_OPTIM
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#define MBEDTLS_SSL_PROTO_TLS1_2
@@ -40,15 +30,6 @@
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
/* Mbed TLS modules */
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
@@ -58,11 +39,5 @@
#define MBEDTLS_NET_C
#define MBEDTLS_TIMING_C
-/* Save RAM at the expense of ROM */
-#define MBEDTLS_AES_ROM_TABLES
-
-/* Save RAM by adjusting to our exact needs */
-#define MBEDTLS_MPI_MAX_SIZE 32 // 256-bit EC curve = 32 bytes
-
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h
index 68a9c0a..be8a746 100644
--- a/configs/crypto-config-ccm-aes-sha256.h
+++ b/configs/crypto-config-ccm-aes-sha256.h
@@ -20,4 +20,9 @@
#define PSA_WANT_KEY_TYPE_AES 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+
#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h
index f4928e2..e4de8b3 100644
--- a/configs/crypto-config-ccm-psk-tls1_2.h
+++ b/configs/crypto-config-ccm-psk-tls1_2.h
@@ -22,4 +22,24 @@
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_KEY_TYPE_AES 1
+
+#define MBEDTLS_PSA_CRYPTO_C
+
+/* System support */
+//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
+/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
+
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+
+/* Save RAM at the expense of ROM */
+#define MBEDTLS_AES_ROM_TABLES
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entropy_poll" source, but you may want to add other ones
+ * Minimum is 2 for the entropy test suite.
+ */
+#define MBEDTLS_ENTROPY_MAX_SOURCES 2
+
#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h
index ec20919..3eea061 100644
--- a/configs/crypto-config-suite-b.h
+++ b/configs/crypto-config-suite-b.h
@@ -38,4 +38,42 @@
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+
+#define MBEDTLS_PSA_CRYPTO_C
+
+/* System support */
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_HAVE_TIME
+
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+
+/* For test certificates */
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_PEM_PARSE_C
+
+/* Save RAM at the expense of ROM */
+#define MBEDTLS_AES_ROM_TABLES
+
+/* Save RAM by adjusting to our exact needs */
+#define MBEDTLS_MPI_MAX_SIZE 48 // 384-bit EC curve = 48 bytes
+
+/* Save RAM at the expense of speed, see ecp.h */
+#define MBEDTLS_ECP_WINDOW_SIZE 2
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
+
+/* Significant speed benefit at the expense of some ROM */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones.
+ * Minimum is 2 for the entropy test suite.
+ */
+#define MBEDTLS_ENTROPY_MAX_SOURCES 2
#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h
index 5d6bf85..dfe9e81 100644
--- a/configs/crypto-config-symmetric-only.h
+++ b/configs/crypto-config-symmetric-only.h
@@ -55,4 +55,37 @@
#define PSA_WANT_KEY_TYPE_DES 1
#define PSA_WANT_KEY_TYPE_HMAC 1
+#define MBEDTLS_SELF_TEST
+
+#define MBEDTLS_PSA_CRYPTO_C
+
+/* System support */
+//#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_HAVE_TIME_DATE
+
+#define MBEDTLS_FS_IO
+#define MBEDTLS_ENTROPY_NV_SEED
+
+/* Mbed TLS modules */
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_NIST_KW_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PEM_WRITE_C
+#define MBEDTLS_PKCS5_C
+#define MBEDTLS_PKCS12_C
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PSA_CRYPTO_SE_C
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+#define MBEDTLS_PSA_ITS_FILE_C
+
+//#define MBEDTLS_THREADING_C
+
#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h
index 3c5fe24..f71b1f0 100644
--- a/configs/crypto-config-thread.h
+++ b/configs/crypto-config-thread.h
@@ -44,4 +44,27 @@
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#define MBEDTLS_PSA_CRYPTO_C
+
+/* System support */
+#define MBEDTLS_HAVE_ASM
+
+#define MBEDTLS_AES_ROM_TABLES
+#define MBEDTLS_ECP_NIST_OPTIM
+
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+
+/* Save RAM at the expense of ROM */
+#define MBEDTLS_AES_ROM_TABLES
+
+/* Save RAM by adjusting to our exact needs */
+#define MBEDTLS_MPI_MAX_SIZE 32 // 256-bit EC curve = 32 bytes
#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/ext/README.md b/configs/ext/README.md
index 1358bd4..b07cbc1 100644
--- a/configs/ext/README.md
+++ b/configs/ext/README.md
@@ -21,5 +21,6 @@
In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors.
-We only retain the note at the top of the files because we are taking the files verbatim, for ease of
-maintenance.
+We only retain the note at the top of the files because the intent is to take these files verbatim,
+for ease of maintenance. Currently however, they contain changes, showing how these configurations
+will need to be adapted for 4.0.
diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h
index af8869f..2871c94 100644
--- a/configs/ext/crypto_config_profile_medium.h
+++ b/configs/ext/crypto_config_profile_medium.h
@@ -125,6 +125,59 @@
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+/***********************************************************/
+/* Tweak the configuration to remove dependencies on TF-M. */
+/***********************************************************/
+
+/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */
+#undef MBEDTLS_PSA_CRYPTO_SPM
+
+/* Disable buffer-based memory allocator. This isn't strictly required,
+ * but using the native allocator is faster and works better with
+ * memory management analysis frameworks such as ASan. */
+#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+// This macro is enabled in TFM Medium but is disabled here because it is
+// incompatible with baremetal builds in Mbed TLS.
+#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+// This macro is enabled in TFM Medium but is disabled here because it is
+// incompatible with baremetal builds in Mbed TLS.
+#undef MBEDTLS_ENTROPY_NV_SEED
+
+// These platform-related TF-M settings are not useful here.
+#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#undef MBEDTLS_PLATFORM_STD_MEM_HDR
+#undef MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#undef MBEDTLS_PLATFORM_PRINTF_ALT
+#undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+
+/*
+ * In order to get an example config that works cleanly out-of-the-box
+ * for both baremetal and non-baremetal builds, we detect baremetal builds
+ * (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some
+ * variables accordingly.
+ */
+#if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__)
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#else
+/* Use built-in platform entropy functions (TF-M provides its own). */
+#undef MBEDTLS_NO_PLATFORM_ENTROPY
+#endif
+
+/***********************************************************************
+ * Local changes to crypto config below this delimiter
+ **********************************************************************/
+
+// We expect TF-M to pick this up soon
+#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+
+/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it
+ * does not need CIPHER_C to be enabled, so we can disable it in order
+ * to reduce code size further. */
+#undef MBEDTLS_CIPHER_C
+
#ifdef CRYPTO_HW_ACCELERATOR
#include "crypto_accelerator_config.h"
#endif
diff --git a/configs/ext/tfm_mbedcrypto_config_profile_medium.h b/configs/ext/tfm_mbedcrypto_config_profile_medium.h
index 0e7bc68..8ef28ee 100644
--- a/configs/ext/tfm_mbedcrypto_config_profile_medium.h
+++ b/configs/ext/tfm_mbedcrypto_config_profile_medium.h
@@ -234,7 +234,7 @@
* mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
* in mbedtls_config.h.
*
- * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * If the symbol #TF_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
* an alternative header to include instead of include/psa/crypto_config.h.
*
* This feature is still experimental and is not ready for production since
@@ -460,7 +460,7 @@
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
/**
- * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ * \def TF_PSA_CRYPTO_CONFIG_FILE
*
* If defined, this is a header which will be included instead of
* `"psa/crypto_config.h"`.
@@ -475,13 +475,13 @@
* The value of this symbol is typically a path in double quotes, either
* absolute or relative to a directory on the include search path.
*/
-//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+//#define TF_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
/**
- * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ * \def TF_PSA_CRYPTO_USER_CONFIG_FILE
*
* If defined, this is a header which will be included after
- * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * `"psa/crypto_config.h"` or #TF_PSA_CRYPTO_CONFIG_FILE.
* This allows you to modify the default configuration, including the ability
* to undefine options that are enabled by default.
*
@@ -492,7 +492,7 @@
* The value of this symbol is typically a path in double quotes, either
* absolute or relative to a directory on the include search path.
*/
-//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+//#define TF_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
/** \} name SECTION: General configuration options */
@@ -520,8 +520,7 @@
* Compared to the default implementation:
*
* - p256-m has a much smaller code size and RAM footprint.
- * - p256-m is only available via the PSA API. This includes the pk module
- * when #MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * - p256-m is only available via the PSA API. This includes the pk module.
* - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
* over the core arithmetic, or deterministic derivation of keys.
*
@@ -534,7 +533,6 @@
* cryptographic mechanisms through the PSA API:
* - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
* configuration;
- * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
* - #PSA_WANT_ECC_SECP_R1_256;
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
* - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md
index b91d55e..6fd8c49 100644
--- a/docs/proposed/config-split.md
+++ b/docs/proposed/config-split.md
@@ -114,6 +114,7 @@
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
//#define MBEDTLS_MEMORY_BACKTRACE
+//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
//#define MBEDTLS_MEMORY_DEBUG
#define MBEDTLS_PLATFORM_C
//#define MBEDTLS_PLATFORM_EXIT_ALT
@@ -248,6 +249,8 @@
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
//#define MBEDTLS_PSA_INJECT_ENTROPY
#define MBEDTLS_PSA_ITS_FILE_C
+#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
+//#define MBEDTLS_PSA_STATIC_KEY_SLOTS
//#define MBEDTLS_ENTROPY_MAX_GATHER 128
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20
@@ -255,6 +258,7 @@
//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
+//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256
```
#### SECTION Builtin drivers
@@ -311,6 +315,7 @@
#define MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_MODE_OFB
#define MBEDTLS_CIPHER_MODE_XTS
+//#define MBEDTLS_CIPHER_NULL_CIPHER
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_ZEROS
@@ -382,7 +387,6 @@
#### SECTION TLS feature selection
```
-//#define MBEDTLS_CIPHER_NULL_CIPHER
#define MBEDTLS_DEBUG_C
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
diff --git a/docs/psa-driver-example-and-guide.md b/docs/psa-driver-example-and-guide.md
index 15aa155..b392a85 100644
--- a/docs/psa-driver-example-and-guide.md
+++ b/docs/psa-driver-example-and-guide.md
@@ -43,7 +43,7 @@
- C header files defining the types required by the driver description. The names of these header files are declared in the driver description file.
- An object file compiled for the target platform defining the functions required by the driver description. Implementations may allow drivers to be provided as source files and compiled with the core instead of being pre-compiled.
-The Mbed TLS driver tests for the aforementioned entry points provide examples of how these deliverables can be implemented. For sample driver description JSON files, see [`mbedtls_test_transparent_driver.json`](https://github.com/Mbed-TLS/mbedtls/blob/development/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json) or [`mbedtls_test_opaque_driver.json`](https://github.com/Mbed-TLS/mbedtls/blob/development/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json). The header file required by the driver description is [`test_driver.h`](https://github.com/Mbed-TLS/mbedtls/blob/development/framework/tests/include/test/drivers/test_driver.h). As Mbed TLS tests are built from source, there is no object file for the test driver. However, the source for the test driver can be found under `framework/tests/src/drivers`.
+The Mbed TLS driver tests for the aforementioned entry points provide examples of how these deliverables can be implemented. For sample driver description JSON files, see [`mbedtls_test_transparent_driver.json`](https://github.com/Mbed-TLS/mbedtls/blob/development/tf-psa-crypto/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json) or [`mbedtls_test_opaque_driver.json`](https://github.com/Mbed-TLS/mbedtls/blob/development/tf-psa-crypto/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json). The header file required by the driver description is [`test_driver.h`](https://github.com/Mbed-TLS/mbedtls/blob/development/framework/tests/include/test/drivers/test_driver.h). As Mbed TLS tests are built from source, there is no object file for the test driver. However, the source for the test driver can be found under `framework/tests/src/drivers`.
### Process for Entry Points where auto-generation is not implemented
diff --git a/framework b/framework
index df0144c..a2c7694 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit df0144c4a3c0fc9beea606afde07cf8708233675
+Subproject commit a2c76945ca090f9dd099001d7c5158557f5a2036
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index da5ef4c..2025819 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -131,13 +131,13 @@
#endif
/* PSA crypto configuration */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
-#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+#if defined(TF_PSA_CRYPTO_CONFIG_FILE)
+#include TF_PSA_CRYPTO_CONFIG_FILE
#else
#include "psa/crypto_config.h"
#endif
-#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE)
-#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+#if defined(TF_PSA_CRYPTO_USER_CONFIG_FILE)
+#include TF_PSA_CRYPTO_USER_CONFIG_FILE
#endif
/* Indicate that all configuration files have been read.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 266f7cb..e5c6ee6 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -22,314 +22,6 @@
//#define MBEDTLS_CONFIG_VERSION 0x03000000
/**
- * \name SECTION: System support
- *
- * This section sets system specific settings.
- * \{
- */
-
-/**
- * \def MBEDTLS_HAVE_ASM
- *
- * The compiler has support for asm().
- *
- * Requires support for asm() in compiler.
- *
- * Used in:
- * library/aesni.h
- * library/aria.c
- * library/bn_mul.h
- * library/constant_time.c
- *
- * Required by:
- * MBEDTLS_AESCE_C
- * MBEDTLS_AESNI_C (on some platforms)
- *
- * Comment to disable the use of assembly code.
- */
-#define MBEDTLS_HAVE_ASM
-
-/**
- * \def MBEDTLS_NO_UDBL_DIVISION
- *
- * The platform lacks support for double-width integer division (64-bit
- * division on a 32-bit platform, 128-bit division on a 64-bit platform).
- *
- * Used in:
- * include/mbedtls/bignum.h
- * library/bignum.c
- *
- * The bignum code uses double-width division to speed up some operations.
- * Double-width division is often implemented in software that needs to
- * be linked with the program. The presence of a double-width integer
- * type is usually detected automatically through preprocessor macros,
- * but the automatic detection cannot know whether the code needs to
- * and can be linked with an implementation of division for that type.
- * By default division is assumed to be usable if the type is present.
- * Uncomment this option to prevent the use of double-width division.
- *
- * Note that division for the native integer type is always required.
- * Furthermore, a 64-bit type is always required even on a 32-bit
- * platform, but it need not support multiplication or division. In some
- * cases it is also desirable to disable some double-width operations. For
- * example, if double-width division is implemented in software, disabling
- * it can reduce code size in some embedded targets.
- */
-//#define MBEDTLS_NO_UDBL_DIVISION
-
-/**
- * \def MBEDTLS_NO_64BIT_MULTIPLICATION
- *
- * The platform lacks support for 32x32 -> 64-bit multiplication.
- *
- * Used in:
- * library/poly1305.c
- *
- * Some parts of the library may use multiplication of two unsigned 32-bit
- * operands with a 64-bit result in order to speed up computations. On some
- * platforms, this is not available in hardware and has to be implemented in
- * software, usually in a library provided by the toolchain.
- *
- * Sometimes it is not desirable to have to link to that library. This option
- * removes the dependency of that library on platforms that lack a hardware
- * 64-bit multiplier by embedding a software implementation in Mbed TLS.
- *
- * Note that depending on the compiler, this may decrease performance compared
- * to using the library function provided by the toolchain.
- */
-//#define MBEDTLS_NO_64BIT_MULTIPLICATION
-
-/**
- * \def MBEDTLS_HAVE_SSE2
- *
- * CPU supports SSE2 instruction set.
- *
- * Uncomment if the CPU supports SSE2 (IA-32 specific).
- */
-//#define MBEDTLS_HAVE_SSE2
-
-/**
- * \def MBEDTLS_HAVE_TIME
- *
- * System has time.h and time().
- * The time does not need to be correct, only time differences are used,
- * by contrast with MBEDTLS_HAVE_TIME_DATE
- *
- * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
- * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
- * MBEDTLS_PLATFORM_STD_TIME.
- *
- * Comment if your system does not support time functions.
- *
- * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
- * interface - timing.c will include time.h on suitable platforms
- * regardless of the setting of MBEDTLS_HAVE_TIME, unless
- * MBEDTLS_TIMING_ALT is used. See timing.c for more information.
- */
-#define MBEDTLS_HAVE_TIME
-
-/**
- * \def MBEDTLS_HAVE_TIME_DATE
- *
- * System has time.h, time(), and an implementation for
- * mbedtls_platform_gmtime_r() (see below).
- * The time needs to be correct (not necessarily very accurate, but at least
- * the date should be correct). This is used to verify the validity period of
- * X.509 certificates.
- *
- * Comment if your system does not have a correct clock.
- *
- * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
- * behaves similarly to the gmtime_r() function from the C standard. Refer to
- * the documentation for mbedtls_platform_gmtime_r() for more information.
- *
- * \note It is possible to configure an implementation for
- * mbedtls_platform_gmtime_r() at compile-time by using the macro
- * MBEDTLS_PLATFORM_GMTIME_R_ALT.
- */
-#define MBEDTLS_HAVE_TIME_DATE
-
-/**
- * \def MBEDTLS_PLATFORM_MEMORY
- *
- * Enable the memory allocation layer.
- *
- * By default Mbed TLS uses the system-provided calloc() and free().
- * This allows different allocators (self-implemented or provided) to be
- * provided to the platform abstraction layer.
- *
- * Enabling #MBEDTLS_PLATFORM_MEMORY without the
- * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
- * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
- * free() function pointer at runtime.
- *
- * Enabling #MBEDTLS_PLATFORM_MEMORY and specifying
- * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
- * alternate function at compile time.
- *
- * An overview of how the value of mbedtls_calloc is determined:
- *
- * - if !MBEDTLS_PLATFORM_MEMORY
- * - mbedtls_calloc = calloc
- * - if MBEDTLS_PLATFORM_MEMORY
- * - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
- * - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO
- * - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
- * - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC.
- * - How is MBEDTLS_PLATFORM_STD_CALLOC handled?
- * - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
- * - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything;
- * - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present;
- * - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
- * - if MBEDTLS_PLATFORM_STD_CALLOC is present:
- * - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected;
- * - if !MBEDTLS_PLATFORM_STD_CALLOC:
- * - MBEDTLS_PLATFORM_STD_CALLOC = calloc
- *
- * - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked.
- * - if !MBEDTLS_PLATFORM_STD_CALLOC
- * - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc
- *
- * - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC.
- *
- * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible.
- * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time.
- * #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used,
- * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases.
- * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer.
- * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything.
- *
- * Requires: MBEDTLS_PLATFORM_C
- *
- * Enable this layer to allow use of alternative memory allocators.
- */
-//#define MBEDTLS_PLATFORM_MEMORY
-
-/**
- * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
- *
- * Do not assign standard functions in the platform layer (e.g. calloc() to
- * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
- *
- * This makes sure there are no linking errors on platforms that do not support
- * these functions. You will HAVE to provide alternatives, either at runtime
- * via the platform_set_xxx() functions or at compile time by setting
- * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
- * MBEDTLS_PLATFORM_XXX_MACRO.
- *
- * Requires: MBEDTLS_PLATFORM_C
- *
- * Uncomment to prevent default assignment of standard functions in the
- * platform layer.
- */
-//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-
-/**
- * \def MBEDTLS_PLATFORM_EXIT_ALT
- *
- * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let Mbed TLS support the
- * function in the platform abstraction layer.
- *
- * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, Mbed TLS will
- * provide a function "mbedtls_platform_set_printf()" that allows you to set an
- * alternative printf function pointer.
- *
- * All these define require MBEDTLS_PLATFORM_C to be defined!
- *
- * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
- * it will be enabled automatically by check_config.h
- *
- * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
- * MBEDTLS_PLATFORM_XXX_MACRO!
- *
- * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
- *
- * Uncomment a macro to enable alternate implementation of specific base
- * platform function
- */
-//#define MBEDTLS_PLATFORM_SETBUF_ALT
-//#define MBEDTLS_PLATFORM_EXIT_ALT
-//#define MBEDTLS_PLATFORM_TIME_ALT
-//#define MBEDTLS_PLATFORM_FPRINTF_ALT
-//#define MBEDTLS_PLATFORM_PRINTF_ALT
-//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
-//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
-//#define MBEDTLS_PLATFORM_NV_SEED_ALT
-//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
-//#define MBEDTLS_PLATFORM_MS_TIME_ALT
-
-/**
- * Uncomment the macro to let Mbed TLS use your alternate implementation of
- * mbedtls_platform_gmtime_r(). This replaces the default implementation in
- * platform_util.c.
- *
- * gmtime() is not a thread-safe function as defined in the C standard. The
- * library will try to use safer implementations of this function, such as
- * gmtime_r() when available. However, if Mbed TLS cannot identify the target
- * system, the implementation of mbedtls_platform_gmtime_r() will default to
- * using the standard gmtime(). In this case, calls from the library to
- * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
- * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
- * library are also guarded with this mutex to avoid race conditions. However,
- * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
- * unconditionally use the implementation for mbedtls_platform_gmtime_r()
- * supplied at compile time.
- */
-//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
-
-/**
- * Uncomment the macro to let Mbed TLS use your alternate implementation of
- * mbedtls_platform_zeroize(), to wipe sensitive data in memory. This replaces
- * the default implementation in platform_util.c.
- *
- * By default, the library uses a system function such as memset_s()
- * (optional feature of C11), explicit_bzero() (BSD and compatible), or
- * SecureZeroMemory (Windows). If no such function is detected, the library
- * falls back to a plain C implementation. Compilers are technically
- * permitted to optimize this implementation out, meaning that the memory is
- * not actually wiped. The library tries to prevent that, but the C language
- * makes it impossible to guarantee that the memory will always be wiped.
- *
- * If your platform provides a guaranteed method to wipe memory which
- * `platform_util.c` does not detect, define this macro to the name of
- * a function that takes two arguments, a `void *` pointer and a length,
- * and wipes that many bytes starting at the specified address. For example,
- * if your platform has explicit_bzero() but `platform_util.c` does not
- * detect its presence, define `MBEDTLS_PLATFORM_ZEROIZE_ALT` to be
- * `explicit_bzero` to use that function as mbedtls_platform_zeroize().
- */
-//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
-
-/**
- * \def MBEDTLS_DEPRECATED_WARNING
- *
- * Mark deprecated functions and features so that they generate a warning if
- * used. Functionality deprecated in one version will usually be removed in the
- * next version. You can enable this to help you prepare the transition to a
- * new major version by making sure your code is not using this functionality.
- *
- * This only works with GCC and Clang. With other compilers, you may want to
- * use MBEDTLS_DEPRECATED_REMOVED
- *
- * Uncomment to get warnings on using deprecated functions and features.
- */
-//#define MBEDTLS_DEPRECATED_WARNING
-
-/**
- * \def MBEDTLS_DEPRECATED_REMOVED
- *
- * Remove deprecated functions and features so that they generate an error if
- * used. Functionality deprecated in one version will usually be removed in the
- * next version. You can enable this to help you prepare the transition to a
- * new major version by making sure your code is not using this functionality.
- *
- * Uncomment to get errors on using deprecated functions and features.
- */
-//#define MBEDTLS_DEPRECATED_REMOVED
-
-/** \} name SECTION: System support */
-
-/**
* \name SECTION: Mbed TLS feature support
*
* This section sets support for features that are or are not needed
@@ -351,331 +43,6 @@
//#define MBEDTLS_TIMING_ALT
/**
- * \def MBEDTLS_ENTROPY_HARDWARE_ALT
- *
- * Uncomment this macro to let Mbed TLS use your own implementation of a
- * hardware entropy collector.
- *
- * Your function must be called \c mbedtls_hardware_poll(), have the same
- * prototype as declared in library/entropy_poll.h, and accept NULL as first
- * argument.
- *
- * Uncomment to use your own hardware entropy collector.
- */
-//#define MBEDTLS_ENTROPY_HARDWARE_ALT
-
-/**
- * \def MBEDTLS_AES_ROM_TABLES
- *
- * Use precomputed AES tables stored in ROM.
- *
- * Uncomment this macro to use precomputed AES tables stored in ROM.
- * Comment this macro to generate AES tables in RAM at runtime.
- *
- * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
- * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
- * initialization time before the first AES operation can be performed.
- * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
- * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
- * performance if ROM access is slower than RAM access.
- *
- * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
- */
-//#define MBEDTLS_AES_ROM_TABLES
-
-/**
- * \def MBEDTLS_AES_FEWER_TABLES
- *
- * Use less ROM/RAM for AES tables.
- *
- * Uncommenting this macro omits 75% of the AES tables from
- * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
- * by computing their values on the fly during operations
- * (the tables are entry-wise rotations of one another).
- *
- * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
- * by ~6kb but at the cost of more arithmetic operations during
- * runtime. Specifically, one has to compare 4 accesses within
- * different tables to 4 accesses with additional arithmetic
- * operations within the same table. The performance gain/loss
- * depends on the system and memory details.
- *
- * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
- */
-//#define MBEDTLS_AES_FEWER_TABLES
-
-/**
- * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
- *
- * Use only 128-bit keys in AES operations to save ROM.
- *
- * Uncomment this macro to remove support for AES operations that use 192-
- * or 256-bit keys.
- *
- * Uncommenting this macro reduces the size of AES code by ~300 bytes
- * on v8-M/Thumb2.
- *
- * Module: library/aes.c
- *
- * Requires: MBEDTLS_AES_C
- */
-//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-
-/*
- * Disable plain C implementation for AES.
- *
- * When the plain C implementation is enabled, and an implementation using a
- * special CPU feature (such as MBEDTLS_AESCE_C) is also enabled, runtime
- * detection will be used to select between them.
- *
- * If only one implementation is present, runtime detection will not be used.
- * This configuration will crash at runtime if running on a CPU without the
- * necessary features. It will not build unless at least one of MBEDTLS_AESCE_C
- * and/or MBEDTLS_AESNI_C is enabled & present in the build.
- */
-//#define MBEDTLS_AES_USE_HARDWARE_ONLY
-
-/**
- * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
- *
- * Use less ROM for the Camellia implementation (saves about 768 bytes).
- *
- * Uncomment this macro to use less memory for Camellia.
- */
-//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
-
-/**
- * \def MBEDTLS_CHECK_RETURN_WARNING
- *
- * If this macro is defined, emit a compile-time warning if application code
- * calls a function without checking its return value, but the return value
- * should generally be checked in portable applications.
- *
- * This is only supported on platforms where #MBEDTLS_CHECK_RETURN is
- * implemented. Otherwise this option has no effect.
- *
- * Uncomment to get warnings on using fallible functions without checking
- * their return value.
- *
- * \note This feature is a work in progress.
- * Warnings will be added to more functions in the future.
- *
- * \note A few functions are considered critical, and ignoring the return
- * value of these functions will trigger a warning even if this
- * macro is not defined. To completely disable return value check
- * warnings, define #MBEDTLS_CHECK_RETURN with an empty expansion.
- */
-//#define MBEDTLS_CHECK_RETURN_WARNING
-
-/**
- * \def MBEDTLS_CIPHER_MODE_CBC
- *
- * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_CBC
-
-/**
- * \def MBEDTLS_CIPHER_MODE_CFB
- *
- * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_CFB
-
-/**
- * \def MBEDTLS_CIPHER_MODE_CTR
- *
- * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_CTR
-
-/**
- * \def MBEDTLS_CIPHER_MODE_OFB
- *
- * Enable Output Feedback mode (OFB) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_OFB
-
-/**
- * \def MBEDTLS_CIPHER_MODE_XTS
- *
- * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
- */
-#define MBEDTLS_CIPHER_MODE_XTS
-
-/**
- * \def MBEDTLS_CIPHER_NULL_CIPHER
- *
- * Enable NULL cipher.
- * Warning: Only do so when you know what you are doing. This allows for
- * encryption or channels without any security!
- *
- * To enable the following ciphersuites:
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
- * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
- * MBEDTLS_TLS_RSA_WITH_NULL_SHA
- * MBEDTLS_TLS_RSA_WITH_NULL_MD5
- * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
- * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
- * MBEDTLS_TLS_PSK_WITH_NULL_SHA
- *
- * Uncomment this macro to enable the NULL cipher and ciphersuites
- */
-//#define MBEDTLS_CIPHER_NULL_CIPHER
-
-/**
- * \def MBEDTLS_CIPHER_PADDING_PKCS7
- *
- * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
- * specific padding modes in the cipher layer with cipher modes that support
- * padding (e.g. CBC)
- *
- * If you disable all padding modes, only full blocks can be used with CBC.
- *
- * Enable padding modes in the cipher layer.
- */
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#define MBEDTLS_CIPHER_PADDING_ZEROS
-
-/** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
- *
- * Uncomment this macro to use a 128-bit key in the CTR_DRBG module.
- * Without this, CTR_DRBG uses a 256-bit key
- * unless \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
- */
-//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
-
-/**
- * Enable the verified implementations of ECDH primitives from Project Everest
- * (currently only Curve25519). This feature changes the layout of ECDH
- * contexts and therefore is a compatibility break for applications that access
- * fields of a mbedtls_ecdh_context structure directly. See also
- * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
- *
- * The Everest code is provided under the Apache 2.0 license only; therefore enabling this
- * option is not compatible with taking the library under the GPL v2.0-or-later license.
- */
-//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
-
-/**
- * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
- *
- * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
- * module. By default all supported curves are enabled.
- *
- * Comment macros to disable the curve and functions for it
- */
-/* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#define MBEDTLS_ECP_DP_BP256R1_ENABLED
-#define MBEDTLS_ECP_DP_BP384R1_ENABLED
-#define MBEDTLS_ECP_DP_BP512R1_ENABLED
-/* Montgomery curves (supporting ECP) */
-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#define MBEDTLS_ECP_DP_CURVE448_ENABLED
-
-/**
- * \def MBEDTLS_ECP_NIST_OPTIM
- *
- * Enable specific 'modulo p' routines for each NIST prime.
- * Depending on the prime and architecture, makes operations 4 to 8 times
- * faster on the corresponding curve.
- *
- * Comment this macro to disable NIST curves optimisation.
- */
-#define MBEDTLS_ECP_NIST_OPTIM
-
-/**
- * \def MBEDTLS_ECP_RESTARTABLE
- *
- * Enable "non-blocking" ECC operations that can return early and be resumed.
- *
- * This allows various functions to pause by returning
- * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
- * order to further progress and eventually complete their operation. This is
- * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
- * number of ECC operations a function may perform before pausing; see
- * mbedtls_ecp_set_max_ops() for more information.
- *
- * This is useful in non-threaded environments if you want to avoid blocking
- * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
- *
- * This option:
- * - Adds xxx_restartable() variants of existing operations in the
- * following modules, with corresponding restart context types:
- * - ECP (for Short Weierstrass curves only): scalar multiplication (mul),
- * linear combination (muladd);
- * - ECDSA: signature generation & verification;
- * - PK: signature generation & verification;
- * - X509: certificate chain verification.
- * - Adds mbedtls_ecdh_enable_restart() in the ECDH module.
- * - Changes the behaviour of TLS 1.2 clients (not servers) when using the
- * ECDHE-ECDSA key exchange (not other key exchanges) to make all ECC
- * computations restartable:
- * - ECDH operations from the key exchange, only for Short Weierstrass
- * curves, only when MBEDTLS_USE_PSA_CRYPTO is not enabled.
- * - verification of the server's key exchange signature;
- * - verification of the server's certificate chain;
- * - generation of the client's signature if client authentication is used,
- * with an ECC key/certificate.
- *
- * \note In the cases above, the usual SSL/TLS functions, such as
- * mbedtls_ssl_handshake(), can now return
- * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS.
- *
- * \note When this option and MBEDTLS_USE_PSA_CRYPTO are both enabled,
- * restartable operations in PK, X.509 and TLS (see above) are not
- * using PSA. On the other hand, ECDH computations in TLS are using
- * PSA, and are not restartable. These are temporary limitations that
- * should be lifted in the future.
- *
- * Requires: MBEDTLS_ECP_C
- *
- * Uncomment this macro to enable restartable ECC computations.
- */
-//#define MBEDTLS_ECP_RESTARTABLE
-
-/**
- * Uncomment to enable using new bignum code in the ECC modules.
- *
- * \warning This is currently experimental, incomplete and therefore should not
- * be used in production.
- */
-//#define MBEDTLS_ECP_WITH_MPI_UINT
-
-/**
- * \def MBEDTLS_ECDSA_DETERMINISTIC
- *
- * Enable deterministic ECDSA (RFC 6979).
- * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
- * may result in a compromise of the long-term signing key. This is avoided by
- * the deterministic variant.
- *
- * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
- *
- * Comment this macro to disable deterministic ECDSA.
- */
-#define MBEDTLS_ECDSA_DETERMINISTIC
-
-/**
* \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
*
* Enable the PSK based ciphersuite modes in SSL / TLS.
@@ -729,7 +96,7 @@
*
* Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
*
- * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -804,7 +171,7 @@
*
* Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
*
- * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
* MBEDTLS_RSA_C
* MBEDTLS_PKCS1_V15
* MBEDTLS_X509_CRT_PARSE_C
@@ -829,8 +196,8 @@
*
* Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
*
- * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)
- * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA)
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
+ * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
* MBEDTLS_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
@@ -853,8 +220,8 @@
*
* Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
*
- * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)
- * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA)
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
+ * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
* MBEDTLS_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
@@ -877,7 +244,7 @@
*
* Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
*
- * Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
* MBEDTLS_RSA_C
* MBEDTLS_X509_CRT_PARSE_C
*
@@ -905,14 +272,10 @@
* Thread v1.0.0 specification; incompatible changes to the specification
* might still happen. For this reason, this is disabled by default.
*
- * Requires: MBEDTLS_ECJPAKE_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_JPAKE)
+ * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE
* SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
- * \warning If SHA-256 is provided only by a PSA driver, you must call
- * psa_crypto_init() before the first handshake (even if
- * MBEDTLS_USE_PSA_CRYPTO is disabled).
- *
* This enables the following ciphersuites (if other requisites are
* enabled as well):
* MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
@@ -920,33 +283,6 @@
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
/**
- * \def MBEDTLS_PK_PARSE_EC_EXTENDED
- *
- * Enhance support for reading EC keys using variants of SEC1 not allowed by
- * RFC 5915 and RFC 5480.
- *
- * Currently this means parsing the SpecifiedECDomain choice of EC
- * parameters (only known groups are supported, not arbitrary domains, to
- * avoid validation issues).
- *
- * Disable if you only need to support RFC 5915 + 5480 key formats.
- */
-#define MBEDTLS_PK_PARSE_EC_EXTENDED
-
-/**
- * \def MBEDTLS_PK_PARSE_EC_COMPRESSED
- *
- * Enable the support for parsing public keys of type Short Weierstrass
- * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX) which are using the
- * compressed point format. This parsing is done through ECP module's functions.
- *
- * \note As explained in the description of MBEDTLS_ECP_PF_COMPRESSED (in ecp.h)
- * the only unsupported curves are MBEDTLS_ECP_DP_SECP224R1 and
- * MBEDTLS_ECP_DP_SECP224K1.
- */
-#define MBEDTLS_PK_PARSE_EC_COMPRESSED
-
-/**
* \def MBEDTLS_ERROR_STRERROR_DUMMY
*
* Enable a dummy error function to make use of mbedtls_strerror() in
@@ -962,385 +298,6 @@
#define MBEDTLS_ERROR_STRERROR_DUMMY
/**
- * \def MBEDTLS_GENPRIME
- *
- * Enable the prime-number generation code.
- *
- * Requires: MBEDTLS_BIGNUM_C
- */
-#define MBEDTLS_GENPRIME
-
-/**
- * \def MBEDTLS_FS_IO
- *
- * Enable functions that use the filesystem.
- */
-#define MBEDTLS_FS_IO
-
-/**
- * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- *
- * Do not add default entropy sources in mbedtls_entropy_init().
- *
- * This is useful to have more control over the added entropy sources in an
- * application.
- *
- * Uncomment this macro to prevent loading of default entropy functions.
- */
-//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-
-/**
- * \def MBEDTLS_NO_PLATFORM_ENTROPY
- *
- * Do not use built-in platform entropy functions.
- * This is useful if your platform does not support
- * standards like the /dev/urandom or Windows CryptoAPI.
- *
- * Uncomment this macro to disable the built-in platform entropy functions.
- */
-//#define MBEDTLS_NO_PLATFORM_ENTROPY
-
-/**
- * \def MBEDTLS_ENTROPY_FORCE_SHA256
- *
- * Force the entropy accumulator to use a SHA-256 accumulator instead of the
- * default SHA-512 based one (if both are available).
- *
- * Requires: MBEDTLS_SHA256_C
- *
- * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
- * if you have performance concerns.
- *
- * This option is only useful if both MBEDTLS_SHA256_C and
- * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
- */
-//#define MBEDTLS_ENTROPY_FORCE_SHA256
-
-/**
- * \def MBEDTLS_ENTROPY_NV_SEED
- *
- * Enable the non-volatile (NV) seed file-based entropy source.
- * (Also enables the NV seed read/write functions in the platform layer)
- *
- * This is crucial (if not required) on systems that do not have a
- * cryptographic entropy source (in hardware or kernel) available.
- *
- * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
- *
- * \note The read/write functions that are used by the entropy source are
- * determined in the platform layer, and can be modified at runtime and/or
- * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
- *
- * \note If you use the default implementation functions that read a seedfile
- * with regular fopen(), please make sure you make a seedfile with the
- * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
- * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
- * and written to or you will get an entropy source error! The default
- * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
- * bytes from the file.
- *
- * \note The entropy collector will write to the seed file before entropy is
- * given to an external source, to update it.
- */
-//#define MBEDTLS_ENTROPY_NV_SEED
-
-/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
- *
- * Enable key identifiers that encode a key owner identifier.
- *
- * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
- * which is currently hard-coded to be int32_t.
- *
- * Note that this option is meant for internal use only and may be removed
- * without notice.
- */
-//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-
-/**
- * \def MBEDTLS_MEMORY_DEBUG
- *
- * Enable debugging of buffer allocator memory issues. Automatically prints
- * (to stderr) all (fatal) messages on memory allocation issues. Enables
- * function for 'debug output' of allocated memory.
- *
- * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
- *
- * Uncomment this macro to let the buffer allocator print out error messages.
- */
-//#define MBEDTLS_MEMORY_DEBUG
-
-/**
- * \def MBEDTLS_MEMORY_BACKTRACE
- *
- * Include backtrace information with each allocated block.
- *
- * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
- * GLIBC-compatible backtrace() and backtrace_symbols() support
- *
- * Uncomment this macro to include backtrace information
- */
-//#define MBEDTLS_MEMORY_BACKTRACE
-
-/**
- * \def MBEDTLS_PK_RSA_ALT_SUPPORT
- *
- * Support external private RSA keys (eg from a HSM) in the PK layer.
- *
- * Comment this macro to disable support for external private RSA keys.
- */
-#define MBEDTLS_PK_RSA_ALT_SUPPORT
-
-/**
- * \def MBEDTLS_PKCS1_V15
- *
- * Enable support for PKCS#1 v1.5 encoding.
- *
- * Requires: MBEDTLS_RSA_C
- *
- * This enables support for PKCS#1 v1.5 operations.
- */
-#define MBEDTLS_PKCS1_V15
-
-/**
- * \def MBEDTLS_PKCS1_V21
- *
- * Enable support for PKCS#1 v2.1 encoding.
- *
- * Requires: MBEDTLS_RSA_C
- *
- * \warning If using a hash that is only provided by PSA drivers, you must
- * call psa_crypto_init() before doing any PKCS#1 v2.1 operation.
- *
- * This enables support for RSAES-OAEP and RSASSA-PSS operations.
- */
-#define MBEDTLS_PKCS1_V21
-
-/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
- *
- * Enable support for platform built-in keys. If you enable this feature,
- * you must implement the function mbedtls_psa_platform_get_builtin_key().
- * See the documentation of that function for more information.
- *
- * Built-in keys are typically derived from a hardware unique key or
- * stored in a secure element.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C.
- *
- * \warning This interface is experimental and may change or be removed
- * without notice.
- */
-//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
-
-/** \def MBEDTLS_PSA_CRYPTO_CLIENT
- *
- * Enable support for PSA crypto client.
- *
- * \note This option allows to include the code necessary for a PSA
- * crypto client when the PSA crypto implementation is not included in
- * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
- * code to set and get PSA key attributes.
- * The development of PSA drivers partially relying on the library to
- * fulfill the hardware gaps is another possible usage of this option.
- *
- * \warning This interface is experimental and may change or be removed
- * without notice.
- */
-//#define MBEDTLS_PSA_CRYPTO_CLIENT
-
-/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
- *
- * Make the PSA Crypto module use an external random generator provided
- * by a driver, instead of Mbed TLS's entropy and DRBG modules.
- *
- * \note This random generator must deliver random numbers with cryptographic
- * quality and high performance. It must supply unpredictable numbers
- * with a uniform distribution. The implementation of this function
- * is responsible for ensuring that the random generator is seeded
- * with sufficient entropy. If you have a hardware TRNG which is slow
- * or delivers non-uniform output, declare it as an entropy source
- * with mbedtls_entropy_add_source() instead of enabling this option.
- *
- * If you enable this option, you must configure the type
- * ::mbedtls_psa_external_random_context_t in psa/crypto_platform.h
- * and define a function called mbedtls_psa_external_get_random()
- * with the following prototype:
- * ```
- * psa_status_t mbedtls_psa_external_get_random(
- * mbedtls_psa_external_random_context_t *context,
- * uint8_t *output, size_t output_size, size_t *output_length);
- * );
- * ```
- * The \c context value is initialized to 0 before the first call.
- * The function must fill the \c output buffer with \c output_size bytes
- * of random data and set \c *output_length to \c output_size.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- * \warning If you enable this option, code that uses the PSA cryptography
- * interface will not use any of the entropy sources set up for
- * the entropy module, nor the NV seed that MBEDTLS_ENTROPY_NV_SEED
- * enables.
- *
- * \note This option is experimental and may be removed without notice.
- */
-//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_SPM
- *
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
- * Partition Manager) integration which separates the code into two parts: a
- * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
- * Environment).
- *
- * If you enable this option, your build environment must include a header
- * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
- * header files, or in another directory on the compiler's include search
- * path). Alternatively, your platform may customize the header
- * `psa/crypto_platform.h`, in which case it can skip or replace the
- * inclusion of `"crypto_spe.h"`.
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-//#define MBEDTLS_PSA_CRYPTO_SPM
-
-/**
- * \def MBEDTLS_PSA_KEY_STORE_DYNAMIC
- *
- * Dynamically resize the PSA key store to accommodate any number of
- * volatile keys (until the heap memory is exhausted).
- *
- * If this option is disabled, the key store has a fixed size
- * #MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys
- * together.
- *
- * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- */
-#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
-
-/**
- * Uncomment to enable p256-m. This is an alternative implementation of
- * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
- * Compared to the default implementation:
- *
- * - p256-m has a much smaller code size and RAM footprint.
- * - p256-m is only available via the PSA API. This includes the pk module
- * when #MBEDTLS_USE_PSA_CRYPTO is enabled.
- * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
- * over the core arithmetic, or deterministic derivation of keys.
- *
- * We recommend enabling this option if your application uses the PSA API
- * and the only elliptic curve support it needs is ECDH and ECDSA over
- * SECP256R1.
- *
- * If you enable this option, you do not need to enable any ECC-related
- * MBEDTLS_xxx option. You do need to separately request support for the
- * cryptographic mechanisms through the PSA API:
- * - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration;
- * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
- * - #PSA_WANT_ECC_SECP_R1_256;
- * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
- * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
- * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
- * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
- * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
- *
- * \note To benefit from the smaller code size of p256-m, make sure that you
- * do not enable any ECC-related option not supported by p256-m: this
- * would cause the built-in ECC implementation to be built as well, in
- * order to provide the required option.
- * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
- * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
- * SECP256R1 are disabled as they are not supported by this driver.
- * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
- * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
- * the built-in ECC implementation, see docs/driver-only-builds.md.
- */
-//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
-
-/**
- * \def MBEDTLS_PSA_INJECT_ENTROPY
- *
- * Enable support for entropy injection at first boot. This feature is
- * required on systems that do not have a built-in entropy source (TRNG).
- * This feature is currently not supported on systems that have a built-in
- * entropy source.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_STORAGE_C, MBEDTLS_ENTROPY_NV_SEED
- *
- */
-//#define MBEDTLS_PSA_INJECT_ENTROPY
-
-/**
- * \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
- *
- * Assume all buffers passed to PSA functions are owned exclusively by the
- * PSA function and are not stored in shared memory.
- *
- * This option may be enabled if all buffers passed to any PSA function reside
- * in memory that is accessible only to the PSA function during its execution.
- *
- * This option MUST be disabled whenever buffer arguments are in memory shared
- * with an untrusted party, for example where arguments to PSA calls are passed
- * across a trust boundary.
- *
- * \note Enabling this option reduces memory usage and code size.
- *
- * \note Enabling this option causes overlap of input and output buffers
- * not to be supported by PSA functions.
- */
-//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
-
-/**
- * \def MBEDTLS_RSA_NO_CRT
- *
- * Do not use the Chinese Remainder Theorem
- * for the RSA private operation.
- *
- * Uncomment this macro to disable the use of CRT in RSA.
- *
- */
-//#define MBEDTLS_RSA_NO_CRT
-
-/**
- * \def MBEDTLS_SELF_TEST
- *
- * Enable the checkup functions (*_self_test).
- */
-#define MBEDTLS_SELF_TEST
-
-/**
- * \def MBEDTLS_SHA256_SMALLER
- *
- * Enable an implementation of SHA-256 that has lower ROM footprint but also
- * lower performance.
- *
- * The default implementation is meant to be a reasonable compromise between
- * performance and size. This version optimizes more aggressively for size at
- * the expense of performance. Eg on Cortex-M4 it reduces the size of
- * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
- * 30%.
- *
- * Uncomment to enable the smaller implementation of SHA256.
- */
-//#define MBEDTLS_SHA256_SMALLER
-
-/**
- * \def MBEDTLS_SHA512_SMALLER
- *
- * Enable an implementation of SHA-512 that has lower ROM footprint but also
- * lower performance.
- *
- * Uncomment to enable the smaller implementation of SHA512.
- */
-//#define MBEDTLS_SHA512_SMALLER
-
-/**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
*
* Enable sending of alert messages in case of encountered errors as per RFC.
@@ -1563,15 +520,7 @@
*
* Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
*
- * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and
- * (MBEDTLS_SHA256_C or MBEDTLS_SHA384_C or
- * SHA-256 or SHA-512 provided by a PSA driver)
- * With MBEDTLS_USE_PSA_CRYPTO:
- * PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
- *
- * \warning If building with MBEDTLS_USE_PSA_CRYPTO, or if the hash(es) used
- * are only provided by PSA drivers, you must call psa_crypto_init() before
- * doing any TLS operations.
+ * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
*
* Comment this macro to disable support for TLS 1.2 / DTLS 1.2
*/
@@ -1588,15 +537,6 @@
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
* Requires: MBEDTLS_PSA_CRYPTO_C
*
- * \note TLS 1.3 uses PSA crypto for cryptographic operations that are
- * directly performed by TLS 1.3 code. As a consequence, you must
- * call psa_crypto_init() before the first TLS 1.3 handshake.
- *
- * \note Cryptographic operations performed indirectly via another module
- * (X.509, PK) or by code shared with TLS 1.2 (record protection,
- * running handshake hash) only use PSA crypto if
- * #MBEDTLS_USE_PSA_CRYPTO is enabled.
- *
* Uncomment this macro to enable the support for TLS 1.3.
*/
#define MBEDTLS_SSL_PROTO_TLS1_3
@@ -1643,7 +583,7 @@
* Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH
* MBEDTLS_X509_CRT_PARSE_C
* and at least one of:
- * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA)
+ * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
* MBEDTLS_PKCS1_V21
*
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
@@ -1823,84 +763,6 @@
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
/**
- * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
- *
- * Enable testing of the constant-flow nature of some sensitive functions with
- * clang's MemorySanitizer. This causes some existing tests to also test
- * this non-functional property of the code under test.
- *
- * This setting requires compiling with clang -fsanitize=memory. The test
- * suites can then be run normally.
- *
- * \warning This macro is only used for extended testing; it is not considered
- * part of the library's API, so it may change or disappear at any time.
- *
- * Uncomment to enable testing of the constant-flow nature of selected code.
- */
-//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
-
-/**
- * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
- *
- * Enable testing of the constant-flow nature of some sensitive functions with
- * valgrind's memcheck tool. This causes some existing tests to also test
- * this non-functional property of the code under test.
- *
- * This setting requires valgrind headers for building, and is only useful for
- * testing if the tests suites are run with valgrind's memcheck. This can be
- * done for an individual test suite with 'valgrind ./test_suite_xxx', or when
- * using CMake, this can be done for all test suites with 'make memcheck'.
- *
- * \warning This macro is only used for extended testing; it is not considered
- * part of the library's API, so it may change or disappear at any time.
- *
- * Uncomment to enable testing of the constant-flow nature of selected code.
- */
-//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
-
-/**
- * \def MBEDTLS_TEST_HOOKS
- *
- * Enable features for invasive testing such as introspection functions and
- * hooks for fault injection. This enables additional unit tests.
- *
- * Merely enabling this feature should not change the behavior of the product.
- * It only adds new code, and new branching points where the default behavior
- * is the same as when this feature is disabled.
- * However, this feature increases the attack surface: there is an added
- * risk of vulnerabilities, and more gadgets that can make exploits easier.
- * Therefore this feature must never be enabled in production.
- *
- * See `docs/architecture/testing/mbed-crypto-invasive-testing.md` for more
- * information.
- *
- * Uncomment to enable invasive tests.
- */
-//#define MBEDTLS_TEST_HOOKS
-
-/**
- * \def MBEDTLS_THREADING_ALT
- *
- * Provide your own alternate threading implementation.
- *
- * Requires: MBEDTLS_THREADING_C
- *
- * Uncomment this to allow your own alternate threading implementation.
- */
-//#define MBEDTLS_THREADING_ALT
-
-/**
- * \def MBEDTLS_THREADING_PTHREAD
- *
- * Enable the pthread wrapper layer for the threading layer.
- *
- * Requires: MBEDTLS_THREADING_C
- *
- * Uncomment this to enable pthread mutexes.
- */
-//#define MBEDTLS_THREADING_PTHREAD
-
-/**
* \def MBEDTLS_VERSION_FEATURES
*
* Allow run-time checking of compile-time enabled features. Thus allowing users
@@ -1966,417 +828,6 @@
*/
/**
- * \def MBEDTLS_AESNI_C
- *
- * Enable AES-NI support on x86-64 or x86-32.
- *
- * \note AESNI is only supported with certain compilers and target options:
- * - Visual Studio: supported
- * - GCC, x86-64, target not explicitly supporting AESNI:
- * requires MBEDTLS_HAVE_ASM.
- * - GCC, x86-32, target not explicitly supporting AESNI:
- * not supported.
- * - GCC, x86-64 or x86-32, target supporting AESNI: supported.
- * For this assembly-less implementation, you must currently compile
- * `library/aesni.c` and `library/aes.c` with machine options to enable
- * SSE2 and AESNI instructions: `gcc -msse2 -maes -mpclmul` or
- * `clang -maes -mpclmul`.
- * - Non-x86 targets: this option is silently ignored.
- * - Other compilers: this option is silently ignored.
- *
- * \note
- * Above, "GCC" includes compatible compilers such as Clang.
- * The limitations on target support are likely to be relaxed in the future.
- *
- * Module: library/aesni.c
- * Caller: library/aes.c
- *
- * Requires: MBEDTLS_HAVE_ASM (on some platforms, see note)
- *
- * This modules adds support for the AES-NI instructions on x86.
- */
-#define MBEDTLS_AESNI_C
-
-/**
- * \def MBEDTLS_AESCE_C
- *
- * Enable AES cryptographic extension support on Armv8.
- *
- * Module: library/aesce.c
- * Caller: library/aes.c
- *
- * Requires: MBEDTLS_AES_C
- *
- * \warning Runtime detection only works on Linux. For non-Linux operating
- * system, Armv8-A Cryptographic Extensions must be supported by
- * the CPU when this option is enabled.
- *
- * \note Minimum compiler versions for this feature when targeting aarch64
- * are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2.
- * Minimum compiler versions for this feature when targeting 32-bit
- * Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0.
- *
- * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
- * armclang <= 6.9
- *
- * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.
- */
-#define MBEDTLS_AESCE_C
-
-/**
- * \def MBEDTLS_AES_C
- *
- * Enable the AES block cipher.
- *
- * Module: library/aes.c
- * Caller: library/cipher.c
- * library/pem.c
- * library/ctr_drbg.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
- *
- * PEM_PARSE uses AES for decrypting encrypted keys.
- */
-#define MBEDTLS_AES_C
-
-/**
- * \def MBEDTLS_ASN1_PARSE_C
- *
- * Enable the generic ASN1 parser.
- *
- * Module: library/asn1.c
- * Caller: library/x509.c
- * library/dhm.c
- * library/pkcs12.c
- * library/pkcs5.c
- * library/pkparse.c
- */
-#define MBEDTLS_ASN1_PARSE_C
-
-/**
- * \def MBEDTLS_ASN1_WRITE_C
- *
- * Enable the generic ASN1 writer.
- *
- * Module: library/asn1write.c
- * Caller: library/ecdsa.c
- * library/pkwrite.c
- * library/x509_create.c
- * library/x509write_crt.c
- * library/x509write_csr.c
- */
-#define MBEDTLS_ASN1_WRITE_C
-
-/**
- * \def MBEDTLS_BASE64_C
- *
- * Enable the Base64 module.
- *
- * Module: library/base64.c
- * Caller: library/pem.c
- *
- * This module is required for PEM support (required by X.509).
- */
-#define MBEDTLS_BASE64_C
-
-/**
- * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
- *
- * Remove decryption operation for AES, ARIA and Camellia block cipher.
- *
- * \note This feature is incompatible with insecure block cipher,
- * MBEDTLS_DES_C, and cipher modes which always require decryption
- * operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and
- * MBEDTLS_NIST_KW_C. This feature is incompatible with following
- * supported PSA equivalence PSA_WANT_ALG_ECB_NO_PADDING,
- * PSA_WANT_ALG_CBC_NO_PADDING, PSA_WANT_ALG_CBC_PKCS7 and
- * PSA_WANT_KEY_TYPE_DES.
- *
- * Module: library/aes.c
- * library/aesce.c
- * library/aesni.c
- * library/aria.c
- * library/camellia.c
- * library/cipher.c
- */
-//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
-
-/**
- * \def MBEDTLS_BIGNUM_C
- *
- * Enable the multi-precision integer library.
- *
- * Module: library/bignum.c
- * library/bignum_core.c
- * library/bignum_mod.c
- * library/bignum_mod_raw.c
- * Caller: library/dhm.c
- * library/ecp.c
- * library/ecdsa.c
- * library/rsa.c
- * library/rsa_alt_helpers.c
- * library/ssl_tls.c
- *
- * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
- */
-#define MBEDTLS_BIGNUM_C
-
-/**
- * \def MBEDTLS_CAMELLIA_C
- *
- * Enable the Camellia block cipher.
- *
- * Module: library/camellia.c
- * Caller: library/cipher.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
- */
-#define MBEDTLS_CAMELLIA_C
-
-/**
- * \def MBEDTLS_ARIA_C
- *
- * Enable the ARIA block cipher.
- *
- * Module: library/aria.c
- * Caller: library/cipher.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *
- * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
- */
-#define MBEDTLS_ARIA_C
-
-/**
- * \def MBEDTLS_CCM_C
- *
- * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
- *
- * Module: library/ccm.c
- *
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
- * MBEDTLS_ARIA_C
- *
- * This module enables the AES-CCM ciphersuites, if other requisites are
- * enabled as well.
- */
-#define MBEDTLS_CCM_C
-
-/**
- * \def MBEDTLS_CHACHA20_C
- *
- * Enable the ChaCha20 stream cipher.
- *
- * Module: library/chacha20.c
- */
-#define MBEDTLS_CHACHA20_C
-
-/**
- * \def MBEDTLS_CHACHAPOLY_C
- *
- * Enable the ChaCha20-Poly1305 AEAD algorithm.
- *
- * Module: library/chachapoly.c
- *
- * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
- */
-#define MBEDTLS_CHACHAPOLY_C
-
-/**
- * \def MBEDTLS_CIPHER_C
- *
- * Enable the generic cipher layer.
- *
- * Module: library/cipher.c
- * Caller: library/ccm.c
- * library/cmac.c
- * library/gcm.c
- * library/nist_kw.c
- * library/pkcs12.c
- * library/pkcs5.c
- * library/psa_crypto_aead.c
- * library/psa_crypto_mac.c
- * library/ssl_ciphersuites.c
- * library/ssl_msg.c
- * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)
- * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled
- * (see the documentation of that option for details).
- *
- * Uncomment to enable generic cipher wrappers.
- */
-#define MBEDTLS_CIPHER_C
-
-/**
- * \def MBEDTLS_CMAC_C
- *
- * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
- * ciphers.
- *
- * Module: library/cmac.c
- *
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C
- *
- */
-#define MBEDTLS_CMAC_C
-
-/**
- * \def MBEDTLS_CTR_DRBG_C
- *
- * Enable the CTR_DRBG AES-based random generator.
- * The CTR_DRBG generator uses AES-256 by default.
- * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
- *
- * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
- * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
- * is used.
- *
- * \warning When using PSA, the user should call `psa_crypto_init()` before
- * using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`).
- *
- * \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
- *
- * \note To achieve a 256-bit security strength with CTR_DRBG,
- * you must use AES-256 *and* use sufficient entropy.
- * See ctr_drbg.h for more details.
- *
- * Module: library/ctr_drbg.c
- * Caller:
- *
- * Requires: MBEDTLS_AES_C or
- * (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and
- * MBEDTLS_PSA_CRYPTO_C)
- *
- * This module provides the CTR_DRBG AES random number generator.
- */
-#define MBEDTLS_CTR_DRBG_C
-
-/**
* \def MBEDTLS_DEBUG_C
*
* Enable the debug functions.
@@ -2392,129 +843,6 @@
#define MBEDTLS_DEBUG_C
/**
- * \def MBEDTLS_DES_C
- *
- * Enable the DES block cipher.
- *
- * Module: library/des.c
- * Caller: library/pem.c
- * library/cipher.c
- *
- * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-#define MBEDTLS_DES_C
-
-/**
- * \def MBEDTLS_DHM_C
- *
- * Enable the Diffie-Hellman-Merkle module.
- *
- * Module: library/dhm.c
- * Caller: library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- *
- * This module is used by the following key exchanges:
- * DHE-RSA, DHE-PSK
- *
- * \warning Using DHE constitutes a security risk as it
- * is not possible to validate custom DH parameters.
- * If possible, it is recommended users should consider
- * preferring other methods of key exchange.
- * See dhm.h for more details.
- *
- */
-#define MBEDTLS_DHM_C
-
-/**
- * \def MBEDTLS_ECDH_C
- *
- * Enable the elliptic curve Diffie-Hellman library.
- *
- * Module: library/ecdh.c
- * Caller: library/psa_crypto.c
- * library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- *
- * This module is used by the following key exchanges:
- * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
- *
- * Requires: MBEDTLS_ECP_C
- */
-#define MBEDTLS_ECDH_C
-
-/**
- * \def MBEDTLS_ECDSA_C
- *
- * Enable the elliptic curve DSA library.
- *
- * Module: library/ecdsa.c
- * Caller:
- *
- * This module is used by the following key exchanges:
- * ECDHE-ECDSA
- *
- * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C,
- * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a
- * short Weierstrass curve.
- */
-#define MBEDTLS_ECDSA_C
-
-/**
- * \def MBEDTLS_ECJPAKE_C
- *
- * Enable the elliptic curve J-PAKE library.
- *
- * \note EC J-PAKE support is based on the Thread v1.0.0 specification.
- * It has not been reviewed for compliance with newer standards such as
- * Thread v1.1 or RFC 8236.
- *
- * Module: library/ecjpake.c
- * Caller:
- *
- * This module is used by the following key exchanges:
- * ECJPAKE
- *
- * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
- *
- * \warning If using a hash that is only provided by PSA drivers, you must
- * call psa_crypto_init() before doing any EC J-PAKE operations.
- */
-#define MBEDTLS_ECJPAKE_C
-
-/**
- * \def MBEDTLS_ECP_C
- *
- * Enable the elliptic curve over GF(p) library.
- *
- * Module: library/ecp.c
- * Caller: library/ecdh.c
- * library/ecdsa.c
- * library/ecjpake.c
- *
- * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
- */
-#define MBEDTLS_ECP_C
-
-/**
- * \def MBEDTLS_ENTROPY_C
- *
- * Enable the platform-specific entropy code.
- *
- * Module: library/entropy.c
- * Caller:
- *
- * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
- *
- * This module provides a generic entropy pool
- */
-#define MBEDTLS_ENTROPY_C
-
-/**
* \def MBEDTLS_ERROR_C
*
* Enable error code to error string conversion.
@@ -2527,175 +855,6 @@
#define MBEDTLS_ERROR_C
/**
- * \def MBEDTLS_GCM_C
- *
- * Enable the Galois/Counter Mode (GCM).
- *
- * Module: library/gcm.c
- *
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
- * MBEDTLS_ARIA_C
- *
- * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
- * requisites are enabled as well.
- */
-#define MBEDTLS_GCM_C
-
-/**
- * \def MBEDTLS_GCM_LARGE_TABLE
- *
- * Enable large pre-computed tables for Galois/Counter Mode (GCM).
- * Can significantly increase throughput on systems without GCM hardware
- * acceleration (e.g., AESNI, AESCE).
- *
- * The mbedtls_gcm_context size will increase by 3840 bytes.
- * The code size will increase by roughly 344 bytes.
- *
- * Module: library/gcm.c
- *
- * Requires: MBEDTLS_GCM_C
- */
-//#define MBEDTLS_GCM_LARGE_TABLE
-
-/**
- * \def MBEDTLS_HKDF_C
- *
- * Enable the HKDF algorithm (RFC 5869).
- *
- * Module: library/hkdf.c
- * Caller:
- *
- * Requires: MBEDTLS_MD_C
- *
- * This module adds support for the Hashed Message Authentication Code
- * (HMAC)-based key derivation function (HKDF).
- */
-#define MBEDTLS_HKDF_C
-
-/**
- * \def MBEDTLS_HMAC_DRBG_C
- *
- * Enable the HMAC_DRBG random generator.
- *
- * Module: library/hmac_drbg.c
- * Caller:
- *
- * Requires: MBEDTLS_MD_C
- *
- * Uncomment to enable the HMAC_DRBG random number generator.
- */
-#define MBEDTLS_HMAC_DRBG_C
-
-/**
- * \def MBEDTLS_LMS_C
- *
- * Enable the LMS stateful-hash asymmetric signature algorithm.
- *
- * Module: library/lms.c
- * Caller:
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- * Uncomment to enable the LMS verification algorithm and public key operations.
- */
-#define MBEDTLS_LMS_C
-
-/**
- * \def MBEDTLS_LMS_PRIVATE
- *
- * Enable LMS private-key operations and signing code. Functions enabled by this
- * option are experimental, and should not be used in production.
- *
- * Requires: MBEDTLS_LMS_C
- *
- * Uncomment to enable the LMS signature algorithm and private key operations.
- */
-//#define MBEDTLS_LMS_PRIVATE
-
-/**
- * \def MBEDTLS_NIST_KW_C
- *
- * Enable the Key Wrapping mode for 128-bit block ciphers,
- * as defined in NIST SP 800-38F. Only KW and KWP modes
- * are supported. At the moment, only AES is approved by NIST.
- *
- * Module: library/nist_kw.c
- *
- * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
- */
-#define MBEDTLS_NIST_KW_C
-
-/**
- * \def MBEDTLS_MD_C
- *
- * Enable the generic layer for message digest (hashing) and HMAC.
- *
- * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
- * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
- * MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least
- * one hash.
- * Module: library/md.c
- * Caller: library/constant_time.c
- * library/ecdsa.c
- * library/ecjpake.c
- * library/hkdf.c
- * library/hmac_drbg.c
- * library/pk.c
- * library/pkcs5.c
- * library/pkcs12.c
- * library/psa_crypto_ecp.c
- * library/psa_crypto_rsa.c
- * library/rsa.c
- * library/ssl_cookie.c
- * library/ssl_msg.c
- * library/ssl_tls.c
- * library/x509.c
- * library/x509_crt.c
- * library/x509write_crt.c
- * library/x509write_csr.c
- *
- * Uncomment to enable generic message digest wrappers.
- */
-#define MBEDTLS_MD_C
-
-/**
- * \def MBEDTLS_MD5_C
- *
- * Enable the MD5 hash algorithm.
- *
- * Module: library/md5.c
- * Caller: library/md.c
- * library/pem.c
- * library/ssl_tls.c
- *
- * This module is required for TLS 1.2 depending on the handshake parameters.
- * Further, it is used for checking MD5-signed certificates, and for PBKDF1
- * when decrypting PEM-encoded encrypted keys.
- *
- * \warning MD5 is considered a weak message digest and its use constitutes a
- * security risk. If possible, we recommend avoiding dependencies on
- * it, and considering stronger message digests instead.
- *
- */
-#define MBEDTLS_MD5_C
-
-/**
- * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
- *
- * Enable the buffer allocator implementation that makes use of a (stack)
- * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
- * calls)
- *
- * Module: library/memory_buffer_alloc.c
- *
- * Requires: MBEDTLS_PLATFORM_C
- * MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS)
- *
- * Enable this module to enable the buffer memory allocator.
- */
-//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
-
-/**
* \def MBEDTLS_NET_C
*
* Enable the TCP and UDP over IPv6/IPv4 networking routines.
@@ -2715,130 +874,6 @@
#define MBEDTLS_NET_C
/**
- * \def MBEDTLS_OID_C
- *
- * Enable the OID database.
- *
- * Module: library/oid.c
- * Caller: library/asn1write.c
- * library/pkcs5.c
- * library/pkparse.c
- * library/pkwrite.c
- * library/rsa.c
- * library/x509.c
- * library/x509_create.c
- * library/x509_crl.c
- * library/x509_crt.c
- * library/x509_csr.c
- * library/x509write_crt.c
- * library/x509write_csr.c
- *
- * This modules translates between OIDs and internal values.
- */
-#define MBEDTLS_OID_C
-
-/**
- * \def MBEDTLS_PEM_PARSE_C
- *
- * Enable PEM decoding / parsing.
- *
- * Module: library/pem.c
- * Caller: library/dhm.c
- * library/pkparse.c
- * library/x509_crl.c
- * library/x509_crt.c
- * library/x509_csr.c
- *
- * Requires: MBEDTLS_BASE64_C
- * optionally MBEDTLS_MD5_C, or PSA Crypto with MD5 (see below)
- *
- * \warning When parsing password-protected files, if MD5 is provided only by
- * a PSA driver, you must call psa_crypto_init() before the first file.
- *
- * This modules adds support for decoding / parsing PEM files.
- */
-#define MBEDTLS_PEM_PARSE_C
-
-/**
- * \def MBEDTLS_PEM_WRITE_C
- *
- * Enable PEM encoding / writing.
- *
- * Module: library/pem.c
- * Caller: library/pkwrite.c
- * library/x509write_crt.c
- * library/x509write_csr.c
- *
- * Requires: MBEDTLS_BASE64_C
- *
- * This modules adds support for encoding / writing PEM files.
- */
-#define MBEDTLS_PEM_WRITE_C
-
-/**
- * \def MBEDTLS_PK_C
- *
- * Enable the generic public (asymmetric) key layer.
- *
- * Module: library/pk.c
- * Caller: library/psa_crypto_rsa.c
- * library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- * library/x509.c
- *
- * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
- *
- * Uncomment to enable generic public key wrappers.
- */
-#define MBEDTLS_PK_C
-
-/**
- * \def MBEDTLS_PK_PARSE_C
- *
- * Enable the generic public (asymmetric) key parser.
- *
- * Module: library/pkparse.c
- * Caller: library/x509_crt.c
- * library/x509_csr.c
- *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
- *
- * Uncomment to enable generic public key parse functions.
- */
-#define MBEDTLS_PK_PARSE_C
-
-/**
- * \def MBEDTLS_PK_WRITE_C
- *
- * Enable the generic public (asymmetric) key writer.
- *
- * Module: library/pkwrite.c
- * Caller: library/x509write.c
- *
- * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
- *
- * Uncomment to enable generic public key write functions.
- */
-#define MBEDTLS_PK_WRITE_C
-
-/**
- * \def MBEDTLS_PKCS5_C
- *
- * Enable PKCS#5 functions.
- *
- * Module: library/pkcs5.c
- *
- * Auto-enables: MBEDTLS_MD_C
- *
- * \warning If using a hash that is only provided by PSA drivers, you must
- * call psa_crypto_init() before doing any PKCS5 operations.
- *
- * This module adds support for the PKCS#5 functions.
- */
-#define MBEDTLS_PKCS5_C
-
-/**
* \def MBEDTLS_PKCS7_C
*
* Enable PKCS #7 core for using PKCS #7-formatted signatures.
@@ -2855,395 +890,6 @@
#define MBEDTLS_PKCS7_C
/**
- * \def MBEDTLS_PKCS12_C
- *
- * Enable PKCS#12 PBE functions.
- * Adds algorithms for parsing PKCS#8 encrypted private keys
- *
- * Module: library/pkcs12.c
- * Caller: library/pkparse.c
- *
- * Requires: MBEDTLS_ASN1_PARSE_C and either MBEDTLS_MD_C or
- * MBEDTLS_PSA_CRYPTO_C.
- *
- * \warning If using a hash that is only provided by PSA drivers, you must
- * call psa_crypto_init() before doing any PKCS12 operations.
- *
- * This module enables PKCS#12 functions.
- */
-#define MBEDTLS_PKCS12_C
-
-/**
- * \def MBEDTLS_PLATFORM_C
- *
- * Enable the platform abstraction layer that allows you to re-assign
- * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
- *
- * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
- * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
- * above to be specified at runtime or compile time respectively.
- *
- * \note This abstraction layer must be enabled on Windows (including MSYS2)
- * as other modules rely on it for a fixed snprintf implementation.
- *
- * Module: library/platform.c
- * Caller: Most other .c files
- *
- * This module enables abstraction of common (libc) functions.
- */
-#define MBEDTLS_PLATFORM_C
-
-/**
- * \def MBEDTLS_POLY1305_C
- *
- * Enable the Poly1305 MAC algorithm.
- *
- * Module: library/poly1305.c
- * Caller: library/chachapoly.c
- */
-#define MBEDTLS_POLY1305_C
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_C
- *
- * Enable the Platform Security Architecture cryptography API.
- *
- * Module: library/psa_crypto.c
- *
- * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
- * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
- * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
- * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher
- * is enabled in PSA (unless it's fully accelerated, see
- * docs/driver-only-builds.md about that).
- */
-#define MBEDTLS_PSA_CRYPTO_C
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_SE_C
- *
- * Enable dynamic secure element support in the Platform Security Architecture
- * cryptography API.
- *
- * \deprecated This feature is deprecated. Please switch to the PSA driver
- * interface.
- *
- * \warning This feature is not thread-safe, and should not be used in a
- * multi-threaded environment.
- *
- * Module: library/psa_crypto_se.c
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_C
- *
- */
-//#define MBEDTLS_PSA_CRYPTO_SE_C
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
- *
- * Enable the Platform Security Architecture persistent key storage.
- *
- * Module: library/psa_crypto_storage.c
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C,
- * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
- * the PSA ITS interface
- */
-#define MBEDTLS_PSA_CRYPTO_STORAGE_C
-
-/**
- * \def MBEDTLS_PSA_ITS_FILE_C
- *
- * Enable the emulation of the Platform Security Architecture
- * Internal Trusted Storage (PSA ITS) over files.
- *
- * Module: library/psa_its_file.c
- *
- * Requires: MBEDTLS_FS_IO
- */
-#define MBEDTLS_PSA_ITS_FILE_C
-
-/**
- * \def MBEDTLS_PSA_STATIC_KEY_SLOTS
- *
- * Statically preallocate memory to store keys' material in PSA instead
- * of allocating it dynamically when required. This allows builds without a
- * heap, if none of the enabled cryptographic implementations or other features
- * require it.
- * This feature affects both volatile and persistent keys which means that
- * it's not possible to persistently store a key which is larger than
- * #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE.
- *
- * \note This feature comes with a (potentially) higher RAM usage since:
- * - All the key slots are allocated no matter if they are used or not.
- * - Each key buffer's length is #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE bytes.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-//#define MBEDTLS_PSA_STATIC_KEY_SLOTS
-
-/**
- * \def MBEDTLS_RIPEMD160_C
- *
- * Enable the RIPEMD-160 hash algorithm.
- *
- * Module: library/ripemd160.c
- * Caller: library/md.c
- *
- */
-#define MBEDTLS_RIPEMD160_C
-
-/**
- * \def MBEDTLS_RSA_C
- *
- * Enable the RSA public-key cryptosystem.
- *
- * Module: library/rsa.c
- * library/rsa_alt_helpers.c
- * Caller: library/pk.c
- * library/psa_crypto.c
- * library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- *
- * This module is used by the following key exchanges:
- * RSA, DHE-RSA, ECDHE-RSA
- *
- * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
- */
-#define MBEDTLS_RSA_C
-
-/**
- * \def MBEDTLS_SHA1_C
- *
- * Enable the SHA1 cryptographic hash algorithm.
- *
- * Module: library/sha1.c
- * Caller: library/md.c
- * library/psa_crypto_hash.c
- *
- * This module is required for TLS 1.2 depending on the handshake parameters,
- * and for SHA1-signed certificates.
- *
- * \warning SHA-1 is considered a weak message digest and its use constitutes
- * a security risk. If possible, we recommend avoiding dependencies
- * on it, and considering stronger message digests instead.
- *
- */
-#define MBEDTLS_SHA1_C
-
-/**
- * \def MBEDTLS_SHA224_C
- *
- * Enable the SHA-224 cryptographic hash algorithm.
- *
- * Module: library/sha256.c
- * Caller: library/md.c
- * library/ssl_cookie.c
- *
- * This module adds support for SHA-224.
- */
-#define MBEDTLS_SHA224_C
-
-/**
- * \def MBEDTLS_SHA256_C
- *
- * Enable the SHA-256 cryptographic hash algorithm.
- *
- * Module: library/sha256.c
- * Caller: library/entropy.c
- * library/md.c
- * library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- *
- * This module adds support for SHA-256.
- * This module is required for the SSL/TLS 1.2 PRF function.
- */
-#define MBEDTLS_SHA256_C
-
-/**
- * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
- *
- * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
- * with the ARMv8 cryptographic extensions if they are available at runtime.
- * If not, the library will fall back to the C implementation.
- *
- * \note If MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building
- * for a non-Armv8-A build it will be silently ignored.
- *
- * \note Minimum compiler versions for this feature are Clang 4.0,
- * armclang 6.6 or GCC 6.0.
- *
- * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
- * armclang <= 6.9
- *
- * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT.
- * That name is deprecated, but may still be used as an alternative form for this
- * option.
- *
- * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the
- * same time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY.
- *
- * Requires: MBEDTLS_SHA256_C.
- *
- * Module: library/sha256.c
- *
- * Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions
- * and use them if available.
- */
-//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
-
-/**
- * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
- *
- * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT.
- * This name is now deprecated, but may still be used as an alternative form for
- * this option.
- */
-//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
-
-/**
- * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
- *
- * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
- * with the ARMv8 cryptographic extensions, which must be available at runtime
- * or else an illegal instruction fault will occur.
- *
- * \note This allows builds with a smaller code size than with
- * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
- *
- * \note Minimum compiler versions for this feature are Clang 4.0,
- * armclang 6.6 or GCC 6.0.
- *
- * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
- * armclang <= 6.9
- *
- * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY.
- * That name is deprecated, but may still be used as an alternative form for this
- * option.
- *
- * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same
- * time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT.
- *
- * Requires: MBEDTLS_SHA256_C.
- *
- * Module: library/sha256.c
- *
- * Uncomment to have the library use the Armv8-A SHA-256 crypto extensions
- * unconditionally.
- */
-//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
-
-/**
- * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
- *
- * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY.
- * This name is now deprecated, but may still be used as an alternative form for
- * this option.
- */
-//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
-
-/**
- * \def MBEDTLS_SHA384_C
- *
- * Enable the SHA-384 cryptographic hash algorithm.
- *
- * Module: library/sha512.c
- * Caller: library/md.c
- * library/psa_crypto_hash.c
- * library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- *
- * Comment to disable SHA-384
- */
-#define MBEDTLS_SHA384_C
-
-/**
- * \def MBEDTLS_SHA512_C
- *
- * Enable SHA-512 cryptographic hash algorithms.
- *
- * Module: library/sha512.c
- * Caller: library/entropy.c
- * library/md.c
- * library/ssl_tls.c
- * library/ssl_cookie.c
- *
- * This module adds support for SHA-512.
- */
-#define MBEDTLS_SHA512_C
-
-/**
- * \def MBEDTLS_SHA3_C
- *
- * Enable the SHA3 cryptographic hash algorithm.
- *
- * Module: library/sha3.c
- *
- * This module adds support for SHA3.
- */
-#define MBEDTLS_SHA3_C
-
-/**
- * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
- *
- * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms
- * with the ARMv8 cryptographic extensions if they are available at runtime.
- * If not, the library will fall back to the C implementation.
- *
- * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building
- * for a non-Aarch64 build it will be silently ignored.
- *
- * \note Minimum compiler versions for this feature are Clang 7.0,
- * armclang 6.9 or GCC 8.0.
- *
- * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for
- * armclang 6.9
- *
- * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the
- * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY.
- *
- * Requires: MBEDTLS_SHA512_C.
- *
- * Module: library/sha512.c
- *
- * Uncomment to have the library check for the A64 SHA-512 crypto extensions
- * and use them if available.
- */
-//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
-
-/**
- * \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
- *
- * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms
- * with the ARMv8 cryptographic extensions, which must be available at runtime
- * or else an illegal instruction fault will occur.
- *
- * \note This allows builds with a smaller code size than with
- * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
- *
- * \note Minimum compiler versions for this feature are Clang 7.0,
- * armclang 6.9 or GCC 8.0.
- *
- * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for
- * armclang 6.9
- *
- * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same
- * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT.
- *
- * Requires: MBEDTLS_SHA512_C.
- *
- * Module: library/sha512.c
- *
- * Uncomment to have the library use the A64 SHA-512 crypto extensions
- * unconditionally.
- */
-//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
-
-/**
* \def MBEDTLS_SSL_CACHE_C
*
* Enable simple SSL cache implementation.
@@ -3288,6 +934,8 @@
*
* Requires: MBEDTLS_SSL_TLS_C
*
+ * \warning You must call psa_crypto_init() before doing any TLS operations.
+ *
* This module is required for SSL/TLS client support.
*/
#define MBEDTLS_SSL_CLI_C
@@ -3302,6 +950,8 @@
*
* Requires: MBEDTLS_SSL_TLS_C
*
+ * \warning You must call psa_crypto_init() before doing any TLS operations.
+ *
* This module is required for SSL/TLS server support.
*/
#define MBEDTLS_SSL_SRV_C
@@ -3323,28 +973,6 @@
#define MBEDTLS_SSL_TLS_C
/**
- * \def MBEDTLS_THREADING_C
- *
- * Enable the threading abstraction layer.
- * By default Mbed TLS assumes it is used in a non-threaded environment or that
- * contexts are not shared between threads. If you do intend to use contexts
- * between threads, you will need to enable this layer to prevent race
- * conditions. See also our Knowledge Base article about threading:
- * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
- *
- * Module: library/threading.c
- *
- * This allows different threading implementations (self-implemented or
- * provided).
- *
- * You will have to enable either MBEDTLS_THREADING_ALT or
- * MBEDTLS_THREADING_PTHREAD.
- *
- * Enable this layer to allow use of mutexes within Mbed TLS
- */
-//#define MBEDTLS_THREADING_C
-
-/**
* \def MBEDTLS_TIMING_C
*
* Enable the semi-portable timing interface.
@@ -3389,11 +1017,9 @@
* library/x509_crt.c
* library/x509_csr.c
*
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
- * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C
*
- * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
- * psa_crypto_init() before doing any X.509 operation.
+ * \warning You must call psa_crypto_init() before doing any X.509 operation.
*
* This module is required for the X.509 parsing modules.
*/
@@ -3451,10 +1077,8 @@
* Module: library/x509_create.c
*
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
- * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
*
- * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
- * psa_crypto_init() before doing any X.509 create operation.
+ * \warning You must call psa_crypto_init() before doing any X.509 operation.
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
@@ -3533,87 +1157,6 @@
*/
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
-/**
- * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
- *
- * If defined, this is a header which will be included instead of
- * `"psa/crypto_config.h"`.
- * This header file specifies which cryptographic mechanisms are available
- * through the PSA API.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
- *
- * If defined, this is a header which will be included after
- * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
- * This allows you to modify the default configuration, including the ability
- * to undefine options that are enabled by default.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
- *
- * If defined, this is a header which will be included instead of
- * `"psa/crypto_platform.h"`. This file should declare the same identifiers
- * as the one in Mbed TLS, but with definitions adapted to the platform on
- * which the library code will run.
- *
- * \note The required content of this header can vary from one version of
- * Mbed TLS to the next. Integrators who provide an alternative file
- * should review the changes in the original file whenever they
- * upgrade Mbed TLS.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_STRUCT_FILE
- *
- * If defined, this is a header which will be included instead of
- * `"psa/crypto_struct.h"`. This file should declare the same identifiers
- * as the one in Mbed TLS, but with definitions adapted to the environment
- * in which the library code will run. The typical use for this feature
- * is to provide alternative type definitions on the client side in
- * client-server integrations of PSA crypto, where operation structures
- * contain handles instead of cryptographic data.
- *
- * \note The required content of this header can vary from one version of
- * Mbed TLS to the next. Integrators who provide an alternative file
- * should review the changes in the original file whenever they
- * upgrade Mbed TLS.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
-
/** \} name SECTION: General configuration options */
/**
@@ -3635,170 +1178,6 @@
* plus optionally a same-line Doxygen comment here if there is a Doxygen
* comment in the specific module. */
-/* MPI / BIGNUM options */
-//#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */
-//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
-
-/* CTR_DRBG options */
-//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
-//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
-//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
-//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
-//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
-
-/* HMAC_DRBG options */
-//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
-//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
-//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
-//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
-
-/* ECP options */
-//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */
-//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
-
-/* Entropy options */
-//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
-//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
-//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
-
-/* Memory buffer allocator options */
-//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
-
-/* Platform options */
-//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
-
-/** \def MBEDTLS_PLATFORM_STD_CALLOC
- *
- * Default allocator to use, can be undefined.
- * It must initialize the allocated buffer memory to zeroes.
- * The size of the buffer is the product of the two parameters.
- * The calloc function returns either a null pointer or a pointer to the allocated space.
- * If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function.
- * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer.
- * See the description of #MBEDTLS_PLATFORM_MEMORY for more details.
- * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE.
- */
-//#define MBEDTLS_PLATFORM_STD_CALLOC calloc
-
-/** \def MBEDTLS_PLATFORM_STD_FREE
- *
- * Default free to use, can be undefined.
- * NULL is a valid parameter, and the function must do nothing.
- * A non-null parameter will always be a pointer previously returned by #MBEDTLS_PLATFORM_STD_CALLOC and not yet freed.
- * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything.
- * See the description of #MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply).
- */
-//#define MBEDTLS_PLATFORM_STD_FREE free
-//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
-//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
-/* Note: your snprintf must correctly zero-terminate the buffer! */
-//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
-
-/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */
-/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
-//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_CALLOC for requirements. */
-//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_FREE for requirements. */
-//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
-//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf macro to use, can be undefined */
-//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
-//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
-//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
-//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
-/* Note: your snprintf must correctly zero-terminate the buffer! */
-//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
-//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf /**< Default vsnprintf macro to use, can be undefined */
-//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
-//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
-//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t //#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t /**< Default milliseconds time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled. It must be signed, and at least 64 bits. If it is changed from the default, MBEDTLS_PRINTF_MS_TIME must be updated to match.*/
-//#define MBEDTLS_PRINTF_MS_TIME PRId64 /**< Default fmt for printf. That's avoid compiler warning if mbedtls_ms_time_t is redefined */
-
-/** \def MBEDTLS_CHECK_RETURN
- *
- * This macro is used at the beginning of the declaration of a function
- * to indicate that its return value should be checked. It should
- * instruct the compiler to emit a warning or an error if the function
- * is called without checking its return value.
- *
- * There is a default implementation for popular compilers in platform_util.h.
- * You can override the default implementation by defining your own here.
- *
- * If the implementation here is empty, this will effectively disable the
- * checking of functions' return values.
- */
-//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
-
-/** \def MBEDTLS_IGNORE_RETURN
- *
- * This macro requires one argument, which should be a C function call.
- * If that function call would cause a #MBEDTLS_CHECK_RETURN warning, this
- * warning is suppressed.
- */
-//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))
-
-/* PSA options */
-/**
- * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
- * PSA crypto subsystem.
- *
- * If this option is unset, the library chooses a hash (currently between
- * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
- * unspecified heuristics.
- *
- * \note The PSA crypto subsystem uses the first available mechanism amongst
- * the following:
- * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
- * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
- * if #MBEDTLS_CTR_DRBG_C is enabled;
- * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
- *
- * A future version may reevaluate the prioritization of DRBG mechanisms.
- */
-//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
-
-/** \def MBEDTLS_PSA_KEY_SLOT_COUNT
- *
- * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled,
- * the maximum amount of PSA keys simultaneously in memory. This counts all
- * volatile keys, plus loaded persistent keys.
- *
- * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
- * the maximum number of loaded persistent keys.
- *
- * Currently, persistent keys do not need to be loaded all the time while
- * a multipart operation is in progress, only while the operation is being
- * set up. This may change in future versions of the library.
- *
- * Currently, the library traverses of the whole table on each access to a
- * persistent key. Therefore large values may cause poor performance.
- *
- * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
- */
-//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
-
-/**
- * \def MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
- *
- * Define the size (in bytes) of each static key buffer when
- * #MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not
- * explicitly defined then it's automatically guessed from available PSA keys
- * enabled in the build through PSA_WANT_xxx symbols.
- * If required by the application this parameter can be set to higher values
- * in order to store larger objects (ex: raw keys), but please note that this
- * will increase RAM usage.
- */
-//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256
-
-/* RSA OPTIONS */
-//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 /**< Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits) */
-
/* SSL Cache options */
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 9353eb4..fff5339 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1984,9 +1984,8 @@
* Calling mbedtls_ssl_setup again is not supported, even
* if no session is active.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param ssl SSL context
* \param conf SSL configuration to use
@@ -4920,10 +4919,8 @@
* currently being processed might or might not contain further
* DTLS records.
*
- * \note If the context is configured to allow TLS 1.3, or if
- * #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*/
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 3e235f3..18e3c4a 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -389,7 +389,7 @@
#endif
/* The handshake params structure has a set of fields called xxdh_psa which are used:
- * - by TLS 1.2 with `USE_PSA` to do ECDH or ECDHE;
+ * - by TLS 1.2 to do ECDH or ECDHE;
* - by TLS 1.3 to do ECDHE or FFDHE.
* The following macros can be used to guard their declaration and use.
*/
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/timing.h b/include/mbedtls/timing.h
similarity index 100%
rename from tf-psa-crypto/drivers/builtin/include/mbedtls/timing.h
rename to include/mbedtls/timing.h
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index 6625a44..e08767e 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -95,9 +95,8 @@
/**
* \brief Parse a DER-encoded CRL and append it to the chained list
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain points to the start of the chain
* \param buf buffer holding the CRL data in DER format
@@ -113,9 +112,8 @@
*
* \note Multiple CRLs are accepted only if using PEM format
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain points to the start of the chain
* \param buf buffer holding the CRL data in PEM or DER format
@@ -132,9 +130,8 @@
*
* \note Multiple CRLs are accepted only if using PEM format
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain points to the start of the chain
* \param path filename to read the CRLs from (in PEM or DER encoding)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index e57a5df..491343f 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -345,9 +345,8 @@
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain The pointer to the start of the CRT chain to attach to.
* When parsing the first CRT in a chain, this should point
@@ -410,9 +409,8 @@
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain The pointer to the start of the CRT chain to attach to.
* When parsing the first CRT in a chain, this should point
@@ -464,9 +462,8 @@
* temporary ownership of the CRT buffer until the CRT
* is destroyed.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain The pointer to the start of the CRT chain to attach to.
* When parsing the first CRT in a chain, this should point
@@ -508,9 +505,8 @@
* long as the certificates are enclosed in the PEM specific
* '-----{BEGIN/END} CERTIFICATE-----' delimiters.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain The chain to which to add the parsed certificates.
* \param buf The buffer holding the certificate data in PEM or DER format.
@@ -536,9 +532,8 @@
* of failed certificates it encountered. If none complete
* correctly, the first error is returned.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param chain points to the start of the chain
* \param path filename to read the certificates from
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index 8c31c09..08e585f 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -79,9 +79,8 @@
* ignored, unless the critical flag is set, in which case
* the CSR is rejected.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
@@ -135,9 +134,8 @@
* the result of the callback function decides whether
* CSR is rejected.
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
@@ -158,9 +156,8 @@
*
* \note See notes for \c mbedtls_x509_csr_parse_der()
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index c6ee8eb..a32b4bc 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -30,6 +30,7 @@
ssl_tls13_server.c
ssl_tls13_client.c
ssl_tls13_generic.c
+ timing.c
version.c
version_features.c
)
diff --git a/library/Makefile b/library/Makefile
index 29fd376..b874acf 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -186,7 +186,6 @@
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha512.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha3.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/threading.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/timing.o \
# This line is intentionally left blank
THIRDPARTY_DIR := $(MBEDTLS_PATH)/tf-psa-crypto/drivers
@@ -227,6 +226,7 @@
ssl_tls13_client.o \
ssl_tls13_server.o \
ssl_tls13_generic.o \
+ timing.o \
version.o \
version_features.o \
# This line is intentionally left blank
@@ -389,12 +389,12 @@
GENERATED_WRAPPER_FILES = \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
-$(GENERATED_WRAPPER_FILES): ../scripts/generate_driver_wrappers.py
-$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
-$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
+$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/generate_driver_wrappers.py
+$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
$(GENERATED_WRAPPER_FILES):
echo " Gen $(GENERATED_WRAPPER_FILES)"
- $(PYTHON) ../scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH)
+ $(PYTHON) ../tf-psa-crypto/scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH)
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h
diff --git a/library/net_sockets.c b/library/net_sockets.c
index f752d13..ca70f37 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -524,8 +524,8 @@
#else
struct timeval tv;
tv.tv_sec = usec / 1000000;
-#if defined(__unix__) || defined(__unix) || \
- (defined(__APPLE__) && defined(__MACH__))
+#if (defined(__unix__) || defined(__unix) || \
+ (defined(__APPLE__) && defined(__MACH__))) && !defined(__DJGPP__)
tv.tv_usec = (suseconds_t) usec % 1000000;
#else
tv.tv_usec = usec % 1000000;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8b8f519..ae4fd89 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2452,6 +2452,17 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+const mbedtls_error_pair_t psa_to_ssl_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
+ { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
+};
+
psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
size_t taglen,
psa_algorithm_t *alg,
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 96aad1c..5128a41 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -12,7 +12,6 @@
#include <stdint.h>
#include <string.h>
-#include "mbedtls/hkdf.h"
#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/timing.c b/library/timing.c
similarity index 98%
rename from tf-psa-crypto/drivers/builtin/src/timing.c
rename to library/timing.c
index 58f1c1e..1ed8863 100644
--- a/tf-psa-crypto/drivers/builtin/src/timing.c
+++ b/library/timing.c
@@ -5,7 +5,7 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#include "common.h"
+#include "ssl_misc.h"
#if defined(MBEDTLS_TIMING_C)
diff --git a/programs/.gitignore b/programs/.gitignore
index e0c4987..c3e61c1 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -33,12 +33,6 @@
pkey/rsa_sign_pss
pkey/rsa_verify
pkey/rsa_verify_pss
-psa/aead_demo
-psa/crypto_examples
-psa/hmac_demo
-psa/key_ladder_demo
-psa/psa_constant_names
-psa/psa_hash
random/gen_entropy
random/gen_random_ctr_drbg
ssl/dtls_client
@@ -75,7 +69,6 @@
###START_GENERATED_FILES###
# Generated source files
-/psa/psa_constant_names_generated.c
/test/query_config.c
# Generated data files
diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt
index aaf93ba..87b9a1b 100644
--- a/programs/CMakeLists.txt
+++ b/programs/CMakeLists.txt
@@ -8,7 +8,7 @@
endif()
add_subdirectory(hash)
add_subdirectory(pkey)
-add_subdirectory(psa)
+add_subdirectory(../tf-psa-crypto/programs/psa ../tf-psa-crypto/programs/psa)
add_subdirectory(random)
add_subdirectory(ssl)
add_subdirectory(test)
diff --git a/programs/Makefile b/programs/Makefile
index 13fb793..0b3025d 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -29,6 +29,9 @@
## be declared by appending with `APPS += ...` afterwards.
## See the get_app_list function in scripts/generate_visualc_files.pl and
## make sure to check that it still works if you tweak the format here.
+##
+## Note: Variables cannot be used to define an apps path. This cannot be
+## substituted by the script generate_visualc_files.pl.
APPS = \
aes/crypt_and_hash \
cipher/cipher_aead_demo \
@@ -55,12 +58,12 @@
pkey/rsa_sign_pss \
pkey/rsa_verify \
pkey/rsa_verify_pss \
- psa/aead_demo \
- psa/crypto_examples \
- psa/hmac_demo \
- psa/key_ladder_demo \
- psa/psa_constant_names \
- psa/psa_hash \
+ ../tf-psa-crypto/programs/psa/aead_demo \
+ ../tf-psa-crypto/programs/psa/crypto_examples \
+ ../tf-psa-crypto/programs/psa/hmac_demo \
+ ../tf-psa-crypto/programs/psa/key_ladder_demo \
+ ../tf-psa-crypto/programs/psa/psa_constant_names \
+ ../tf-psa-crypto/programs/psa/psa_hash \
random/gen_entropy \
random/gen_random_ctr_drbg \
ssl/dtls_client \
@@ -132,13 +135,13 @@
GENERATED_FILES = psa/psa_constant_names_generated.c test/query_config.c
generated_files: $(GENERATED_FILES)
-psa/psa_constant_names_generated.c: $(gen_file_dep) ../scripts/generate_psa_constants.py
+../tf-psa-crypto/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/scripts/generate_psa_constants.py
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data
psa/psa_constant_names_generated.c:
echo " Gen $@"
- $(PYTHON) ../scripts/generate_psa_constants.py
+ cd ../tf-psa-crypto; $(PYTHON) ./scripts/generate_psa_constants.py
test/query_config.c: $(gen_file_dep) ../scripts/generate_query_config.pl
## The generated file only depends on the options that are present in mbedtls_config.h,
@@ -252,29 +255,29 @@
echo " CC pkey/rsa_encrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_encrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-psa/aead_demo$(EXEXT): psa/aead_demo.c $(DEP)
+../tf-psa-crypto/programs/psa/aead_demo$(EXEXT): ../tf-psa-crypto/programs/psa/aead_demo.c $(DEP)
echo " CC psa/aead_demo.c"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-psa/crypto_examples$(EXEXT): psa/crypto_examples.c $(DEP)
+../tf-psa-crypto/programs/psa/crypto_examples$(EXEXT): ../tf-psa-crypto/programs/psa/crypto_examples.c $(DEP)
echo " CC psa/crypto_examples.c"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/crypto_examples.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/crypto_examples.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-psa/hmac_demo$(EXEXT): psa/hmac_demo.c $(DEP)
+../tf-psa-crypto/programs/psa/hmac_demo$(EXEXT): ../tf-psa-crypto/programs/psa/hmac_demo.c $(DEP)
echo " CC psa/hmac_demo.c"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-psa/key_ladder_demo$(EXEXT): psa/key_ladder_demo.c $(DEP)
+../tf-psa-crypto/programs/psa/key_ladder_demo$(EXEXT): ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(DEP)
echo " CC psa/key_ladder_demo.c"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/key_ladder_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-psa/psa_constant_names$(EXEXT): psa/psa_constant_names.c psa/psa_constant_names_generated.c $(DEP)
+../tf-psa-crypto/programs/psa/psa_constant_names$(EXEXT): ../tf-psa-crypto/programs/psa/psa_constant_names.c psa/psa_constant_names_generated.c $(DEP)
echo " CC psa/psa_constant_names.c"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/psa_constant_names.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_constant_names.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-psa/psa_hash$(EXEXT): psa/psa_hash.c $(DEP)
+../tf-psa-crypto/programs/psa/psa_hash$(EXEXT): ../tf-psa-crypto/programs/psa/psa_hash.c $(DEP)
echo " CC psa/psa_hash.c"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/psa_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
random/gen_entropy$(EXEXT): random/gen_entropy.c $(DEP)
echo " CC random/gen_entropy.c"
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
index baa5ad9..57cfeee 100644
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@@ -28,7 +28,10 @@
foreach(exe IN LISTS executables_no_common_c executables_with_common_c)
- set(exe_sources ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
+ set(exe_sources
+ ${exe}.c
+ $<TARGET_OBJECTS:mbedtls_test_helpers>
+ $<TARGET_OBJECTS:tf_psa_crypto_test>)
if(NOT FUZZINGENGINE_LIB)
list(APPEND exe_sources onefile.c)
endif()
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index da7d262..99999c7 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -22,11 +22,9 @@
}
#else
-#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index 5ccb063..d01aa88 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -12,7 +12,6 @@
#if defined(MBEDTLS_BIGNUM_C) && \
defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/error.h"
#include "mbedtls/rsa.h"
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index a460b18..d34cbe1 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -24,9 +24,7 @@
}
#else
-#include "mbedtls/error.h"
#include "mbedtls/pk.h"
-#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index 025f69c..3dbfde0 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -12,7 +12,6 @@
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c
index 9ada67d..a3a7c1b 100644
--- a/programs/pkey/pk_encrypt.c
+++ b/programs/pkey/pk_encrypt.c
@@ -12,7 +12,6 @@
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index b8f06c4..c1640d6 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -25,7 +25,6 @@
}
#else
-#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/pk.h"
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index 063abd7..7b88cab 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -23,7 +23,6 @@
}
#else
-#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include <stdio.h>
diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt
index 23faf71..513c866 100644
--- a/programs/ssl/CMakeLists.txt
+++ b/programs/ssl/CMakeLists.txt
@@ -38,7 +38,10 @@
${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.h
${CMAKE_CURRENT_BINARY_DIR}/../test/query_config.c)
endif()
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>
+ add_executable(${exe}
+ ${exe}.c
+ $<TARGET_OBJECTS:mbedtls_test_helpers>
+ $<TARGET_OBJECTS:tf_psa_crypto_test>
${extra_sources})
set_base_compile_options(${exe})
target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
@@ -54,7 +57,10 @@
endforeach()
if(THREADS_FOUND)
- add_executable(ssl_pthread_server ssl_pthread_server.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
+ add_executable(ssl_pthread_server
+ ssl_pthread_server.c
+ $<TARGET_OBJECTS:mbedtls_test_helpers>
+ $<TARGET_OBJECTS:tf_psa_crypto_test>)
set_base_compile_options(ssl_pthread_server)
target_include_directories(ssl_pthread_server PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include
${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 99dcd4a..285da13 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -4,6 +4,7 @@
set(executables_libs
metatest
+ query_compile_time_config
query_included_headers
selftest
udp_proxy
@@ -13,7 +14,6 @@
set(executables_mbedcrypto
benchmark
- query_compile_time_config
zeroize
)
add_dependencies(${programs_target} ${executables_mbedcrypto})
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index 36ac022..c878e34 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -46,7 +46,7 @@
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecdh.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
/* *INDENT-OFF* */
#ifndef asm
diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt
index 1c91461..c3ee348 100644
--- a/programs/x509/CMakeLists.txt
+++ b/programs/x509/CMakeLists.txt
@@ -20,6 +20,8 @@
endforeach()
target_link_libraries(cert_app ${mbedtls_target})
+# For mbedtls_timing_get_timer()
+target_link_libraries(load_roots ${mbedtls_target})
install(TARGETS ${executables}
DESTINATION "bin"
diff --git a/scripts/config.py b/scripts/config.py
index 69ee3ef..cf0755b 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -220,6 +220,7 @@
'MBEDTLS_DEBUG_C', # part of libmbedtls
'MBEDTLS_NET_C', # part of libmbedtls
'MBEDTLS_PKCS7_C', # part of libmbedx509
+ 'MBEDTLS_TIMING_C', # part of libmbedtls
'MBEDTLS_ERROR_C', # part of libmbedx509
'MBEDTLS_ERROR_STRERROR_DUMMY', # part of libmbedx509
]:
@@ -420,7 +421,7 @@
raise ValueError(f'Feature is unstable: \'{name}\'')
# The default value in the crypto config is '1'
- if not value:
+ if not value and re.match(self._crypto_regexp, name):
value = '1'
if name not in self.settings:
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 76a6c32..d0fcb7d 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -21,7 +21,9 @@
my $vsx_sln_tpl_file = "scripts/data_files/vs2017-sln-template.sln";
my $vsx_sln_file = "$vsx_dir/mbedTLS.sln";
-my $programs_dir = 'programs';
+my $mbedtls_programs_dir = "programs";
+my $tfpsacrypto_programs_dir = "tf-psa-crypto/programs";
+
my $mbedtls_header_dir = 'include/mbedtls';
my $drivers_builtin_header_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
my $psa_header_dir = 'tf-psa-crypto/include/psa';
@@ -122,7 +124,8 @@
&& -d $test_header_dir
&& -d $tls_test_header_dir
&& -d $test_drivers_header_dir
- && -d $programs_dir;
+ && -d $mbedtls_programs_dir
+ && -d $tfpsacrypto_programs_dir;
}
sub slurp_file {
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index 4612cc2..fb4a225 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -9,7 +9,7 @@
@rem @@@@ library\** @@@@
@rem psa_crypto_driver_wrappers.h needs to be generated prior to
@rem generate_visualc_files.pl being invoked.
-python scripts\generate_driver_wrappers.py || exit /b 1
+python tf-psa-crypto\scripts\generate_driver_wrappers.py || exit /b 1
perl scripts\generate_errors.pl || exit /b 1
perl scripts\generate_query_config.pl || exit /b 1
perl scripts\generate_features.pl || exit /b 1
@@ -19,7 +19,9 @@
perl scripts\generate_visualc_files.pl || exit /b 1
@rem @@@@ programs\** @@@@
+cd tf-psa-crypto
python scripts\generate_psa_constants.py || exit /b 1
+cd ..
@rem @@@@ tests\** @@@@
python framework\scripts\generate_bignum_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
diff --git a/tests/Makefile b/tests/Makefile
index bde6c1b..69285b6 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -310,7 +310,6 @@
define libtestdriver1_rewrite :=
s!^(\s*#\s*include\s*[\"<])mbedtls/build_info.h!$${1}libtestdriver1/include/mbedtls/build_info.h!; \
s!^(\s*#\s*include\s*[\"<])mbedtls/mbedtls_config.h!$${1}libtestdriver1/include/mbedtls/mbedtls_config.h!; \
- s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_legacy_crypto.h!$${1}libtestdriver1/include/mbedtls/config_adjust_legacy_crypto.h!; \
s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_x509.h!$${1}libtestdriver1/include/mbedtls/config_adjust_x509.h!; \
s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_ssl.h!$${1}libtestdriver1/include/mbedtls/config_adjust_ssl.h!; \
s!^(\s*#\s*include\s*[\"<])mbedtls/check_config.h!$${1}libtestdriver1/include/mbedtls/check_config.h!; \
@@ -333,21 +332,28 @@
cp -Rf ../framework ./libtestdriver1
cp -Rf ../library ./libtestdriver1
cp -Rf ../include ./libtestdriver1
+ cp -Rf ../scripts ./libtestdriver1
cp -Rf ../tf-psa-crypto/core ./libtestdriver1/tf-psa-crypto
cp -Rf ../tf-psa-crypto/include ./libtestdriver1/tf-psa-crypto
cp -Rf ../tf-psa-crypto/drivers/builtin ./libtestdriver1/tf-psa-crypto/drivers
- cp -Rf ../scripts ./libtestdriver1
+ cp -Rf ../tf-psa-crypto/scripts ./libtestdriver1/tf-psa-crypto
# Set the test driver base (minimal) configuration.
cp ../tf-psa-crypto/tests/configs/config_test_driver.h ./libtestdriver1/include/mbedtls/mbedtls_config.h
+ cp ../tf-psa-crypto/tests/configs/crypto_config_test_driver.h ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
# Set the PSA cryptography configuration for the test library.
- # It is set from the copied include/psa/crypto_config.h of the Mbed TLS
- # library the test library is intended to be linked with extended by
- # ../tf-psa-crypto/tests/configs/crypto_config_test_driver_extension.h
- # to mirror the PSA_ACCEL_* macros.
+ # The configuration is created by joining the base
+ # ../tf-psa-crypto/tests/configs/crypto_config_test_driver.h,
+ # with the the library's PSA_WANT_* macros extracted from
+ # ./tf-psa-crypto/include/psa/crypto_config.h
+ # and then extended with entries of
+ # ../tf-psa-crypto/tests/configs/crypto_config_test_driver_extension.h
+ # to mirror the PSA_ACCEL_* macros.
+
mv ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h.bak
head -n -1 ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h.bak > ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
+ grep '^#define PSA_WANT_*' ../tf-psa-crypto/include/psa/crypto_config.h >> ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
cat ../tf-psa-crypto/tests/configs/crypto_config_test_driver_extension.h >> ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
echo "#endif /* PSA_CRYPTO_CONFIG_H */" >> ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h
index e543297..f230fd3 100644
--- a/tests/configs/user-config-for-test.h
+++ b/tests/configs/user-config-for-test.h
@@ -1,8 +1,8 @@
-/* MBEDTLS_USER_CONFIG_FILE for testing.
+/* TF_PSA_CRYPTO_USER_CONFIG_FILE for testing.
* Only used for a few test configurations.
*
* Typical usage (note multiple levels of quoting):
- * make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
+ * make CFLAGS="'-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
*/
/*
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index f6f7d87..3a31fdb 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -87,11 +87,6 @@
re.compile(r'EC restart:.*no USE_PSA.*'),
],
'test_suite_config.mbedtls_boolean': [
- # https://github.com/Mbed-TLS/mbedtls/issues/9583
- 'Config: !MBEDTLS_ECP_NIST_OPTIM',
- # We never test without the PSA client code. Should we?
- # https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/112
- 'Config: !MBEDTLS_PSA_CRYPTO_CLIENT',
# Missing coverage of test configurations.
# https://github.com/Mbed-TLS/mbedtls/issues/9585
'Config: !MBEDTLS_SSL_DTLS_ANTI_REPLAY',
@@ -101,34 +96,6 @@
# We don't run test_suite_config when we test this.
# https://github.com/Mbed-TLS/mbedtls/issues/9586
'Config: !MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED',
- # We only test multithreading with pthreads.
- # https://github.com/Mbed-TLS/mbedtls/issues/9584
- 'Config: !MBEDTLS_THREADING_PTHREAD',
- # Built but not tested.
- # https://github.com/Mbed-TLS/mbedtls/issues/9587
- 'Config: MBEDTLS_AES_USE_HARDWARE_ONLY',
- # Untested platform-specific optimizations.
- # https://github.com/Mbed-TLS/mbedtls/issues/9588
- 'Config: MBEDTLS_HAVE_SSE2',
- # Obsolete configuration option, to be replaced by
- # PSA entropy drivers.
- # https://github.com/Mbed-TLS/mbedtls/issues/8150
- 'Config: MBEDTLS_NO_PLATFORM_ENTROPY',
- # Untested aspect of the platform interface.
- # https://github.com/Mbed-TLS/mbedtls/issues/9589
- 'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
- # In a client-server build, test_suite_config runs in the
- # client configuration, so it will never report
- # MBEDTLS_PSA_CRYPTO_SPM as enabled. That's ok.
- 'Config: MBEDTLS_PSA_CRYPTO_SPM',
- # We don't test on armv8 yet.
- 'Config: MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT',
- 'Config: MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY',
- 'Config: MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
- 'Config: MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
- # We don't run test_suite_config when we test this.
- # https://github.com/Mbed-TLS/mbedtls/issues/9586
- 'Config: MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND',
],
'test_suite_config.psa_boolean': [
# We don't test with HMAC disabled.
@@ -174,6 +141,39 @@
'Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR',
'Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR',
'Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE',
+ # https://github.com/Mbed-TLS/mbedtls/issues/9583
+ 'Config: !MBEDTLS_ECP_NIST_OPTIM',
+ # We never test without the PSA client code. Should we?
+ # https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/112
+ 'Config: !MBEDTLS_PSA_CRYPTO_CLIENT',
+ # We only test multithreading with pthreads.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9584
+ 'Config: !MBEDTLS_THREADING_PTHREAD',
+ # Built but not tested.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9587
+ 'Config: MBEDTLS_AES_USE_HARDWARE_ONLY',
+ # Untested platform-specific optimizations.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9588
+ 'Config: MBEDTLS_HAVE_SSE2',
+ # Obsolete configuration option, to be replaced by
+ # PSA entropy drivers.
+ # https://github.com/Mbed-TLS/mbedtls/issues/8150
+ 'Config: MBEDTLS_NO_PLATFORM_ENTROPY',
+ # Untested aspect of the platform interface.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9589
+ 'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
+ # In a client-server build, test_suite_config runs in the
+ # client configuration, so it will never report
+ # MBEDTLS_PSA_CRYPTO_SPM as enabled. That's ok.
+ 'Config: MBEDTLS_PSA_CRYPTO_SPM',
+ # We don't test on armv8 yet.
+ 'Config: MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT',
+ 'Config: MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY',
+ 'Config: MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
+ 'Config: MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
+ # We don't run test_suite_config when we test this.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9586
+ 'Config: MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND',
],
'test_suite_config.psa_combinations': [
# We don't test this unusual, but sensible configuration.
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 865e247..a66c370 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -140,11 +140,14 @@
# directory in Mbed TLS that is not just a TF-PSA-Crypto submodule.
if [ -d tf-psa-crypto ]; then
cd tf-psa-crypto
+ check scripts/generate_psa_constants.py ./programs/psa/psa_constant_names_generated.c
check ../framework/scripts/generate_bignum_tests.py $(../framework/scripts/generate_bignum_tests.py --list)
check ../framework/scripts/generate_config_tests.py tests/suites/test_suite_config.psa_boolean.data
check ../framework/scripts/generate_ecp_tests.py $(../framework/scripts/generate_ecp_tests.py --list)
check ../framework/scripts/generate_psa_tests.py $(../framework/scripts/generate_psa_tests.py --list)
cd ..
+ check tf-psa-crypto/scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
+ ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
check framework/scripts/generate_config_tests.py tests/suites/test_suite_config.mbedtls_boolean.data
else
check framework/scripts/generate_bignum_tests.py $(framework/scripts/generate_bignum_tests.py --list)
@@ -155,12 +158,11 @@
fi
check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
+ check scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
+ ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
fi
-check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c
check framework/scripts/generate_test_keys.py framework/tests/src/test_keys.h
-check scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
- ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
# Additional checks for Mbed TLS only
if in_mbedtls_repo; then
@@ -179,4 +181,4 @@
# Generated files that are present in the repository even in the development
# branch. (This is intended to be temporary, until the generator scripts are
# fully reviewed and the build scripts support a generated header file.)
-check framework/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c
+check framework/scripts/generate_psa_wrappers.py tf-psa-crypto/tests/include/test/psa_test_wrappers.h tf-psa-crypto/tests/src/psa_test_wrappers.c
diff --git a/tests/scripts/check_names.py b/tests/scripts/check_names.py
index 3ac4d45..7c232ab 100755
--- a/tests/scripts/check_names.py
+++ b/tests/scripts/check_names.py
@@ -50,7 +50,7 @@
# Naming patterns to check against. These are defined outside the NameCheck
# class for ease of modification.
-PUBLIC_MACRO_PATTERN = r"^(MBEDTLS|PSA)_[0-9A-Z_]*[0-9A-Z]$"
+PUBLIC_MACRO_PATTERN = r"^(MBEDTLS|PSA|TF_PSA)_[0-9A-Z_]*[0-9A-Z]$"
INTERNAL_MACRO_PATTERN = r"^[0-9A-Za-z_]*[0-9A-Z]$"
CONSTANTS_PATTERN = PUBLIC_MACRO_PATTERN
IDENTIFIER_PATTERN = r"^(mbedtls|psa)_[0-9a-z_]*[0-9a-z]$"
diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh
index 7ebe627..f3a8d19 100644
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@@ -167,6 +167,7 @@
component_build_cmake_custom_config_file () {
# Make a copy of config file to use for the in-tree test
cp "$CONFIG_H" include/mbedtls_config_in_tree_copy.h
+ cp "$CRYPTO_CONFIG_H" include/mbedtls_crypto_config_in_tree_copy.h
MBEDTLS_ROOT_DIR="$PWD"
mkdir "$OUT_OF_SOURCE_DIR"
@@ -177,21 +178,27 @@
make
msg "build: cmake with -DMBEDTLS_CONFIG_FILE"
- scripts/config.py -w full_config.h full
+ cd "$MBEDTLS_ROOT_DIR"
+ scripts/config.py full
+ cp include/mbedtls/mbedtls_config.h $OUT_OF_SOURCE_DIR/full_config.h
+ cp tf-psa-crypto/include/psa/crypto_config.h $OUT_OF_SOURCE_DIR/full_crypto_config.h
+ cd "$OUT_OF_SOURCE_DIR"
echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H"
- cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h "$MBEDTLS_ROOT_DIR"
+ cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DTF_PSA_CRYPTO_CONFIG_FILE=full_crypto_config.h "$MBEDTLS_ROOT_DIR"
make
- msg "build: cmake with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE"
+ msg "build: cmake with -DMBEDTLS/TF_PSA_CRYPTO_CONFIG_FILE + -DMBEDTLS/TF_PSA_CRYPTO_USER_CONFIG_FILE"
# In the user config, disable one feature (for simplicity, pick a feature
# that nothing else depends on).
- echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
+ echo '#undef MBEDTLS_SSL_ALL_ALERT_MESSAGES' >user_config.h
+ echo '#undef MBEDTLS_NIST_KW_C' >crypto_user_config.h
- cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h "$MBEDTLS_ROOT_DIR"
+ cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h -DTF_PSA_CRYPTO_CONFIG_FILE=full_crypto_config.h -DTF_PSA_CRYPTO_USER_CONFIG_FILE=crypto_user_config.h "$MBEDTLS_ROOT_DIR"
make
+ not programs/test/query_compile_time_config MBEDTLS_SSL_ALL_ALERT_MESSAGES
not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
- rm -f user_config.h full_config.h
+ rm -f user_config.h full_config.h full_crypto_config.h
cd "$MBEDTLS_ROOT_DIR"
rm -rf "$OUT_OF_SOURCE_DIR"
@@ -200,24 +207,29 @@
# Restore config for the in-tree test
mv include/mbedtls_config_in_tree_copy.h "$CONFIG_H"
+ mv include/mbedtls_crypto_config_in_tree_copy.h "$CRYPTO_CONFIG_H"
# Build once to get the generated files (which need an intact config)
cmake .
make
msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE"
- scripts/config.py -w full_config.h full
+ cp include/mbedtls/mbedtls_config.h full_config.h
+ cp tf-psa-crypto/include/psa/crypto_config.h full_crypto_config.h
+
echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H"
- cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h .
+ cmake -DGEN_FILES=OFF -DTF_PSA_CRYPTO_CONFIG_FILE=full_crypto_config.h -DMBEDTLS_CONFIG_FILE=full_config.h .
make
- msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE"
+ msg "build: cmake (in-tree) with -DMBEDTLS/TF_PSA_CRYPTO_CONFIG_FILE + -DMBEDTLS/TF_PSA_CRYPTO_USER_CONFIG_FILE"
# In the user config, disable one feature (for simplicity, pick a feature
# that nothing else depends on).
- echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
+ echo '#undef MBEDTLS_SSL_ALL_ALERT_MESSAGES' >user_config.h
+ echo '#undef MBEDTLS_NIST_KW_C' >crypto_user_config.h
- cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h .
+ cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h -DTF_PSA_CRYPTO_CONFIG_FILE=full_crypto_config.h -DTF_PSA_CRYPTO_USER_CONFIG_FILE=crypto_user_config.h .
make
+ not programs/test/query_compile_time_config MBEDTLS_SSL_ALL_ALERT_MESSAGES
not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
rm -f user_config.h full_config.h
diff --git a/tests/scripts/components-compiler.sh b/tests/scripts/components-compiler.sh
index a4b2323..4237305 100644
--- a/tests/scripts/components-compiler.sh
+++ b/tests/scripts/components-compiler.sh
@@ -16,6 +16,7 @@
component_build_tfm_armcc () {
# test the TF-M configuration can build cleanly with various warning flags enabled
cp configs/config-tfm.h "$CONFIG_H"
+ cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
msg "build: TF-M config, armclang armv7-m thumb2"
helper_armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../framework/tests/include/spe"
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 0cf2ca9..fe8fe91 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -82,22 +82,22 @@
msg "crypto without heap: build libtestdriver1"
# Disable PSA features that cannot be accelerated and whose builtin support
# requires calloc/free.
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
- scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF"
- scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_"
- scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_"
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+ scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF"
+ scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_"
+ scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_"
# RSA key support requires ASN1 parse/write support for testing, but ASN1
# is disabled below.
- scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_"
- scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_"
+ scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_"
+ scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_"
# DES requires built-in support for key generation (parity check) so it
# cannot be accelerated
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# EC-JPAKE use calloc/free in PSA core
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
# Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H).
- PSA_SYM_LIST=$(./scripts/config.py -f $CRYPTO_CONFIG_H get-all-enabled PSA_WANT)
+ PSA_SYM_LIST=$(./scripts/config.py -c $CRYPTO_CONFIG_H get-all-enabled PSA_WANT)
loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g')
helper_libtestdriver1_adjust_config crypto
@@ -139,7 +139,7 @@
component_test_no_rsa_key_pair_generation () {
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
scripts/config.py unset MBEDTLS_GENPRIME
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
@@ -270,7 +270,7 @@
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
- make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
make test
@@ -305,7 +305,7 @@
scripts/config.py unset MBEDTLS_PKCS7_C
# Disable indirect dependencies of MD_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
# Disable things that would auto-enable MD_C
scripts/config.py unset MBEDTLS_PKCS5_C
@@ -331,17 +331,17 @@
# on CIPHER_C so we disable them.
# This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
# so we keep them enabled.
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# The following modules directly depends on CIPHER_C
scripts/config.py unset MBEDTLS_CMAC_C
@@ -411,7 +411,8 @@
component_test_config_symmetric_only () {
msg "build: configs/config-symmetric-only.h"
- cp configs/config-symmetric-only.h "$CONFIG_H"
+ MBEDTLS_CONFIG="configs/config-symmetric-only.h"
+ CRYPTO_CONFIG="configs/crypto-config-symmetric-only.h"
# test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
# want to re-generate generated files that depend on it, quite correctly.
# However this doesn't work as the generation script expects a specific
@@ -421,7 +422,7 @@
# whether they're on or off. So, disable cmake's (over-sensitive here)
# dependency resolution for generated files and just rely on them being
# present (thanks to pre_generate_files) by turning GEN_FILES off.
- CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: configs/config-symmetric-only.h - unit tests"
@@ -452,18 +453,18 @@
msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_ECJPAKE_C
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
# Disable all curves
scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
- scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
- scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
+ scripts/config.py -c $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
+ scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -1402,8 +1403,9 @@
component_test_tfm_config_as_is () {
msg "build: configs/config-tfm.h"
- cp configs/config-tfm.h "$CONFIG_H"
- CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ MBEDTLS_CONFIG="configs/config-tfm.h"
+ CRYPTO_CONFIG="configs/ext/crypto_config_profile_medium.h"
+ CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: configs/config-tfm.h - unit tests"
@@ -1416,14 +1418,13 @@
common_tfm_config () {
# Enable TF-M config
cp configs/config-tfm.h "$CONFIG_H"
- echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H"
cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
# Config adjustment for better test coverage in our environment.
# This is not needed just to build and pass tests.
#
# Enable filesystem I/O for the benefit of PK parse/write tests.
- echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H"
+ sed -i '/PROFILE_M_PSA_CRYPTO_CONFIG_H/i #define MBEDTLS_FS_IO' "$CRYPTO_CONFIG_H"
}
# Keep this in sync with component_test_tfm_config() as they are both meant
@@ -1465,7 +1466,7 @@
# Disable P256M driver, which is on by default, so that analyze_outcomes
# can compare this test with test_tfm_config_p256m_driver_accel_ec
- echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H"
+ sed -i '/PROFILE_M_PSA_CRYPTO_CONFIG_H/i #undef MBEDTLS_PSA_P256M_DRIVER_ENABLED' "$CRYPTO_CONFIG_H"
msg "build: TF-M config without p256m"
make CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests
@@ -1534,8 +1535,8 @@
# We need PEM parsing in the test library as well to support the import
# of PEM encoded RSA keys.
- scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
- scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
+ scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
+ scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
fi
}
@@ -2164,11 +2165,9 @@
component_test_ccm_aes_sha256 () {
msg "build: CCM + AES + SHA256 configuration"
- cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H"
- cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H"
-
+ # Setting a blank config disables everyhing in the library side.
+ echo '#define MBEDTLS_CONFIG_H ' >"$CONFIG_H"
make
-
msg "test: CCM + AES + SHA256 configuration"
make test
}
@@ -2281,10 +2280,10 @@
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_DES_C
@@ -2649,22 +2648,22 @@
}
component_build_psa_config_file () {
- msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
+ msg "build: make with TF_PSA_CRYPTO_CONFIG_FILE" # ~40s
cp "$CRYPTO_CONFIG_H" psa_test_config.h
- echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
- make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
+ echo '#error "TF_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
+ make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
# Make sure this feature is enabled. We'll disable it in the next phase.
programs/test/query_compile_time_config MBEDTLS_CMAC_C
make clean
- msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
+ msg "build: make with TF_PSA_CRYPTO_CONFIG_FILE + TF_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
# In the user config, disable one feature and its dependencies, which will
# reflect on the mbedtls configuration so we can query it with
# query_compile_time_config.
echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
- scripts/config.py unset MBEDTLS_CMAC_C
- make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
+ echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h
+ make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
not programs/test/query_compile_time_config MBEDTLS_CMAC_C
rm -f psa_test_config.h psa_user_config.h
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index b522419..a60bb93 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -11,7 +11,8 @@
component_test_config_suite_b () {
msg "build: configs/config-suite-b.h"
- cp configs/config-suite-b.h "$CONFIG_H"
+ MBEDTLS_CONFIG="configs/config-suite-b.h"
+ CRYPTO_CONFIG="configs/crypto-config-suite-b.h"
# test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
# want to re-generate generated files that depend on it, quite correctly.
# However this doesn't work as the generation script expects a specific
@@ -21,7 +22,7 @@
# whether they're on or off. So, disable cmake's (over-sensitive here)
# dependency resolution for generated files and just rely on them being
# present (thanks to pre_generate_files) by turning GEN_FILES off.
- CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: configs/config-suite-b.h - unit tests"
@@ -33,8 +34,8 @@
msg "build: configs/config-suite-b.h + DEBUG"
MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG"
make clean
- scripts/config.py set MBEDTLS_DEBUG_C
- scripts/config.py set MBEDTLS_ERROR_C
+ scripts/config.py -f "$MBEDTLS_CONFIG" set MBEDTLS_DEBUG_C
+ scripts/config.py -f "$MBEDTLS_CONFIG" set MBEDTLS_ERROR_C
make ssl-opt
msg "test: configs/config-suite-b.h + DEBUG - ssl-opt.sh"
@@ -58,10 +59,10 @@
msg "build: default with only stream cipher use psa"
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
@@ -69,8 +70,8 @@
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
# Note: The unset below is to be removed for 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
@@ -94,10 +95,10 @@
msg "build: default with only CBC-legacy cipher use psa"
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
@@ -105,7 +106,7 @@
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -127,10 +128,10 @@
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
@@ -138,7 +139,7 @@
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -158,7 +159,8 @@
component_test_config_thread () {
msg "build: configs/config-thread.h"
- cp configs/config-thread.h "$CONFIG_H"
+ MBEDTLS_CONFIG="configs/config-thread.h"
+ CRYPTO_CONFIG="configs/crypto-config-thread.h"
# test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
# want to re-generate generated files that depend on it, quite correctly.
# However this doesn't work as the generation script expects a specific
@@ -168,7 +170,7 @@
# whether they're on or off. So, disable cmake's (over-sensitive here)
# dependency resolution for generated files and just rely on them being
# present (thanks to pre_generate_files) by turning GEN_FILES off.
- CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: configs/config-thread.h - unit tests"
@@ -180,7 +182,8 @@
component_test_tls1_2_ccm_psk () {
msg "build: configs/config-ccm-psk-tls1_2.h"
- cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H"
+ MBEDTLS_CONFIG="configs/config-ccm-psk-tls1_2.h"
+ CRYPTO_CONFIG="configs/crypto-config-ccm-psk-tls1_2.h"
# test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
# want to re-generate generated files that depend on it, quite correctly.
# However this doesn't work as the generation script expects a specific
@@ -190,7 +193,7 @@
# whether they're on or off. So, disable cmake's (over-sensitive here)
# dependency resolution for generated files and just rely on them being
# present (thanks to pre_generate_files) by turning GEN_FILES off.
- CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: configs/config-ccm-psk-tls1_2.h - unit tests"
@@ -202,7 +205,8 @@
component_test_tls1_2_ccm_psk_dtls () {
msg "build: configs/config-ccm-psk-dtls1_2.h"
- cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H"
+ MBEDTLS_CONFIG="configs/config-ccm-psk-dtls1_2.h"
+ CRYPTO_CONFIG="configs/crypto-config-ccm-psk-tls1_2.h"
# test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
# want to re-generate generated files that depend on it, quite correctly.
# However this doesn't work as the generation script expects a specific
@@ -212,7 +216,7 @@
# whether they're on or off. So, disable cmake's (over-sensitive here)
# dependency resolution for generated files and just rely on them being
# present (thanks to pre_generate_files) by turning GEN_FILES off.
- CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: configs/config-ccm-psk-dtls1_2.h - unit tests"
@@ -224,8 +228,8 @@
msg "build: configs/config-ccm-psk-dtls1_2.h + DEBUG"
MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG"
make clean
- scripts/config.py set MBEDTLS_DEBUG_C
- scripts/config.py set MBEDTLS_ERROR_C
+ scripts/config.py -f "$MBEDTLS_CONFIG" set MBEDTLS_DEBUG_C
+ scripts/config.py -f "$MBEDTLS_CONFIG" set MBEDTLS_ERROR_C
make ssl-opt
msg "test: configs/config-ccm-psk-dtls1_2.h + DEBUG - ssl-opt.sh"
@@ -478,22 +482,22 @@
scripts/config.py unset MBEDTLS_PKCS7_C
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_FFDH
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_2048
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_3072
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_4096
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_6144
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_8192
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_FFDH
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_2048
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_3072
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_4096
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_6144
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_8192
# Note: The four unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -529,7 +533,7 @@
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
# Note: The unset below is to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
@@ -552,10 +556,10 @@
scripts/config.py unset MBEDTLS_PKCS7_C
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
@@ -579,11 +583,11 @@
scripts/config.py unset MBEDTLS_PKCS7_C
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -607,10 +611,10 @@
scripts/config.py unset MBEDTLS_PKCS7_C
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
+ scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh
index 4b7162a..6d1f2a8 100644
--- a/tests/scripts/components-configuration.sh
+++ b/tests/scripts/components-configuration.sh
@@ -236,6 +236,7 @@
# the configuration that works on mainstream platforms is in
# configs/config-tfm.h, tested via test-ref-configs.pl.
cp configs/config-tfm.h "$CONFIG_H"
+ cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
msg "build: TF-M config, clang, armv7-m thumb2"
make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../framework/tests/include/spe"
@@ -292,15 +293,15 @@
echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
# Make sure this feature is enabled. We'll disable it in the next phase.
- programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
+ programs/test/query_compile_time_config MBEDTLS_SSL_ALL_ALERT_MESSAGES
make clean
msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE"
# In the user config, disable one feature (for simplicity, pick a feature
# that nothing else depends on).
- echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
+ echo '#undef MBEDTLS_SSL_ALL_ALERT_MESSAGES' >user_config.h
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
- not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
+ not programs/test/query_compile_time_config MBEDTLS_SSL_ALL_ALERT_MESSAGES
rm -f user_config.h full_config.h
}
diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh
index 7a67027..2496c3d 100644
--- a/tests/scripts/components-sanitizers.sh
+++ b/tests/scripts/components-sanitizers.sh
@@ -49,7 +49,7 @@
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
scripts/config.py unset MBEDTLS_HAVE_ASM
- CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
+ CC=clang cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=MemSan .
make
msg "test: main suites (Msan + constant flow)"
diff --git a/tests/scripts/psa_collect_statuses.py b/tests/scripts/psa_collect_statuses.py
index 11bbebc..d835ba7 100755
--- a/tests/scripts/psa_collect_statuses.py
+++ b/tests/scripts/psa_collect_statuses.py
@@ -21,7 +21,7 @@
import sys
DEFAULT_STATUS_LOG_FILE = 'tests/statuses.log'
-DEFAULT_PSA_CONSTANT_NAMES = 'programs/psa/psa_constant_names'
+DEFAULT_PSA_CONSTANT_NAMES = 'tf-psa-crypto/programs/psa/psa_constant_names'
class Statuses:
"""Information about observed return statues of API functions."""
diff --git a/tests/scripts/run_demos.py b/tests/scripts/run_demos.py
index 6a63d23..f9a8100 100755
--- a/tests/scripts/run_demos.py
+++ b/tests/scripts/run_demos.py
@@ -44,7 +44,9 @@
Return True if all demos passed and False if a demo fails.
"""
- all_demos = glob.glob('programs/*/*_demo.sh')
+ mbedtls_demos = glob.glob('programs/*/*_demo.sh')
+ tf_psa_crypto_demos = glob.glob('tf-psa-crypto/programs/*/*_demo.sh')
+ all_demos = mbedtls_demos + tf_psa_crypto_demos
if not all_demos:
# Keep the message on one line. pylint: disable=line-too-long
raise Exception('No demos found. run_demos needs to operate from the Mbed TLS toplevel directory.')
diff --git a/tests/scripts/test_psa_constant_names.py b/tests/scripts/test_psa_constant_names.py
index 8ed0fee..e697d17 100755
--- a/tests/scripts/test_psa_constant_names.py
+++ b/tests/scripts/test_psa_constant_names.py
@@ -173,7 +173,7 @@
action='store_false', dest='keep_c',
help='Don\'t keep the intermediate C file (default)')
parser.add_argument('--program',
- default='programs/psa/psa_constant_names',
+ default='tf-psa-crypto/programs/psa/psa_constant_names',
help='Program to test')
parser.add_argument('--show',
action='store_true',
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 74d0bbc..1c4fae7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -232,9 +232,11 @@
# Read boolean configuration options from mbedtls_config.h for easy and quick
# testing. Skip non-boolean options (with something other than spaces
# and a comment after "#define SYMBOL"). The variable contains a
-# space-separated list of symbols.
+# space-separated list of symbols. The list should always be
+# terminated by a single whitespace character, otherwise the last entry
+# will not get matched by the parsing regex.
if [ "$LIST_TESTS" -eq 0 ];then
- CONFIGS_ENABLED=" $(echo `$P_QUERY -l` )"
+ CONFIGS_ENABLED=" $(echo `$P_QUERY -l` ) "
else
P_QUERY=":"
CONFIGS_ENABLED=""
diff --git a/tf-psa-crypto/tests/suites/test_suite_timing.data b/tests/suites/test_suite_timing.data
similarity index 100%
rename from tf-psa-crypto/tests/suites/test_suite_timing.data
rename to tests/suites/test_suite_timing.data
diff --git a/tf-psa-crypto/tests/suites/test_suite_timing.function b/tests/suites/test_suite_timing.function
similarity index 100%
rename from tf-psa-crypto/tests/suites/test_suite_timing.function
rename to tests/suites/test_suite_timing.function
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 3a21f1b..3c81858 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -7,9 +7,9 @@
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
-Check for MBEDTLS_AES_C when already present
-depends_on:MBEDTLS_AES_C
-check_feature:"MBEDTLS_AES_C":0
+Check for MBEDTLS_TIMING_C when already present
+depends_on:MBEDTLS_TIMING_C
+check_feature:"MBEDTLS_TIMING_C":0
Check for unknown define
check_feature:"MBEDTLS_UNKNOWN":-1
diff --git a/tf-psa-crypto/CMakeLists.txt b/tf-psa-crypto/CMakeLists.txt
index d30b787..a55b162 100644
--- a/tf-psa-crypto/CMakeLists.txt
+++ b/tf-psa-crypto/CMakeLists.txt
@@ -65,7 +65,7 @@
# Set the project, Mbed TLS and framework root directory.
set(TF_PSA_CRYPTO_DIR ${CMAKE_CURRENT_SOURCE_DIR})
set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/..)
-set(MBEDTLS_FRAMEWORK_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../framework)
+set(TF_PSA_CRYPTO_FRAMEWORK_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../framework)
# Put the version numbers into relevant files
set(version_number_files
@@ -359,11 +359,11 @@
endif()
if(TF_PSA_CRYPTO_CONFIG_FILE)
target_compile_definitions(${target}
- PUBLIC MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
+ PUBLIC TF_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
endif()
if(TF_PSA_CRYPTO_USER_CONFIG_FILE)
target_compile_definitions(${target}
- PUBLIC MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
+ PUBLIC TF_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
endif()
endfunction(set_config_files_compile_definitions)
@@ -376,8 +376,8 @@
endif()
endif()
-if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
- message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
+if (NOT EXISTS "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/CMakeLists.txt")
+ message(FATAL_ERROR "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
endif()
add_subdirectory(include)
@@ -401,46 +401,32 @@
#
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
file(GLOB MBEDTLS_TEST_FILES
- ${MBEDTLS_FRAMEWORK_DIR}/tests/src/*.c
- ${MBEDTLS_FRAMEWORK_DIR}/tests/src/drivers/*.c
- ${MBEDTLS_DIR}/tests/src/*.c)
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/*.c
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/drivers/*.c
+ ${TF_PSA_CRYPTO_DIR}/tests/src/*.c)
add_library(tf_psa_crypto_test OBJECT ${MBEDTLS_TEST_FILES})
set_base_compile_options(tf_psa_crypto_test)
if(GEN_FILES)
add_custom_command(
OUTPUT
- ${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/test_keys.h
WORKING_DIRECTORY
${MBEDTLS_DIR}/tests
COMMAND
"${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}"
- "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py"
+ "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_test_keys.py"
"--output"
- "${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h"
+ "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/test_keys.h"
DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_test_keys.py
)
- add_custom_target(tf_psa_crypto_test_keys_header DEPENDS ${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h)
-
- add_custom_command(
- OUTPUT
- ${MBEDTLS_DIR}/tests/src/test_certs.h
- WORKING_DIRECTORY
- ${MBEDTLS_DIR}/tests
- COMMAND
- "${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}"
- "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py"
- "--output"
- "${MBEDTLS_DIR}/tests/src/test_certs.h"
- DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py
- )
- add_custom_target(tf_psa_crypto_test_certs_header DEPENDS ${MBEDTLS_DIR}/tests/src/test_certs.h)
- add_dependencies(tf_psa_crypto_test tf_psa_crypto_test_keys_header tf_psa_crypto_test_certs_header)
+ add_custom_target(tf_psa_crypto_test_keys_header
+ DEPENDS ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/test_keys.h)
+ add_dependencies(tf_psa_crypto_test tf_psa_crypto_test_keys_header)
endif()
target_include_directories(tf_psa_crypto_test
- PRIVATE ${MBEDTLS_FRAMEWORK_DIR}/tests/include
- PRIVATE ${MBEDTLS_DIR}/tests/include
+ PRIVATE ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/include
+ PRIVATE ${TF_PSA_CRYPTO_DIR}/tests/include
PRIVATE ${MBEDTLS_DIR}/include
PRIVATE include
PRIVATE drivers/builtin/include
diff --git a/tf-psa-crypto/core/CMakeLists.txt b/tf-psa-crypto/core/CMakeLists.txt
index 3e4092c..ccf1148 100644
--- a/tf-psa-crypto/core/CMakeLists.txt
+++ b/tf-psa-crypto/core/CMakeLists.txt
@@ -15,12 +15,12 @@
${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers_no_static.c
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_DIR}/scripts/generate_driver_wrappers.py
+ ${TF_PSA_CRYPTO_DIR}/scripts/generate_driver_wrappers.py
${CMAKE_CURRENT_BINARY_DIR}
DEPENDS
- ${MBEDTLS_DIR}/scripts/generate_driver_wrappers.py
- ${MBEDTLS_DIR}/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
- ${MBEDTLS_DIR}/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
+ ${TF_PSA_CRYPTO_DIR}/scripts/generate_driver_wrappers.py
+ ${TF_PSA_CRYPTO_DIR}/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+ ${TF_PSA_CRYPTO_DIR}/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
)
else()
link_to_source(psa_crypto_driver_wrappers.h)
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h
index 1dc31c9..75e95d3 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h
@@ -642,8 +642,6 @@
* Please use psa_aead_xxx() / psa_cipher_xxx() directly
* instead.
*
- * \note See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
- *
* \param ctx The context to initialize. May not be \c NULL.
* \param cipher_info The cipher to use.
* \param taglen For AEAD ciphers, the length in bytes of the
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_crypto.h
similarity index 98%
rename from include/mbedtls/config_adjust_legacy_crypto.h
rename to tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_crypto.h
index 40ef083..c9e3d18 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_crypto.h
@@ -271,8 +271,6 @@
* case there is no associated issue to track it yet.
* - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
* still depends on ECP_LIGHT.
- * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
- * be fixed by #7453.
*/
#if defined(MBEDTLS_ECP_C) || \
defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
diff --git a/include/mbedtls/hkdf.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/hkdf.h
similarity index 100%
rename from include/mbedtls/hkdf.h
rename to tf-psa-crypto/drivers/builtin/include/mbedtls/hkdf.h
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h
index 52f4cc6..3c0f6e1 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h
@@ -88,20 +88,17 @@
typedef struct mbedtls_pk_rsassa_pss_options {
/** The digest to use for MGF1 in PSS.
*
- * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is
- * disabled, this must be equal to the \c md_alg argument passed
- * to mbedtls_pk_verify_ext(). In a future version of the library,
- * this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is
- * enabled regardless of the status of #MBEDTLS_RSA_C.
+ * \note When #MBEDTLS_RSA_C is disabled, this must be equal to the \c md_alg argument passed
+ * to mbedtls_pk_verify_ext(). In a future version of the library, this constraint may
+ * apply regardless of the status of #MBEDTLS_RSA_C.
*/
mbedtls_md_type_t mgf1_hash_id;
/** The expected length of the salt, in bytes. This may be
* #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
*
- * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only
- * #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be
- * ignored (allowing any salt length).
+ * \note Only #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be ignored (allowing any
+ * salt length).
*/
int expected_salt_len;
@@ -165,7 +162,8 @@
* which functions are used for various operations. The overall picture looks
* like this:
* - if USE_PSA is not defined and ECP_C is defined then use ecp_keypair data
- * structure and legacy functions
+ * structure and legacy functions. (MBEDTLS_USE_PSA_CRYPTO is always on and
+ * although this codepath remains present, it never will be taken.)
* - if USE_PSA is defined and
* - if ECP_C then use ecp_keypair structure, convert data to a PSA friendly
* format and use PSA functions
@@ -222,7 +220,7 @@
void *MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */
/* The following field is used to store the ID of a private key in the
* following cases:
- * - opaque key when MBEDTLS_USE_PSA_CRYPTO is defined
+ * - opaque key
* - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
* - the pk_ctx above is not not used to store the private key anymore.
* Actually that field not populated at all in this case because also
@@ -805,9 +803,9 @@
*
* \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point
* to a mbedtls_pk_rsassa_pss_options structure,
- * otherwise it must be NULL. Note that if
- * #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not
- * verified as PSA_ALG_RSA_PSS_ANY_SALT is used.
+ * otherwise it must be NULL. Note that the salt length is not
+ * verified as contexes have PSA_ALG_RSA_PSS_ANY_SALT as default
+ * and that is the only valid value.
*/
int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
@@ -1075,9 +1073,8 @@
/**
* \brief Parse a private key in PEM or DER format
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param ctx The PK context to fill. It must have been initialized
* but not set up.
@@ -1115,9 +1112,8 @@
/**
* \brief Parse a public key in PEM or DER format
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param ctx The PK context to fill. It must have been initialized
* but not set up.
@@ -1148,9 +1144,8 @@
/**
* \brief Load and parse a private key
*
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
+ * \note The PSA crypto subsystem must have been initialized by
+ * calling psa_crypto_init() before calling this function.
*
* \param ctx The PK context to fill. It must have been initialized
* but not set up.
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_util.c b/tf-psa-crypto/drivers/builtin/src/psa_util.c
index b2d2cd9..f441779 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_util.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_util.c
@@ -28,10 +28,6 @@
#if defined(MBEDTLS_LMS_C)
#include <mbedtls/lms.h>
#endif
-#if defined(MBEDTLS_SSL_TLS_C) && \
- (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
-#include <mbedtls/ssl.h>
-#endif
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
#include <mbedtls/rsa.h>
@@ -79,20 +75,6 @@
};
#endif
-#if defined(MBEDTLS_SSL_TLS_C) && \
- (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
-const mbedtls_error_pair_t psa_to_ssl_errors[] =
-{
- { PSA_SUCCESS, 0 },
- { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
- { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
- { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
- { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
- { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
- { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
-};
-#endif
-
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
diff --git a/tf-psa-crypto/include/psa/crypto_config.h b/tf-psa-crypto/include/psa/crypto_config.h
index 59fac26..13015fa 100644
--- a/tf-psa-crypto/include/psa/crypto_config.h
+++ b/tf-psa-crypto/include/psa/crypto_config.h
@@ -29,6 +29,13 @@
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H
+/**
+ * \name SECTION: SECTION Cryptographic mechanism selection (PSA API)
+ *
+ * This section sets PSA API settings.
+ * \{
+ */
+
/*
* CBC-MAC is not yet supported via the PSA API in Mbed TLS.
*/
@@ -146,5 +153,2656 @@
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 /* Not supported */
+/** \} name SECTION Cryptographic mechanism selection (PSA API) */
+
+/**
+ * \name SECTION: Platform abstraction layer
+ *
+ * This section sets platform specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_FS_IO
+ *
+ * Enable functions that use the filesystem.
+ */
+#define MBEDTLS_FS_IO
+
+/**
+ * \def MBEDTLS_HAVE_TIME
+ *
+ * System has time.h and time().
+ * The time does not need to be correct, only time differences are used,
+ * by contrast with MBEDTLS_HAVE_TIME_DATE
+ *
+ * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
+ * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
+ * MBEDTLS_PLATFORM_STD_TIME.
+ *
+ * Comment if your system does not support time functions.
+ *
+ * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
+ * interface - timing.c will include time.h on suitable platforms
+ * regardless of the setting of MBEDTLS_HAVE_TIME, unless
+ * MBEDTLS_TIMING_ALT is used. See timing.c for more information.
+ */
+#define MBEDTLS_HAVE_TIME
+
+/**
+ * \def MBEDTLS_HAVE_TIME_DATE
+ *
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
+ * The time needs to be correct (not necessarily very accurate, but at least
+ * the date should be correct). This is used to verify the validity period of
+ * X.509 certificates.
+ *
+ * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
+ */
+#define MBEDTLS_HAVE_TIME_DATE
+
+/**
+ * \def MBEDTLS_MEMORY_DEBUG
+ *
+ * Enable debugging of buffer allocator memory issues. Automatically prints
+ * (to stderr) all (fatal) messages on memory allocation issues. Enables
+ * function for 'debug output' of allocated memory.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Uncomment this macro to let the buffer allocator print out error messages.
+ */
+//#define MBEDTLS_MEMORY_DEBUG
+
+/**
+ * \def MBEDTLS_MEMORY_BACKTRACE
+ *
+ * Include backtrace information with each allocated block.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ * GLIBC-compatible backtrace() and backtrace_symbols() support
+ *
+ * Uncomment this macro to include backtrace information
+ */
+//#define MBEDTLS_MEMORY_BACKTRACE
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other modules rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+/**
+ * \def MBEDTLS_PLATFORM_EXIT_ALT
+ *
+ * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let Mbed TLS support the
+ * function in the platform abstraction layer.
+ *
+ * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, Mbed TLS will
+ * provide a function "mbedtls_platform_set_printf()" that allows you to set an
+ * alternative printf function pointer.
+ *
+ * All these define require MBEDTLS_PLATFORM_C to be defined!
+ *
+ * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
+ * it will be enabled automatically by check_config.h
+ *
+ * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
+ * MBEDTLS_PLATFORM_XXX_MACRO!
+ *
+ * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
+ *
+ * Uncomment a macro to enable alternate implementation of specific base
+ * platform function
+ */
+//#define MBEDTLS_PLATFORM_SETBUF_ALT
+//#define MBEDTLS_PLATFORM_EXIT_ALT
+//#define MBEDTLS_PLATFORM_TIME_ALT
+//#define MBEDTLS_PLATFORM_FPRINTF_ALT
+//#define MBEDTLS_PLATFORM_PRINTF_ALT
+//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
+//#define MBEDTLS_PLATFORM_NV_SEED_ALT
+//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
+//#define MBEDTLS_PLATFORM_MS_TIME_ALT
+
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default Mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling #MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling #MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * An overview of how the value of mbedtls_calloc is determined:
+ *
+ * - if !MBEDTLS_PLATFORM_MEMORY
+ * - mbedtls_calloc = calloc
+ * - if MBEDTLS_PLATFORM_MEMORY
+ * - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
+ * - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO
+ * - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
+ * - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC.
+ * - How is MBEDTLS_PLATFORM_STD_CALLOC handled?
+ * - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
+ * - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything;
+ * - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present;
+ * - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
+ * - if MBEDTLS_PLATFORM_STD_CALLOC is present:
+ * - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected;
+ * - if !MBEDTLS_PLATFORM_STD_CALLOC:
+ * - MBEDTLS_PLATFORM_STD_CALLOC = calloc
+ *
+ * - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked.
+ * - if !MBEDTLS_PLATFORM_STD_CALLOC
+ * - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc
+ *
+ * - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC.
+ *
+ * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible.
+ * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time.
+ * #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used,
+ * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases.
+ * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer.
+ * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+//#define MBEDTLS_PLATFORM_MEMORY
+
+/**
+ * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+ *
+ * Do not assign standard functions in the platform layer (e.g. calloc() to
+ * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
+ *
+ * This makes sure there are no linking errors on platforms that do not support
+ * these functions. You will HAVE to provide alternatives, either at runtime
+ * via the platform_set_xxx() functions or at compile time by setting
+ * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
+ * MBEDTLS_PLATFORM_XXX_MACRO.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Uncomment to prevent default assignment of standard functions in the
+ * platform layer.
+ */
+//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_zeroize(), to wipe sensitive data in memory. This replaces
+ * the default implementation in platform_util.c.
+ *
+ * By default, the library uses a system function such as memset_s()
+ * (optional feature of C11), explicit_bzero() (BSD and compatible), or
+ * SecureZeroMemory (Windows). If no such function is detected, the library
+ * falls back to a plain C implementation. Compilers are technically
+ * permitted to optimize this implementation out, meaning that the memory is
+ * not actually wiped. The library tries to prevent that, but the C language
+ * makes it impossible to guarantee that the memory will always be wiped.
+ *
+ * If your platform provides a guaranteed method to wipe memory which
+ * `platform_util.c` does not detect, define this macro to the name of
+ * a function that takes two arguments, a `void *` pointer and a length,
+ * and wipes that many bytes starting at the specified address. For example,
+ * if your platform has explicit_bzero() but `platform_util.c` does not
+ * detect its presence, define `MBEDTLS_PLATFORM_ZEROIZE_ALT` to be
+ * `explicit_bzero` to use that function as mbedtls_platform_zeroize().
+ */
+//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
+
+/**
+ * \def MBEDTLS_THREADING_ALT
+ *
+ * Provide your own alternate threading implementation.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to allow your own alternate threading implementation.
+ */
+//#define MBEDTLS_THREADING_ALT
+
+/**
+ * \def MBEDTLS_THREADING_PTHREAD
+ *
+ * Enable the pthread wrapper layer for the threading layer.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to enable pthread mutexes.
+ */
+//#define MBEDTLS_THREADING_PTHREAD
+
+/**
+ * \def MBEDTLS_THREADING_C
+ *
+ * Enable the threading abstraction layer.
+ * By default Mbed TLS assumes it is used in a non-threaded environment or that
+ * contexts are not shared between threads. If you do intend to use contexts
+ * between threads, you will need to enable this layer to prevent race
+ * conditions. See also our Knowledge Base article about threading:
+ * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
+ *
+ * Module: library/threading.c
+ *
+ * This allows different threading implementations (self-implemented or
+ * provided).
+ *
+ * You will have to enable either MBEDTLS_THREADING_ALT or
+ * MBEDTLS_THREADING_PTHREAD.
+ *
+ * Enable this layer to allow use of mutexes within Mbed TLS
+ */
+//#define MBEDTLS_THREADING_C
+
+/* Memory buffer allocator options */
+//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
+
+/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */
+/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
+//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_CALLOC for requirements. */
+//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_FREE for requirements. */
+//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t //#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t /**< Default milliseconds time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled. It must be signed, and at least 64 bits. If it is changed from the default, MBEDTLS_PRINTF_MS_TIME must be updated to match.*/
+//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf macro to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
+
+/** \def MBEDTLS_PLATFORM_STD_CALLOC
+ *
+ * Default allocator to use, can be undefined.
+ * It must initialize the allocated buffer memory to zeroes.
+ * The size of the buffer is the product of the two parameters.
+ * The calloc function returns either a null pointer or a pointer to the allocated space.
+ * If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function.
+ * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer.
+ * See the description of #MBEDTLS_PLATFORM_MEMORY for more details.
+ * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE.
+ */
+//#define MBEDTLS_PLATFORM_STD_CALLOC calloc
+
+//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
+
+/** \def MBEDTLS_PLATFORM_STD_FREE
+ *
+ * Default free to use, can be undefined.
+ * NULL is a valid parameter, and the function must do nothing.
+ * A non-null parameter will always be a pointer previously returned by #MBEDTLS_PLATFORM_STD_CALLOC and not yet freed.
+ * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything.
+ * See the description of #MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply).
+ */
+//#define MBEDTLS_PLATFORM_STD_FREE free
+
+//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf /**< Default vsnprintf macro to use, can be undefined */
+//#define MBEDTLS_PRINTF_MS_TIME PRId64 /**< Default fmt for printf. That's avoid compiler warning if mbedtls_ms_time_t is redefined */
+
+/** \} name SECTION: Platform abstraction layer */
+
+/**
+ * \name SECTION: General and test configuration options
+ *
+ * This section sets test specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CHECK_RETURN_WARNING
+ *
+ * If this macro is defined, emit a compile-time warning if application code
+ * calls a function without checking its return value, but the return value
+ * should generally be checked in portable applications.
+ *
+ * This is only supported on platforms where #MBEDTLS_CHECK_RETURN is
+ * implemented. Otherwise this option has no effect.
+ *
+ * Uncomment to get warnings on using fallible functions without checking
+ * their return value.
+ *
+ * \note This feature is a work in progress.
+ * Warnings will be added to more functions in the future.
+ *
+ * \note A few functions are considered critical, and ignoring the return
+ * value of these functions will trigger a warning even if this
+ * macro is not defined. To completely disable return value check
+ * warnings, define #MBEDTLS_CHECK_RETURN with an empty expansion.
+ */
+//#define MBEDTLS_CHECK_RETURN_WARNING
+
+/**
+ * \def MBEDTLS_DEPRECATED_WARNING
+ *
+ * Mark deprecated functions and features so that they generate a warning if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
+ *
+ * This only works with GCC and Clang. With other compilers, you may want to
+ * use MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Uncomment to get warnings on using deprecated functions and features.
+ */
+//#define MBEDTLS_DEPRECATED_WARNING
+
+/**
+ * \def MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Remove deprecated functions and features so that they generate an error if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
+ *
+ * Uncomment to get errors on using deprecated functions and features.
+ */
+//#define MBEDTLS_DEPRECATED_REMOVED
+
+/** \def MBEDTLS_CHECK_RETURN
+ *
+ * This macro is used at the beginning of the declaration of a function
+ * to indicate that its return value should be checked. It should
+ * instruct the compiler to emit a warning or an error if the function
+ * is called without checking its return value.
+ *
+ * There is a default implementation for popular compilers in platform_util.h.
+ * You can override the default implementation by defining your own here.
+ *
+ * If the implementation here is empty, this will effectively disable the
+ * checking of functions' return values.
+ */
+//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
+
+/** \def MBEDTLS_IGNORE_RETURN
+ *
+ * This macro requires one argument, which should be a C function call.
+ * If that function call would cause a #MBEDTLS_CHECK_RETURN warning, this
+ * warning is suppressed.
+ */
+//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))
+
+/**
+ * \def TF_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define TF_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def TF_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #TF_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define TF_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_SELF_TEST
+ *
+ * Enable the checkup functions (*_self_test).
+ */
+#define MBEDTLS_SELF_TEST
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * clang's MemorySanitizer. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires compiling with clang -fsanitize=memory. The test
+ * suites can then be run normally.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * valgrind's memcheck tool. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires valgrind headers for building, and is only useful for
+ * testing if the tests suites are run with valgrind's memcheck. This can be
+ * done for an individual test suite with 'valgrind ./test_suite_xxx', or when
+ * using CMake, this can be done for all test suites with 'make memcheck'.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+
+/**
+ * \def MBEDTLS_TEST_HOOKS
+ *
+ * Enable features for invasive testing such as introspection functions and
+ * hooks for fault injection. This enables additional unit tests.
+ *
+ * Merely enabling this feature should not change the behavior of the product.
+ * It only adds new code, and new branching points where the default behavior
+ * is the same as when this feature is disabled.
+ * However, this feature increases the attack surface: there is an added
+ * risk of vulnerabilities, and more gadgets that can make exploits easier.
+ * Therefore this feature must never be enabled in production.
+ *
+ * See `docs/architecture/testing/mbed-crypto-invasive-testing.md` for more
+ * information.
+ *
+ * Uncomment to enable invasive tests.
+ */
+//#define MBEDTLS_TEST_HOOKS
+
+/** \} name SECTION: General and test configuration options */
+
+/**
+ * \name SECTION: Cryptographic mechanism selection (extended API)
+ *
+ * This section sets cryptographic mechanism settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_LMS_C
+ *
+ * Enable the LMS stateful-hash asymmetric signature algorithm.
+ *
+ * Module: library/lms.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * Uncomment to enable the LMS verification algorithm and public key operations.
+ */
+#define MBEDTLS_LMS_C
+
+/**
+ * \def MBEDTLS_LMS_PRIVATE
+ *
+ * Enable LMS private-key operations and signing code. Functions enabled by this
+ * option are experimental, and should not be used in production.
+ *
+ * Requires: MBEDTLS_LMS_C
+ *
+ * Uncomment to enable the LMS signature algorithm and private key operations.
+ */
+//#define MBEDTLS_LMS_PRIVATE
+
+/**
+ * \def MBEDTLS_MD_C
+ *
+ * Enable the generic layer for message digest (hashing) and HMAC.
+ *
+ * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
+ * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
+ * MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least
+ * one hash.
+ * Module: library/md.c
+ * Caller: library/constant_time.c
+ * library/ecdsa.c
+ * library/ecjpake.c
+ * library/hkdf.c
+ * library/hmac_drbg.c
+ * library/pk.c
+ * library/pkcs5.c
+ * library/pkcs12.c
+ * library/psa_crypto_ecp.c
+ * library/psa_crypto_rsa.c
+ * library/rsa.c
+ * library/ssl_cookie.c
+ * library/ssl_msg.c
+ * library/ssl_tls.c
+ * library/x509.c
+ * library/x509_crt.c
+ * library/x509write_crt.c
+ * library/x509write_csr.c
+ *
+ * Uncomment to enable generic message digest wrappers.
+ */
+#define MBEDTLS_MD_C
+
+/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module: library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+#define MBEDTLS_NIST_KW_C
+
+/**
+ * \def MBEDTLS_PK_C
+ *
+ * Enable the generic public (asymmetric) key layer.
+ *
+ * Module: library/pk.c
+ * Caller: library/psa_crypto_rsa.c
+ * library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ * library/x509.c
+ *
+ * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
+ *
+ * Uncomment to enable generic public key wrappers.
+ */
+#define MBEDTLS_PK_C
+
+/**
+ * \def MBEDTLS_PKCS5_C
+ *
+ * Enable PKCS#5 functions.
+ *
+ * Module: library/pkcs5.c
+ *
+ * Auto-enables: MBEDTLS_MD_C
+ *
+ * \warning If using a hash that is only provided by PSA drivers, you must
+ * call psa_crypto_init() before doing any PKCS5 operations.
+ *
+ * This module adds support for the PKCS#5 functions.
+ */
+#define MBEDTLS_PKCS5_C
+
+/**
+ * \def MBEDTLS_PKCS12_C
+ *
+ * Enable PKCS#12 PBE functions.
+ * Adds algorithms for parsing PKCS#8 encrypted private keys
+ *
+ * Module: library/pkcs12.c
+ * Caller: library/pkparse.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C and either MBEDTLS_MD_C or
+ * MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning If using a hash that is only provided by PSA drivers, you must
+ * call psa_crypto_init() before doing any PKCS12 operations.
+ *
+ * This module enables PKCS#12 functions.
+ */
+#define MBEDTLS_PKCS12_C
+
+/**
+ * \def MBEDTLS_PK_PARSE_C
+ *
+ * Enable the generic public (asymmetric) key parser.
+ *
+ * Module: library/pkparse.c
+ * Caller: library/x509_crt.c
+ * library/x509_csr.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key parse functions.
+ */
+#define MBEDTLS_PK_PARSE_C
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define MBEDTLS_PK_PARSE_EC_EXTENDED
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_COMPRESSED
+ *
+ * Enable the support for parsing public keys of type Short Weierstrass
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX) which are using the
+ * compressed point format. This parsing is done through ECP module's functions.
+ *
+ * \note As explained in the description of MBEDTLS_ECP_PF_COMPRESSED (in ecp.h)
+ * the only unsupported curves are MBEDTLS_ECP_DP_SECP224R1 and
+ * MBEDTLS_ECP_DP_SECP224K1.
+ */
+#define MBEDTLS_PK_PARSE_EC_COMPRESSED
+
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/**
+ * \def MBEDTLS_PK_WRITE_C
+ *
+ * Enable the generic public (asymmetric) key writer.
+ *
+ * Module: library/pkwrite.c
+ * Caller: library/x509write.c
+ *
+ * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key write functions.
+ */
+#define MBEDTLS_PK_WRITE_C
+
+/* CTR_DRBG options */
+//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
+//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
+//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
+
+/* HMAC_DRBG options */
+//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
+//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
+
+/* PSA options */
+/**
+ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
+ * PSA crypto subsystem.
+ *
+ * If this option is unset, the library chooses a hash (currently between
+ * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
+ * unspecified heuristics.
+ *
+ * \note The PSA crypto subsystem uses the first available mechanism amongst
+ * the following:
+ * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
+ * if #MBEDTLS_CTR_DRBG_C is enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
+ *
+ * A future version may reevaluate the prioritization of DRBG mechanisms.
+ */
+//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+
+/** \} name SECTION: Cryptographic mechanism selection (extended API) */
+
+/**
+ * \name SECTION: Data format support
+ *
+ * This section sets data-format specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_ASN1_PARSE_C
+ *
+ * Enable the generic ASN1 parser.
+ *
+ * Module: library/asn1.c
+ * Caller: library/x509.c
+ * library/dhm.c
+ * library/pkcs12.c
+ * library/pkcs5.c
+ * library/pkparse.c
+ */
+#define MBEDTLS_ASN1_PARSE_C
+
+/**
+ * \def MBEDTLS_ASN1_WRITE_C
+ *
+ * Enable the generic ASN1 writer.
+ *
+ * Module: library/asn1write.c
+ * Caller: library/ecdsa.c
+ * library/pkwrite.c
+ * library/x509_create.c
+ * library/x509write_crt.c
+ * library/x509write_csr.c
+ */
+#define MBEDTLS_ASN1_WRITE_C
+
+/**
+ * \def MBEDTLS_BASE64_C
+ *
+ * Enable the Base64 module.
+ *
+ * Module: library/base64.c
+ * Caller: library/pem.c
+ *
+ * This module is required for PEM support (required by X.509).
+ */
+#define MBEDTLS_BASE64_C
+
+/**
+ * \def MBEDTLS_OID_C
+ *
+ * Enable the OID database.
+ *
+ * Module: library/oid.c
+ * Caller: library/asn1write.c
+ * library/pkcs5.c
+ * library/pkparse.c
+ * library/pkwrite.c
+ * library/rsa.c
+ * library/x509.c
+ * library/x509_create.c
+ * library/x509_crl.c
+ * library/x509_crt.c
+ * library/x509_csr.c
+ * library/x509write_crt.c
+ * library/x509write_csr.c
+ *
+ * This modules translates between OIDs and internal values.
+ */
+#define MBEDTLS_OID_C
+
+/**
+ * \def MBEDTLS_PEM_PARSE_C
+ *
+ * Enable PEM decoding / parsing.
+ *
+ * Module: library/pem.c
+ * Caller: library/dhm.c
+ * library/pkparse.c
+ * library/x509_crl.c
+ * library/x509_crt.c
+ * library/x509_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ * optionally MBEDTLS_MD5_C, or PSA Crypto with MD5 (see below)
+ *
+ * \warning When parsing password-protected files, if MD5 is provided only by
+ * a PSA driver, you must call psa_crypto_init() before the first file.
+ *
+ * This modules adds support for decoding / parsing PEM files.
+ */
+#define MBEDTLS_PEM_PARSE_C
+
+/**
+ * \def MBEDTLS_PEM_WRITE_C
+ *
+ * Enable PEM encoding / writing.
+ *
+ * Module: library/pem.c
+ * Caller: library/pkwrite.c
+ * library/x509write_crt.c
+ * library/x509write_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for encoding / writing PEM files.
+ */
+#define MBEDTLS_PEM_WRITE_C
+
+/** \} name SECTION: Data format support */
+
+/**
+ * \name SECTION: PSA core
+ *
+ * This section sets PSA specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_ENTROPY_FORCE_SHA256
+ *
+ * Force the entropy accumulator to use a SHA-256 accumulator instead of the
+ * default SHA-512 based one (if both are available).
+ *
+ * Requires: MBEDTLS_SHA256_C
+ *
+ * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
+ * if you have performance concerns.
+ *
+ * This option is only useful if both MBEDTLS_SHA256_C and
+ * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
+ */
+//#define MBEDTLS_ENTROPY_FORCE_SHA256
+
+/**
+ * \def MBEDTLS_ENTROPY_HARDWARE_ALT
+ *
+ * Uncomment this macro to let Mbed TLS use your own implementation of a
+ * hardware entropy collector.
+ *
+ * Your function must be called \c mbedtls_hardware_poll(), have the same
+ * prototype as declared in library/entropy_poll.h, and accept NULL as first
+ * argument.
+ *
+ * Uncomment to use your own hardware entropy collector.
+ */
+//#define MBEDTLS_ENTROPY_HARDWARE_ALT
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+//#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ * Do not add default entropy sources in mbedtls_entropy_init().
+ *
+ * This is useful to have more control over the added entropy sources in an
+ * application.
+ *
+ * Uncomment this macro to prevent loading of default entropy functions.
+ */
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+//#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
+ * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
+ * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
+ * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher
+ * is enabled in PSA (unless it's fully accelerated, see
+ * docs/driver-only-builds.md about that).
+ */
+#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+ *
+ * Assume all buffers passed to PSA functions are owned exclusively by the
+ * PSA function and are not stored in shared memory.
+ *
+ * This option may be enabled if all buffers passed to any PSA function reside
+ * in memory that is accessible only to the PSA function during its execution.
+ *
+ * This option MUST be disabled whenever buffer arguments are in memory shared
+ * with an untrusted party, for example where arguments to PSA calls are passed
+ * across a trust boundary.
+ *
+ * \note Enabling this option reduces memory usage and code size.
+ *
+ * \note Enabling this option causes overlap of input and output buffers
+ * not to be supported by PSA functions.
+ */
+//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+
+/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ *
+ * Enable support for platform built-in keys. If you enable this feature,
+ * you must implement the function mbedtls_psa_platform_get_builtin_key().
+ * See the documentation of that function for more information.
+ *
+ * Built-in keys are typically derived from a hardware unique key or
+ * stored in a secure element.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+
+/** \def MBEDTLS_PSA_CRYPTO_CLIENT
+ *
+ * Enable support for PSA crypto client.
+ *
+ * \note This option allows to include the code necessary for a PSA
+ * crypto client when the PSA crypto implementation is not included in
+ * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
+ * code to set and get PSA key attributes.
+ * The development of PSA drivers partially relying on the library to
+ * fulfill the hardware gaps is another possible usage of this option.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CLIENT
+
+/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+ *
+ * Make the PSA Crypto module use an external random generator provided
+ * by a driver, instead of Mbed TLS's entropy and DRBG modules.
+ *
+ * \note This random generator must deliver random numbers with cryptographic
+ * quality and high performance. It must supply unpredictable numbers
+ * with a uniform distribution. The implementation of this function
+ * is responsible for ensuring that the random generator is seeded
+ * with sufficient entropy. If you have a hardware TRNG which is slow
+ * or delivers non-uniform output, declare it as an entropy source
+ * with mbedtls_entropy_add_source() instead of enabling this option.
+ *
+ * If you enable this option, you must configure the type
+ * ::mbedtls_psa_external_random_context_t in psa/crypto_platform.h
+ * and define a function called mbedtls_psa_external_get_random()
+ * with the following prototype:
+ * ```
+ * psa_status_t mbedtls_psa_external_get_random(
+ * mbedtls_psa_external_random_context_t *context,
+ * uint8_t *output, size_t output_size, size_t *output_length);
+ * );
+ * ```
+ * The \c context value is initialized to 0 before the first call.
+ * The function must fill the \c output buffer with \c output_size bytes
+ * of random data and set \c *output_length to \c output_size.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * \warning If you enable this option, code that uses the PSA cryptography
+ * interface will not use any of the entropy sources set up for
+ * the entropy module, nor the NV seed that MBEDTLS_ENTROPY_NV_SEED
+ * enables.
+ *
+ * \note This option is experimental and may be removed without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * If you enable this option, your build environment must include a header
+ * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
+ * header files, or in another directory on the compiler's include search
+ * path). Alternatively, your platform may customize the header
+ * `psa/crypto_platform.h`, in which case it can skip or replace the
+ * inclusion of `"crypto_spe.h"`.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_SPM
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_INJECT_ENTROPY
+ *
+ * Enable support for entropy injection at first boot. This feature is
+ * required on systems that do not have a built-in entropy source (TRNG).
+ * This feature is currently not supported on systems that have a built-in
+ * entropy source.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_STORAGE_C, MBEDTLS_ENTROPY_NV_SEED
+ *
+ */
+//#define MBEDTLS_PSA_INJECT_ENTROPY
+
+/**
+ * \def MBEDTLS_PSA_ITS_FILE_C
+ *
+ * Enable the emulation of the Platform Security Architecture
+ * Internal Trusted Storage (PSA ITS) over files.
+ *
+ * Module: library/psa_its_file.c
+ *
+ * Requires: MBEDTLS_FS_IO
+ */
+#define MBEDTLS_PSA_ITS_FILE_C
+
+/**
+ * \def MBEDTLS_PSA_KEY_STORE_DYNAMIC
+ *
+ * Dynamically resize the PSA key store to accommodate any number of
+ * volatile keys (until the heap memory is exhausted).
+ *
+ * If this option is disabled, the key store has a fixed size
+ * #MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys
+ * together.
+ *
+ * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ */
+#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
+
+/**
+ * \def MBEDTLS_PSA_STATIC_KEY_SLOTS
+ *
+ * Statically preallocate memory to store keys' material in PSA instead
+ * of allocating it dynamically when required. This allows builds without a
+ * heap, if none of the enabled cryptographic implementations or other features
+ * require it.
+ * This feature affects both volatile and persistent keys which means that
+ * it's not possible to persistently store a key which is larger than
+ * #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE.
+ *
+ * \note This feature comes with a (potentially) higher RAM usage since:
+ * - All the key slots are allocated no matter if they are used or not.
+ * - Each key buffer's length is #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE bytes.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+//#define MBEDTLS_PSA_STATIC_KEY_SLOTS
+
+/* Entropy options */
+//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
+//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
+//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_platform.h"`. This file should declare the same identifiers
+ * as the one in Mbed TLS, but with definitions adapted to the platform on
+ * which the library code will run.
+ *
+ * \note The required content of this header can vary from one version of
+ * Mbed TLS to the next. Integrators who provide an alternative file
+ * should review the changes in the original file whenever they
+ * upgrade Mbed TLS.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STRUCT_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_struct.h"`. This file should declare the same identifiers
+ * as the one in Mbed TLS, but with definitions adapted to the environment
+ * in which the library code will run. The typical use for this feature
+ * is to provide alternative type definitions on the client side in
+ * client-server integrations of PSA crypto, where operation structures
+ * contain handles instead of cryptographic data.
+ *
+ * \note The required content of this header can vary from one version of
+ * Mbed TLS to the next. Integrators who provide an alternative file
+ * should review the changes in the original file whenever they
+ * upgrade Mbed TLS.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
+
+/** \def MBEDTLS_PSA_KEY_SLOT_COUNT
+ *
+ * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled,
+ * the maximum amount of PSA keys simultaneously in memory. This counts all
+ * volatile keys, plus loaded persistent keys.
+ *
+ * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
+ * the maximum number of loaded persistent keys.
+ *
+ * Currently, persistent keys do not need to be loaded all the time while
+ * a multipart operation is in progress, only while the operation is being
+ * set up. This may change in future versions of the library.
+ *
+ * Currently, the library traverses of the whole table on each access to a
+ * persistent key. Therefore large values may cause poor performance.
+ *
+ * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
+ */
+//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
+
+/**
+ * \def MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+ *
+ * Define the size (in bytes) of each static key buffer when
+ * #MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not
+ * explicitly defined then it's automatically guessed from available PSA keys
+ * enabled in the build through PSA_WANT_xxx symbols.
+ * If required by the application this parameter can be set to higher values
+ * in order to store larger objects (ex: raw keys), but please note that this
+ * will increase RAM usage.
+ */
+//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256
+
+/** \} name SECTION: PSA core */
+
+/**
+ * \name SECTION: Builtin drivers
+ *
+ * This section sets driver specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AESNI_C
+ *
+ * Enable AES-NI support on x86-64 or x86-32.
+ *
+ * \note AESNI is only supported with certain compilers and target options:
+ * - Visual Studio: supported
+ * - GCC, x86-64, target not explicitly supporting AESNI:
+ * requires MBEDTLS_HAVE_ASM.
+ * - GCC, x86-32, target not explicitly supporting AESNI:
+ * not supported.
+ * - GCC, x86-64 or x86-32, target supporting AESNI: supported.
+ * For this assembly-less implementation, you must currently compile
+ * `library/aesni.c` and `library/aes.c` with machine options to enable
+ * SSE2 and AESNI instructions: `gcc -msse2 -maes -mpclmul` or
+ * `clang -maes -mpclmul`.
+ * - Non-x86 targets: this option is silently ignored.
+ * - Other compilers: this option is silently ignored.
+ *
+ * \note
+ * Above, "GCC" includes compatible compilers such as Clang.
+ * The limitations on target support are likely to be relaxed in the future.
+ *
+ * Module: library/aesni.c
+ * Caller: library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM (on some platforms, see note)
+ *
+ * This modules adds support for the AES-NI instructions on x86.
+ */
+#define MBEDTLS_AESNI_C
+
+/**
+ * \def MBEDTLS_AESCE_C
+ *
+ * Enable AES cryptographic extension support on Armv8.
+ *
+ * Module: library/aesce.c
+ * Caller: library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * \warning Runtime detection only works on Linux. For non-Linux operating
+ * system, Armv8-A Cryptographic Extensions must be supported by
+ * the CPU when this option is enabled.
+ *
+ * \note Minimum compiler versions for this feature when targeting aarch64
+ * are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2.
+ * Minimum compiler versions for this feature when targeting 32-bit
+ * Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0.
+ *
+ * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
+ * armclang <= 6.9
+ *
+ * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.
+ */
+#define MBEDTLS_AESCE_C
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ */
+//#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ */
+//#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+ *
+ * Use only 128-bit keys in AES operations to save ROM.
+ *
+ * Uncomment this macro to remove support for AES operations that use 192-
+ * or 256-bit keys.
+ *
+ * Uncommenting this macro reduces the size of AES code by ~300 bytes
+ * on v8-M/Thumb2.
+ *
+ * Module: library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ */
+//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+
+/*
+ * Disable plain C implementation for AES.
+ *
+ * When the plain C implementation is enabled, and an implementation using a
+ * special CPU feature (such as MBEDTLS_AESCE_C) is also enabled, runtime
+ * detection will be used to select between them.
+ *
+ * If only one implementation is present, runtime detection will not be used.
+ * This configuration will crash at runtime if running on a CPU without the
+ * necessary features. It will not build unless at least one of MBEDTLS_AESCE_C
+ * and/or MBEDTLS_AESNI_C is enabled & present in the build.
+ */
+//#define MBEDTLS_AES_USE_HARDWARE_ONLY
+
+/**
+ * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+ *
+ * Remove decryption operation for AES, ARIA and Camellia block cipher.
+ *
+ * \note This feature is incompatible with insecure block cipher,
+ * MBEDTLS_DES_C, and cipher modes which always require decryption
+ * operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and
+ * MBEDTLS_NIST_KW_C. This feature is incompatible with following
+ * supported PSA equivalence PSA_WANT_ALG_ECB_NO_PADDING,
+ * PSA_WANT_ALG_CBC_NO_PADDING, PSA_WANT_ALG_CBC_PKCS7 and
+ * PSA_WANT_KEY_TYPE_DES.
+ *
+ * Module: library/aes.c
+ * library/aesce.c
+ * library/aesni.c
+ * library/aria.c
+ * library/camellia.c
+ * library/cipher.c
+ */
+//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+
+/**
+ * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
+ *
+ * Use less ROM for the Camellia implementation (saves about 768 bytes).
+ *
+ * Uncomment this macro to use less memory for Camellia.
+ */
+//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
+
+/**
+ * Enable the verified implementations of ECDH primitives from Project Everest
+ * (currently only Curve25519). This feature changes the layout of ECDH
+ * contexts and therefore is a compatibility break for applications that access
+ * fields of a mbedtls_ecdh_context structure directly. See also
+ * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
+ *
+ * The Everest code is provided under the Apache 2.0 license only; therefore enabling this
+ * option is not compatible with taking the library under the GPL v2.0-or-later license.
+ */
+//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * This option:
+ * - Adds xxx_restartable() variants of existing operations in the
+ * following modules, with corresponding restart context types:
+ * - ECP (for Short Weierstrass curves only): scalar multiplication (mul),
+ * linear combination (muladd);
+ * - ECDSA: signature generation & verification;
+ * - PK: signature generation & verification;
+ * - X509: certificate chain verification.
+ * - Adds mbedtls_ecdh_enable_restart() in the ECDH module.
+ * - Changes the behaviour of TLS 1.2 clients (not servers) when using the
+ * ECDHE-ECDSA key exchange (not other key exchanges) to make all ECC
+ * computations restartable:
+ * - verification of the server's key exchange signature;
+ * - verification of the server's certificate chain;
+ * - generation of the client's signature if client authentication is used,
+ * with an ECC key/certificate.
+ *
+ * \note In the cases above, the usual SSL/TLS functions, such as
+ * mbedtls_ssl_handshake(), can now return
+ * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS.
+ *
+ * \note When this option is enabled, restartable operations in PK, X.509
+ * and TLS (see above) are not using PSA. On the other hand, ECDH
+ * computations in TLS are using PSA, and are not restartable. These
+ * are temporary limitations that should be lifted in the future. (See
+ * https://github.com/Mbed-TLS/mbedtls/issues/9784 and
+ * https://github.com/Mbed-TLS/mbedtls/issues/9817)
+ *
+ * Requires: MBEDTLS_ECP_C
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
+/**
+ * Uncomment to enable using new bignum code in the ECC modules.
+ *
+ * \warning This is currently experimental, incomplete and therefore should not
+ * be used in production.
+ */
+//#define MBEDTLS_ECP_WITH_MPI_UINT
+
+/**
+ * \def MBEDTLS_GCM_LARGE_TABLE
+ *
+ * Enable large pre-computed tables for Galois/Counter Mode (GCM).
+ * Can significantly increase throughput on systems without GCM hardware
+ * acceleration (e.g., AESNI, AESCE).
+ *
+ * The mbedtls_gcm_context size will increase by 3840 bytes.
+ * The code size will increase by roughly 344 bytes.
+ *
+ * Module: library/gcm.c
+ *
+ * Requires: MBEDTLS_GCM_C
+ */
+//#define MBEDTLS_GCM_LARGE_TABLE
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aesni.h
+ * library/aria.c
+ * library/bn_mul.h
+ * library/constant_time.c
+ *
+ * Required by:
+ * MBEDTLS_AESCE_C
+ * MBEDTLS_AESNI_C (on some platforms)
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_HAVE_SSE2
+ *
+ * CPU supports SSE2 instruction set.
+ *
+ * Uncomment if the CPU supports SSE2 (IA-32 specific).
+ */
+//#define MBEDTLS_HAVE_SSE2
+
+/**
+ * \def MBEDTLS_NO_UDBL_DIVISION
+ *
+ * The platform lacks support for double-width integer division (64-bit
+ * division on a 32-bit platform, 128-bit division on a 64-bit platform).
+ *
+ * Used in:
+ * include/mbedtls/bignum.h
+ * library/bignum.c
+ *
+ * The bignum code uses double-width division to speed up some operations.
+ * Double-width division is often implemented in software that needs to
+ * be linked with the program. The presence of a double-width integer
+ * type is usually detected automatically through preprocessor macros,
+ * but the automatic detection cannot know whether the code needs to
+ * and can be linked with an implementation of division for that type.
+ * By default division is assumed to be usable if the type is present.
+ * Uncomment this option to prevent the use of double-width division.
+ *
+ * Note that division for the native integer type is always required.
+ * Furthermore, a 64-bit type is always required even on a 32-bit
+ * platform, but it need not support multiplication or division. In some
+ * cases it is also desirable to disable some double-width operations. For
+ * example, if double-width division is implemented in software, disabling
+ * it can reduce code size in some embedded targets.
+ */
+//#define MBEDTLS_NO_UDBL_DIVISION
+
+/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ * library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
+/**
+ * Uncomment to enable p256-m. This is an alternative implementation of
+ * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
+ * Compared to the default implementation:
+ *
+ * - p256-m has a much smaller code size and RAM footprint.
+ * - p256-m is only available via the PSA API. This includes the pk module.
+ * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
+ * over the core arithmetic, or deterministic derivation of keys.
+ *
+ * We recommend enabling this option if your application uses the PSA API
+ * and the only elliptic curve support it needs is ECDH and ECDSA over
+ * SECP256R1.
+ *
+ * If you enable this option, you do not need to enable any ECC-related
+ * MBEDTLS_xxx option. You do need to separately request support for the
+ * cryptographic mechanisms through the PSA API:
+ * - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration;
+ * - #PSA_WANT_ECC_SECP_R1_256;
+ * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
+ * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
+ *
+ * \note To benefit from the smaller code size of p256-m, make sure that you
+ * do not enable any ECC-related option not supported by p256-m: this
+ * would cause the built-in ECC implementation to be built as well, in
+ * order to provide the required option.
+ * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
+ * SECP256R1 are disabled as they are not supported by this driver.
+ * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
+ * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
+ * the built-in ECC implementation, see docs/driver-only-builds.md.
+ */
+//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
+
+/**
+ * \def MBEDTLS_RSA_NO_CRT
+ *
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
+ *
+ * Uncomment this macro to disable the use of CRT in RSA.
+ *
+ */
+//#define MBEDTLS_RSA_NO_CRT
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+//#define MBEDTLS_SHA256_SMALLER
+
+/**
+ * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+ *
+ * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions if they are available at runtime.
+ * If not, the library will fall back to the C implementation.
+ *
+ * \note If MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building
+ * for a non-Armv8-A build it will be silently ignored.
+ *
+ * \note Minimum compiler versions for this feature are Clang 4.0,
+ * armclang 6.6 or GCC 6.0.
+ *
+ * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
+ * armclang <= 6.9
+ *
+ * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT.
+ * That name is deprecated, but may still be used as an alternative form for this
+ * option.
+ *
+ * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the
+ * same time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY.
+ *
+ * Requires: MBEDTLS_SHA256_C.
+ *
+ * Module: library/sha256.c
+ *
+ * Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions
+ * and use them if available.
+ */
+//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+
+/**
+ * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ *
+ * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT.
+ * This name is now deprecated, but may still be used as an alternative form for
+ * this option.
+ */
+//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+
+/**
+ * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+ *
+ * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions, which must be available at runtime
+ * or else an illegal instruction fault will occur.
+ *
+ * \note This allows builds with a smaller code size than with
+ * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+ *
+ * \note Minimum compiler versions for this feature are Clang 4.0,
+ * armclang 6.6 or GCC 6.0.
+ *
+ * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
+ * armclang <= 6.9
+ *
+ * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY.
+ * That name is deprecated, but may still be used as an alternative form for this
+ * option.
+ *
+ * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same
+ * time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT.
+ *
+ * Requires: MBEDTLS_SHA256_C.
+ *
+ * Module: library/sha256.c
+ *
+ * Uncomment to have the library use the Armv8-A SHA-256 crypto extensions
+ * unconditionally.
+ */
+//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+
+/**
+ * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+ *
+ * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY.
+ * This name is now deprecated, but may still be used as an alternative form for
+ * this option.
+ */
+//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+
+/**
+ * \def MBEDTLS_SHA512_SMALLER
+ *
+ * Enable an implementation of SHA-512 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * Uncomment to enable the smaller implementation of SHA512.
+ */
+//#define MBEDTLS_SHA512_SMALLER
+
+/**
+ * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+ *
+ * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions if they are available at runtime.
+ * If not, the library will fall back to the C implementation.
+ *
+ * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building
+ * for a non-Aarch64 build it will be silently ignored.
+ *
+ * \note Minimum compiler versions for this feature are Clang 7.0,
+ * armclang 6.9 or GCC 8.0.
+ *
+ * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for
+ * armclang 6.9
+ *
+ * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the
+ * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY.
+ *
+ * Requires: MBEDTLS_SHA512_C.
+ *
+ * Module: library/sha512.c
+ *
+ * Uncomment to have the library check for the A64 SHA-512 crypto extensions
+ * and use them if available.
+ */
+//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+
+/**
+ * \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
+ *
+ * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions, which must be available at runtime
+ * or else an illegal instruction fault will occur.
+ *
+ * \note This allows builds with a smaller code size than with
+ * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+ *
+ * \note Minimum compiler versions for this feature are Clang 7.0,
+ * armclang 6.9 or GCC 8.0.
+ *
+ * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for
+ * armclang 6.9
+ *
+ * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same
+ * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT.
+ *
+ * Requires: MBEDTLS_SHA512_C.
+ *
+ * Module: library/sha512.c
+ *
+ * Uncomment to have the library use the A64 SHA-512 crypto extensions
+ * unconditionally.
+ */
+//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
+
+/* ECP options */
+//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
+//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */
+
+/* MPI / BIGNUM options */
+//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
+//#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */
+
+/* RSA OPTIONS */
+//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 /**< Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits) */
+
+/** \} name SECTION: Builtin drivers */
+
+/**
+ * \name SECTION: Legacy cryptography
+ *
+ * This section sets legacy settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module: library/aria.c
+ * Caller: library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+#define MBEDTLS_ARIA_C
+
+/**
+ * \def MBEDTLS_BIGNUM_C
+ *
+ * Enable the multi-precision integer library.
+ *
+ * Module: library/bignum.c
+ * library/bignum_core.c
+ * library/bignum_mod.c
+ * library/bignum_mod_raw.c
+ * Caller: library/dhm.c
+ * library/ecp.c
+ * library/ecdsa.c
+ * library/rsa.c
+ * library/rsa_alt_helpers.c
+ * library/ssl_tls.c
+ *
+ * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
+ */
+#define MBEDTLS_BIGNUM_C
+
+/**
+ * \def MBEDTLS_CAMELLIA_C
+ *
+ * Enable the Camellia block cipher.
+ *
+ * Module: library/camellia.c
+ * Caller: library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ */
+#define MBEDTLS_CAMELLIA_C
+
+/**
+ * \def MBEDTLS_CCM_C
+ *
+ * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
+ *
+ * Module: library/ccm.c
+ *
+ * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
+ * MBEDTLS_ARIA_C
+ *
+ * This module enables the AES-CCM ciphersuites, if other requisites are
+ * enabled as well.
+ */
+#define MBEDTLS_CCM_C
+
+/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module: library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module: library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_CHACHAPOLY_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ * Caller: library/ccm.c
+ * library/cmac.c
+ * library/gcm.c
+ * library/nist_kw.c
+ * library/pkcs12.c
+ * library/pkcs5.c
+ * library/psa_crypto_aead.c
+ * library/psa_crypto_mac.c
+ * library/ssl_ciphersuites.c
+ * library/ssl_msg.c
+ * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled
+ * (see the documentation of that option for details).
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CBC
+ *
+ * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CBC
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CFB
+ *
+ * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CTR
+ *
+ * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CTR
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
+/**
+ * \def MBEDTLS_CIPHER_NULL_CIPHER
+ *
+ * Enable NULL cipher.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * encryption or channels without any security!
+ *
+ * To enable the following ciphersuites:
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+ * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+ * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+ * MBEDTLS_TLS_RSA_WITH_NULL_SHA
+ * MBEDTLS_TLS_RSA_WITH_NULL_MD5
+ * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+ * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+ * MBEDTLS_TLS_PSK_WITH_NULL_SHA
+ *
+ * Uncomment this macro to enable the NULL cipher and ciphersuites
+ */
+//#define MBEDTLS_CIPHER_NULL_CIPHER
+
+/**
+ * \def MBEDTLS_CIPHER_PADDING_PKCS7
+ *
+ * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
+ * specific padding modes in the cipher layer with cipher modes that support
+ * padding (e.g. CBC)
+ *
+ * If you disable all padding modes, only full blocks can be used with CBC.
+ *
+ * Enable padding modes in the cipher layer.
+ */
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define MBEDTLS_CIPHER_PADDING_ZEROS
+
+/**
+ * \def MBEDTLS_CMAC_C
+ *
+ * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
+ * ciphers.
+ *
+ * Module: library/cmac.c
+ *
+ * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C
+ *
+ */
+#define MBEDTLS_CMAC_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
+ *
+ * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
+ * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
+ * is used.
+ *
+ * \warning When using PSA, the user should call `psa_crypto_init()` before
+ * using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`).
+ *
+ * \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
+ *
+ * \note To achieve a 256-bit security strength with CTR_DRBG,
+ * you must use AES-256 *and* use sufficient entropy.
+ * See ctr_drbg.h for more details.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C or
+ * (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and
+ * MBEDTLS_PSA_CRYPTO_C)
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ *
+ * Uncomment this macro to use a 128-bit key in the CTR_DRBG module.
+ * Without this, CTR_DRBG uses a 256-bit key
+ * unless \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
+ */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+
+/**
+ * \def MBEDTLS_DES_C
+ *
+ * Enable the DES block cipher.
+ *
+ * Module: library/des.c
+ * Caller: library/pem.c
+ * library/cipher.c
+ *
+ * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
+ */
+#define MBEDTLS_DES_C
+
+/**
+ * \def MBEDTLS_DHM_C
+ *
+ * Enable the Diffie-Hellman-Merkle module.
+ *
+ * Module: library/dhm.c
+ * Caller: library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ *
+ * This module is used by the following key exchanges:
+ * DHE-RSA, DHE-PSK
+ *
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_DHM_C
+
+/**
+ * \def MBEDTLS_ECDH_C
+ *
+ * Enable the elliptic curve Diffie-Hellman library.
+ *
+ * Module: library/ecdh.c
+ * Caller: library/psa_crypto.c
+ * library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ *
+ * This module is used by the following key exchanges:
+ * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
+ *
+ * Requires: MBEDTLS_ECP_C
+ */
+#define MBEDTLS_ECDH_C
+
+/**
+ * \def MBEDTLS_ECP_C
+ *
+ * Enable the elliptic curve over GF(p) library.
+ *
+ * Module: library/ecp.c
+ * Caller: library/ecdh.c
+ * library/ecdsa.c
+ * library/ecjpake.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
+ */
+#define MBEDTLS_ECP_C
+
+/**
+ * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ *
+ * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
+ * module. By default all supported curves are enabled.
+ *
+ * Comment macros to disable the curve and functions for it
+ */
+/* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+/* Montgomery curves (supporting ECP) */
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+/**
+ * \def MBEDTLS_ECDSA_C
+ *
+ * Enable the elliptic curve DSA library.
+ *
+ * Module: library/ecdsa.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ * ECDHE-ECDSA
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C,
+ * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a
+ * short Weierstrass curve.
+ */
+#define MBEDTLS_ECDSA_C
+
+/**
+ * \def MBEDTLS_ECDSA_DETERMINISTIC
+ *
+ * Enable deterministic ECDSA (RFC 6979).
+ * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
+ * may result in a compromise of the long-term signing key. This is avoided by
+ * the deterministic variant.
+ *
+ * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
+ *
+ * Comment this macro to disable deterministic ECDSA.
+ */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+
+/**
+ * \def MBEDTLS_ECJPAKE_C
+ *
+ * Enable the elliptic curve J-PAKE library.
+ *
+ * \note EC J-PAKE support is based on the Thread v1.0.0 specification.
+ * It has not been reviewed for compliance with newer standards such as
+ * Thread v1.1 or RFC 8236.
+ *
+ * Module: library/ecjpake.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ * ECJPAKE
+ *
+ * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
+ *
+ * \warning If using a hash that is only provided by PSA drivers, you must
+ * call psa_crypto_init() before doing any EC J-PAKE operations.
+ */
+#define MBEDTLS_ECJPAKE_C
+
+/**
+ * \def MBEDTLS_GCM_C
+ *
+ * Enable the Galois/Counter Mode (GCM).
+ *
+ * Module: library/gcm.c
+ *
+ * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
+ * MBEDTLS_ARIA_C
+ *
+ * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
+ * requisites are enabled as well.
+ */
+#define MBEDTLS_GCM_C
+
+/**
+ * \def MBEDTLS_GENPRIME
+ *
+ * Enable the prime-number generation code.
+ *
+ * Requires: MBEDTLS_BIGNUM_C
+ */
+#define MBEDTLS_GENPRIME
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
+/**
+ * \def MBEDTLS_HMAC_DRBG_C
+ *
+ * Enable the HMAC_DRBG random generator.
+ *
+ * Module: library/hmac_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * Uncomment to enable the HMAC_DRBG random number generator.
+ */
+#define MBEDTLS_HMAC_DRBG_C
+
+/**
+ * \def MBEDTLS_MD5_C
+ *
+ * Enable the MD5 hash algorithm.
+ *
+ * Module: library/md5.c
+ * Caller: library/md.c
+ * library/pem.c
+ * library/ssl_tls.c
+ *
+ * This module is required for TLS 1.2 depending on the handshake parameters.
+ * Further, it is used for checking MD5-signed certificates, and for PBKDF1
+ * when decrypting PEM-encoded encrypted keys.
+ *
+ * \warning MD5 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_MD5_C
+
+/**
+ * \def MBEDTLS_PKCS1_V15
+ *
+ * Enable support for PKCS#1 v1.5 encoding.
+ *
+ * Requires: MBEDTLS_RSA_C
+ *
+ * This enables support for PKCS#1 v1.5 operations.
+ */
+#define MBEDTLS_PKCS1_V15
+
+/**
+ * \def MBEDTLS_PKCS1_V21
+ *
+ * Enable support for PKCS#1 v2.1 encoding.
+ *
+ * Requires: MBEDTLS_RSA_C
+ *
+ * \warning If using a hash that is only provided by PSA drivers, you must
+ * call psa_crypto_init() before doing any PKCS#1 v2.1 operation.
+ *
+ * This enables support for RSAES-OAEP and RSASSA-PSS operations.
+ */
+#define MBEDTLS_PKCS1_V21
+
+/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module: library/poly1305.c
+ * Caller: library/chachapoly.c
+ */
+#define MBEDTLS_POLY1305_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SE_C
+ *
+ * Enable dynamic secure element support in the Platform Security Architecture
+ * cryptography API.
+ *
+ * \deprecated This feature is deprecated. Please switch to the PSA driver
+ * interface.
+ *
+ * \warning This feature is not thread-safe, and should not be used in a
+ * multi-threaded environment.
+ *
+ * Module: library/psa_crypto_se.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_SE_C
+
+/**
+ * \def MBEDTLS_RIPEMD160_C
+ *
+ * Enable the RIPEMD-160 hash algorithm.
+ *
+ * Module: library/ripemd160.c
+ * Caller: library/md.c
+ *
+ */
+#define MBEDTLS_RIPEMD160_C
+
+/**
+ * \def MBEDTLS_RSA_C
+ *
+ * Enable the RSA public-key cryptosystem.
+ *
+ * Module: library/rsa.c
+ * library/rsa_alt_helpers.c
+ * Caller: library/pk.c
+ * library/psa_crypto.c
+ * library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ *
+ * This module is used by the following key exchanges:
+ * RSA, DHE-RSA, ECDHE-RSA
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
+ */
+#define MBEDTLS_RSA_C
+
+/**
+ * \def MBEDTLS_SHA1_C
+ *
+ * Enable the SHA1 cryptographic hash algorithm.
+ *
+ * Module: library/sha1.c
+ * Caller: library/md.c
+ * library/psa_crypto_hash.c
+ *
+ * This module is required for TLS 1.2 depending on the handshake parameters,
+ * and for SHA1-signed certificates.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_SHA1_C
+
+/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
+ * \def MBEDTLS_SHA256_C
+ *
+ * Enable the SHA-256 cryptographic hash algorithm.
+ *
+ * Module: library/sha256.c
+ * Caller: library/entropy.c
+ * library/md.c
+ * library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ *
+ * This module adds support for SHA-256.
+ * This module is required for the SSL/TLS 1.2 PRF function.
+ */
+#define MBEDTLS_SHA256_C
+
+/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/psa_crypto_hash.c
+ * library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ *
+ * Comment to disable SHA-384
+ */
+#define MBEDTLS_SHA384_C
+
+/**
+ * \def MBEDTLS_SHA512_C
+ *
+ * Enable SHA-512 cryptographic hash algorithms.
+ *
+ * Module: library/sha512.c
+ * Caller: library/entropy.c
+ * library/md.c
+ * library/ssl_tls.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-512.
+ */
+#define MBEDTLS_SHA512_C
+
+/**
+ * \def MBEDTLS_SHA3_C
+ *
+ * Enable the SHA3 cryptographic hash algorithm.
+ *
+ * Module: library/sha3.c
+ *
+ * This module adds support for SHA3.
+ */
+#define MBEDTLS_SHA3_C
+
+/** \} name SECTION: Legacy cryptography */
#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/tf-psa-crypto/programs/.gitignore b/tf-psa-crypto/programs/.gitignore
index e69de29..55c6e56 100644
--- a/tf-psa-crypto/programs/.gitignore
+++ b/tf-psa-crypto/programs/.gitignore
@@ -0,0 +1,10 @@
+psa/aead_demo
+psa/crypto_examples
+psa/hmac_demo
+psa/key_ladder_demo
+psa/psa_constant_names
+psa/psa_hash
+
+###START_GENERATED_FILES###
+# Generated source files
+psa/psa_constant_names_generated.c
diff --git a/programs/psa/CMakeLists.txt b/tf-psa-crypto/programs/psa/CMakeLists.txt
similarity index 90%
rename from programs/psa/CMakeLists.txt
rename to tf-psa-crypto/programs/psa/CMakeLists.txt
index 3c20a70..2356c81 100644
--- a/programs/psa/CMakeLists.txt
+++ b/tf-psa-crypto/programs/psa/CMakeLists.txt
@@ -20,8 +20,8 @@
${CMAKE_CURRENT_SOURCE_DIR}/../..
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_psa_constants.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_values.h
- ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_extra.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_values.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_extra.h
)
else()
link_to_source(psa_constant_names_generated.c)
diff --git a/programs/psa/aead_demo.c b/tf-psa-crypto/programs/psa/aead_demo.c
similarity index 100%
rename from programs/psa/aead_demo.c
rename to tf-psa-crypto/programs/psa/aead_demo.c
diff --git a/programs/psa/crypto_examples.c b/tf-psa-crypto/programs/psa/crypto_examples.c
similarity index 100%
rename from programs/psa/crypto_examples.c
rename to tf-psa-crypto/programs/psa/crypto_examples.c
diff --git a/programs/psa/hmac_demo.c b/tf-psa-crypto/programs/psa/hmac_demo.c
similarity index 100%
rename from programs/psa/hmac_demo.c
rename to tf-psa-crypto/programs/psa/hmac_demo.c
diff --git a/programs/psa/key_ladder_demo.c b/tf-psa-crypto/programs/psa/key_ladder_demo.c
similarity index 100%
rename from programs/psa/key_ladder_demo.c
rename to tf-psa-crypto/programs/psa/key_ladder_demo.c
diff --git a/programs/psa/key_ladder_demo.sh b/tf-psa-crypto/programs/psa/key_ladder_demo.sh
similarity index 97%
rename from programs/psa/key_ladder_demo.sh
rename to tf-psa-crypto/programs/psa/key_ladder_demo.sh
index e55da7e..526fde5 100755
--- a/programs/psa/key_ladder_demo.sh
+++ b/tf-psa-crypto/programs/psa/key_ladder_demo.sh
@@ -3,7 +3,7 @@
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-. "${0%/*}/../demo_common.sh"
+. "${0%/*}/../../../programs/demo_common.sh"
msg <<'EOF'
This script demonstrates the use of the PSA cryptography interface to
diff --git a/programs/psa/psa_constant_names.c b/tf-psa-crypto/programs/psa/psa_constant_names.c
similarity index 100%
rename from programs/psa/psa_constant_names.c
rename to tf-psa-crypto/programs/psa/psa_constant_names.c
diff --git a/programs/psa/psa_hash.c b/tf-psa-crypto/programs/psa/psa_hash.c
similarity index 100%
rename from programs/psa/psa_hash.c
rename to tf-psa-crypto/programs/psa/psa_hash.c
diff --git a/programs/psa/psa_hash_demo.sh b/tf-psa-crypto/programs/psa/psa_hash_demo.sh
similarity index 89%
rename from programs/psa/psa_hash_demo.sh
rename to tf-psa-crypto/programs/psa/psa_hash_demo.sh
index a26697c..5e257d7 100755
--- a/programs/psa/psa_hash_demo.sh
+++ b/tf-psa-crypto/programs/psa/psa_hash_demo.sh
@@ -3,7 +3,7 @@
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-. "${0%/*}/../demo_common.sh"
+. "${0%/*}/../../../programs/demo_common.sh"
msg <<'EOF'
This program demonstrates the use of the PSA cryptography interface to
diff --git a/scripts/data_files/driver_jsons/driver_opaque_schema.json b/tf-psa-crypto/scripts/data_files/driver_jsons/driver_opaque_schema.json
similarity index 100%
rename from scripts/data_files/driver_jsons/driver_opaque_schema.json
rename to tf-psa-crypto/scripts/data_files/driver_jsons/driver_opaque_schema.json
diff --git a/scripts/data_files/driver_jsons/driver_transparent_schema.json b/tf-psa-crypto/scripts/data_files/driver_jsons/driver_transparent_schema.json
similarity index 100%
rename from scripts/data_files/driver_jsons/driver_transparent_schema.json
rename to tf-psa-crypto/scripts/data_files/driver_jsons/driver_transparent_schema.json
diff --git a/scripts/data_files/driver_jsons/driverlist.json b/tf-psa-crypto/scripts/data_files/driver_jsons/driverlist.json
similarity index 100%
rename from scripts/data_files/driver_jsons/driverlist.json
rename to tf-psa-crypto/scripts/data_files/driver_jsons/driverlist.json
diff --git a/scripts/data_files/driver_jsons/mbedtls_test_opaque_driver.json b/tf-psa-crypto/scripts/data_files/driver_jsons/mbedtls_test_opaque_driver.json
similarity index 100%
rename from scripts/data_files/driver_jsons/mbedtls_test_opaque_driver.json
rename to tf-psa-crypto/scripts/data_files/driver_jsons/mbedtls_test_opaque_driver.json
diff --git a/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json b/tf-psa-crypto/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json
similarity index 100%
rename from scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json
rename to tf-psa-crypto/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json
diff --git a/scripts/data_files/driver_jsons/p256_transparent_driver.json b/tf-psa-crypto/scripts/data_files/driver_jsons/p256_transparent_driver.json
similarity index 100%
rename from scripts/data_files/driver_jsons/p256_transparent_driver.json
rename to tf-psa-crypto/scripts/data_files/driver_jsons/p256_transparent_driver.json
diff --git a/scripts/data_files/driver_templates/OS-template-opaque.jinja b/tf-psa-crypto/scripts/data_files/driver_templates/OS-template-opaque.jinja
similarity index 100%
rename from scripts/data_files/driver_templates/OS-template-opaque.jinja
rename to tf-psa-crypto/scripts/data_files/driver_templates/OS-template-opaque.jinja
diff --git a/scripts/data_files/driver_templates/OS-template-transparent.jinja b/tf-psa-crypto/scripts/data_files/driver_templates/OS-template-transparent.jinja
similarity index 100%
rename from scripts/data_files/driver_templates/OS-template-transparent.jinja
rename to tf-psa-crypto/scripts/data_files/driver_templates/OS-template-transparent.jinja
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
similarity index 100%
rename from scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
rename to tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja b/tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
similarity index 100%
rename from scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
rename to tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
diff --git a/tf-psa-crypto/scripts/framework_scripts_path.py b/tf-psa-crypto/scripts/framework_scripts_path.py
new file mode 100644
index 0000000..fd39ce3
--- /dev/null
+++ b/tf-psa-crypto/scripts/framework_scripts_path.py
@@ -0,0 +1,18 @@
+"""Add our Python library directory to the module search path.
+
+Usage:
+
+ import framework_scripts_path # pylint: disable=unused-import
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+
+import os
+import sys
+
+sys.path.append(os.path.join(os.path.dirname(__file__),
+ os.path.pardir,
+ os.path.pardir,
+ 'framework', 'scripts'))
diff --git a/scripts/generate_driver_wrappers.py b/tf-psa-crypto/scripts/generate_driver_wrappers.py
similarity index 98%
rename from scripts/generate_driver_wrappers.py
rename to tf-psa-crypto/scripts/generate_driver_wrappers.py
index 9579764..7f5be2a 100755
--- a/scripts/generate_driver_wrappers.py
+++ b/tf-psa-crypto/scripts/generate_driver_wrappers.py
@@ -179,6 +179,8 @@
args = parser.parse_args()
project_root = os.path.abspath(args.project_root)
+ if build_tree.looks_like_mbedtls_root(project_root):
+ project_root = os.path.join(project_root, 'tf-psa-crypto')
crypto_core_directory = build_tree.crypto_core_directory(project_root)
diff --git a/scripts/generate_psa_constants.py b/tf-psa-crypto/scripts/generate_psa_constants.py
similarity index 98%
rename from scripts/generate_psa_constants.py
rename to tf-psa-crypto/scripts/generate_psa_constants.py
index d472c6d..a22e406 100755
--- a/scripts/generate_psa_constants.py
+++ b/tf-psa-crypto/scripts/generate_psa_constants.py
@@ -329,6 +329,6 @@
# Allow to change the directory where psa_constant_names_generated.c is written to.
OUTPUT_FILE_DIR = sys.argv[1] if len(sys.argv) == 2 else "programs/psa"
- generate_psa_constants(['tf-psa-crypto/include/psa/crypto_values.h',
- 'tf-psa-crypto/include/psa/crypto_extra.h'],
+ generate_psa_constants(['include/psa/crypto_values.h',
+ 'include/psa/crypto_extra.h'],
OUTPUT_FILE_DIR + '/psa_constant_names_generated.c')
diff --git a/tf-psa-crypto/tests/CMakeLists.txt b/tf-psa-crypto/tests/CMakeLists.txt
index c5813a6..2929cf3 100644
--- a/tf-psa-crypto/tests/CMakeLists.txt
+++ b/tf-psa-crypto/tests/CMakeLists.txt
@@ -14,7 +14,7 @@
execute_process(
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_bignum_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_bignum_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -26,7 +26,7 @@
execute_process(
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_config_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_config_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -45,7 +45,7 @@
execute_process(
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_ecp_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_ecp_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -57,7 +57,7 @@
execute_process(
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_psa_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_psa_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -98,16 +98,16 @@
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_bignum_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_bignum_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_bignum_tests.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_common.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_core.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_mod_raw.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_mod.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_case.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_data_generation.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_bignum_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_common.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_core.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_mod_raw.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_mod.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_case.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_data_generation.py
)
add_custom_command(
OUTPUT
@@ -116,11 +116,11 @@
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_config_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_config_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
${config_generated_data_files}
DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_config_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_config_tests.py
# Do not declare the configuration files as dependencies: they
# change too often in ways that don't affect the result
# ((un)commenting some options).
@@ -132,14 +132,14 @@
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_ecp_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_ecp_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_ecp_tests.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_common.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/ecp.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_case.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_data_generation.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_ecp_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/bignum_common.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/ecp.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_case.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_data_generation.py
)
add_custom_command(
OUTPUT
@@ -148,17 +148,17 @@
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_psa_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_psa_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_psa_tests.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/crypto_data_tests.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/crypto_knowledge.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/macro_collector.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/psa_information.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/psa_storage.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_case.py
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_data_generation.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_psa_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/crypto_data_tests.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/crypto_knowledge.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/macro_collector.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/psa_information.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/psa_storage.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_case.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/mbedtls_framework/test_data_generation.py
${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_values.h
${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_extra.h
@@ -272,7 +272,7 @@
test_suite_${data_name}.c
COMMAND
${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_code.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_test_code.py
-f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function
-d ${data_file}
-t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
@@ -281,7 +281,7 @@
--helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function
-o .
DEPENDS
- ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_code.py
+ ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_test_code.py
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function
${data_file}
${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
@@ -303,7 +303,7 @@
# files are automatically included because the library targets declare
# them as PUBLIC.
target_include_directories(test_suite_${data_name}
- PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include
+ PRIVATE ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../core
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../drivers/builtin/src)
diff --git a/tf-psa-crypto/tests/configs/config_test_driver.h b/tf-psa-crypto/tests/configs/config_test_driver.h
index ed3b640..0ade508 100644
--- a/tf-psa-crypto/tests/configs/config_test_driver.h
+++ b/tf-psa-crypto/tests/configs/config_test_driver.h
@@ -17,29 +17,4 @@
#define _CRT_SECURE_NO_DEPRECATE 1
#endif
-#define MBEDTLS_PSA_CRYPTO_C
-
-/* PSA core mandatory configuration options */
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_AES_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_ENTROPY_FORCE_SHA256
-
-/*
- * Configuration options that may need to be additionally enabled for the
- * purpose of a specific set of tests.
- */
-//#define MBEDTLS_SHA1_C
-//#define MBEDTLS_SHA224_C
-//#define MBEDTLS_SHA384_C
-//#define MBEDTLS_SHA512_C
-//#define MBEDTLS_MD_C
-//#define MBEDTLS_PEM_PARSE_C
-//#define MBEDTLS_BASE64_C
-//#define MBEDTLS_THREADING_C
-//#define MBEDTLS_THREADING_PTHREAD
-
#endif /* MBEDTLS_CONFIG_H */
diff --git a/tf-psa-crypto/tests/configs/crypto_config_test_driver.h b/tf-psa-crypto/tests/configs/crypto_config_test_driver.h
new file mode 100644
index 0000000..2e75b78
--- /dev/null
+++ b/tf-psa-crypto/tests/configs/crypto_config_test_driver.h
@@ -0,0 +1,40 @@
+/*
+ * PSA Crypto configuration base for PSA test driver libraries. It includes:
+ * . the minimum set of modules needed by the PSA core.
+ * . the Mbed TLS configuration options that may need to be additionally
+ * enabled for the purpose of a specific test.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define MBEDTLS_PSA_CRYPTO_C
+
+/* PSA core mandatory configuration options */
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_ENTROPY_FORCE_SHA256
+
+/*
+ * Configuration options that may need to be additionally enabled for the
+ * purpose of a specific set of tests.
+ */
+//#define MBEDTLS_SHA1_C
+//#define MBEDTLS_SHA224_C
+//#define MBEDTLS_SHA384_C
+//#define MBEDTLS_SHA512_C
+//#define MBEDTLS_MD_C
+//#define MBEDTLS_PEM_PARSE_C
+//#define MBEDTLS_BASE64_C
+//#define MBEDTLS_THREADING_C
+//#define MBEDTLS_THREADING_PTHREAD
+
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/tests/include/test/psa_test_wrappers.h b/tf-psa-crypto/tests/include/test/psa_test_wrappers.h
similarity index 100%
rename from tests/include/test/psa_test_wrappers.h
rename to tf-psa-crypto/tests/include/test/psa_test_wrappers.h
diff --git a/tests/src/psa_test_wrappers.c b/tf-psa-crypto/tests/src/psa_test_wrappers.c
similarity index 100%
rename from tests/src/psa_test_wrappers.c
rename to tf-psa-crypto/tests/src/psa_test_wrappers.c