TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b4113bac9ab95d5466c5d8ebfbcca659efd0425e^! / .
commitb4113bac9ab95d5466c5d8ebfbcca659efd0425e[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Fri Sep 24 10:06:04 2021 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Fri Sep 24 20:44:03 2021 +0200
tree8112669f14ca76a2783fed1504a82cc6721dcc2d
parent1fa923a5bc93171f8cd0541b43230fa9e66c8836 [diff]
Clarify wording of "not covered" section

The section is about things that are not covered, but some lists are
about things that are covered, which was very confusing.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 6300bf0..4292aa6 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md

@@ -153,27 +153,33 @@
 TLS: key exchanges / asymmetric crypto
 --------------------------------------
 
-- RSA: not covered
-- DHE-RSA: not covered
-- ECDHE-RSA: ECDHE computation client-side only
-- ECDHE-ECDSA:
-  - ECDHE computation client-side
-  - ECDSA verification both sides
-  - ECDSA signature (if using `mbedtls_pk_setup_opaque()`)
-- PSK: PSA-held keys using `mbedtls_ssl_conf_psk_opaque()`
-- DHE-PSK: not covered
-- RSA-PSK: not covered
-- ECDHE-PSK: not covered
-- ECDH-RSA: not covered
-- ECDH-ECDSA: not covered
-- ECJPAKE: not covered
+The following key exchanges are not covered at all:
+
+- RSA
+- DHE-RSA
+- DHE-PSK
+- RSA-PSK
+- ECDHE-PSK
+- ECDH-RSA
+- ECDH-ECDSA
+- ECJPAKE
+
+The following key exchanges are only partially covered:
+
+- ECDHE-RSA: RSA operations are not covered and, server-side, the ECDHE
+  operation isn't either
+- ECDHE-ECDSA: server-side, the ECDHE operation isn't covered. (ECDSA
+  signature generation is only covered if using `mbedtls_pk_setup_opaque()`.)
+
+PSK if covered when the application uses `mbedtls_ssl_conf_psk_opaque()` or
+`mbedtls_ssl_set_hs_psk_opaque()`.
 
 TLS: symmetric crypto
 ---------------------
 
 - some ciphers not supported via PSA yet: ARIA, Camellia, ChachaPoly (silent
   fallback to the legacy APIs)
-- the HMAC part of the CBC and NULL ciphersuites is not covered
+- the HMAC part of the CBC and NULL ciphersuites
 - the HMAC computation in `ssl_cookie.c`
 
 X.509
@@ -181,6 +187,6 @@
 
 - most hash operations are still done via the legacy API, except the few that
   are documented above as using PSA
-- RSA PKCS#1 v1.5 signature generation (from PSA-held keys): not covered
-- RSA PKCS#1 v1.5 signature verification: not covered
-- RSA-PSS signature verification: not covered
+- RSA PKCS#1 v1.5 signature generation (from PSA-held keys)
+- RSA PKCS#1 v1.5 signature verification
+- RSA-PSS signature verification