Define "light" subset of MD
See docs/architecture/psa-migration/md-cipher-dispatch.md
Regarding testing, the no_md component was never very useful, as that's
not something people are likely to want to do: it was mostly useful as
executable documentation of what depends on MD. It's going to be even
less useful when more and more modules auto-enable MD_LIGHT or even
MD_C. So, recycle it to test the build with only MD_LIGHT, which is
something that might happen in practice, and is necessary to ensure that
the division is consistent.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index bbfd5d4..bc94acf 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -80,6 +80,13 @@
#include MBEDTLS_USER_CONFIG_FILE
#endif
+/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
+ * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
+ */
+#if defined(MBEDTLS_MD_C)
+#define MBEDTLS_MD_LIGHT
+#endif
+
/* The PK wrappers need pk_write functions to format RSA key objects
* when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
* and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext().
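Review bot: Nothing visible in this diff rejects a configuration that defines MBEDTLS_MD_LIGHT on its own with none of the hash modules that the new mbedtls_config.h text lists under "Requires:"; the block added here only derives MD_LIGHT from MD_C. Unless the project's configuration sanity checks are updated in a file outside this view, such a build would presumably fail late, either as a break inside the library or as digest lookups that never find anything, rather than with a clear message. A compile-time guard would make the requirement enforceable: `#if defined(MBEDTLS_MD_LIGHT) && !defined(MBEDTLS_MD5_C) && /* ...remaining hash modules... */ !defined(MBEDTLS_SHA512_C)` followed by an `#error` naming the missing prerequisite.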
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 9ae51c9..41a007e 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -2643,7 +2643,7 @@
/**
* \def MBEDTLS_MD_C
*
- * Enable the generic message digest layer.
+ * Enable the generic layer for message digest (hashing) and HMAC.
*
* Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
* MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
@@ -2673,6 +2673,25 @@
#define MBEDTLS_MD_C
/**
+ * \def MBEDTLS_MD_LIGHT
+ *
+ * Enable the "light" subset of MBEDTLS_MD_C: just hashing and basic
+ * meta-data.
+ *
+ * This is automatically enabled whenever MBEDTLS_MD_C is enabled, but it is
+ * possible to enable this with MBEDTLS_MD_C if support for HMAC or extra
+ * metadata functions is not needed.
+ *
+ * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
+ * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
+ * MBEDTLS_SHA512_C.
+ * Module: library/md.c
+ *
+ * Uncomment to enabled the "light" subsect of MD.
+ */
+#define MBEDTLS_MD_LIGHT
+
+/**
* \def MBEDTLS_MD5_C
*
* Enable the MD5 hash algorithm.
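Review bot: The new MBEDTLS_MD_LIGHT description states the opposite of what is meant: "it is possible to enable this with MBEDTLS_MD_C if support for HMAC or extra metadata functions is not needed" should read `possible to enable this without MBEDTLS_MD_C if support for HMAC or extra`. The closing line has two typos and should be `Uncomment to enable the "light" subset of MD.`; since the `#define` below it is active, "Uncomment" also looks inconsistent with the option's default state. The md.h file-header hunk in this commit has the same kind of slips ("function in this modules", "controled", "hashing an accessing", "is it automatically set"); I would write `Availability of functions in this module is controlled by two feature macros` and `functions for hashing and accessing some hash metadata; it is automatically set`. Integrators read this text to decide whether HMAC is compiled in, so the with/without inversion is the one that matters most.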
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index bcf56a5..f9349e1 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@@ -1,7 +1,15 @@
/**
* \file md.h
*
- * \brief This file contains the generic message-digest wrapper.
+ * \brief This file contains the generic functions for message-digest
+ * (hashing) and HMAC.
+ *
+ * Availability of function in this modules is controled by two
+ * feature macros:
+ * - MBEDTLS_MD_C enables the whole module;
+ * - MBEDTLS_MD_LIGHT enables only functions for hashing an accessing
+ * some hash metadata; is it automatically set whenever MBEDTLS_MD_C
+ * is set.
*
* \author Adriaan de Jong <dejong@fox-it.com>
*/
@@ -107,6 +115,7 @@
void *MBEDTLS_PRIVATE(hmac_ctx);
} mbedtls_md_context_t;
+#if defined(MBEDTLS_MD_C)
/**
* \brief This function returns the list of digests supported by the
* generic digest module.
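Review bot: `mbedtls_md_context_t` keeps its `hmac_ctx` member in every build, but after this change the HMAC entry points exist only under MBEDTLS_MD_C, so the header no longer says what that member holds in an MBEDTLS_MD_LIGHT-only build. The struct begins above this hunk and the setup and free functions are not part of it, so whether a light-only build can still allocate that buffer (and must therefore still zeroize and free it) cannot be checked from here. I would add a comment on the member, for example `/* HMAC state; only meaningful when MBEDTLS_MD_C is enabled. */`, and confirm that the setup path either rejects or ignores an HMAC request when MBEDTLS_MD_C is off, documenting which in that function's Doxygen block.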
@@ -130,6 +139,7 @@
* \return NULL if the associated message-digest information is not found.
*/
const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name);
+#endif /* MBEDTLS_MD_C */
/**
* \brief This function returns the message-digest information
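Review bot: The Doxygen blocks of the functions now fenced by `#if defined(MBEDTLS_MD_C)` do not state that requirement, so a reader of the generated documentation cannot tell which calls disappear in an MBEDTLS_MD_LIGHT-only build. This applies to the pair closed by the `#endif` here (mbedtls_md_list, mbedtls_md_info_from_string) and equally to mbedtls_md_info_from_ctx, mbedtls_md_get_name, mbedtls_md_file and the HMAC functions in the later hunks. A one-line addition to each block would cover it, for example `\note This function is only available when MBEDTLS_MD_C is enabled.` The comment blocks themselves start or end outside the hunks shown, so the exact placement needs checking against the full file.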
@@ -142,6 +152,7 @@
*/
const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type);
+#if defined(MBEDTLS_MD_C)
/**
* \brief This function returns the message-digest information
* from the given context.
@@ -154,6 +165,7 @@
*/
const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
const mbedtls_md_context_t *ctx);
+#endif /* MBEDTLS_MD_C */
/**
* \brief This function initializes a message-digest context without
@@ -248,6 +260,7 @@
*/
mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info);
+#if defined(MBEDTLS_MD_C)
/**
* \brief This function extracts the message-digest name from the
* message-digest information structure.
@@ -258,6 +271,7 @@
* \return The name of the message digest.
*/
const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info);
+#endif /* MBEDTLS_MD_C */
/**
* \brief This function starts a message-digest computation.
@@ -337,7 +351,7 @@
int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
unsigned char *output);
-#if defined(MBEDTLS_FS_IO)
+#if defined(MBEDTLS_FS_IO) && defined(MBEDTLS_MD_C)
/**
* \brief This function calculates the message-digest checksum
* result of the contents of the provided file.
@@ -358,8 +372,9 @@
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path,
unsigned char *output);
-#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_FS_IO && MBEDTLS_MD_C */
+#if defined(MBEDTLS_MD_C)
/**
* \brief This function sets the HMAC key and prepares to
* authenticate a new message.
@@ -470,6 +485,7 @@
int mbedtls_md_hmac(const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
const unsigned char *input, size_t ilen,
unsigned char *output);
+#endif /* MBEDTLS_MD_C */
#ifdef __cplusplus
}