TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9b811658a83d25e56336be5331dcfd5aa0556385 / . / include / mbedtls / config_adjust_legacy_crypto.h
blob: 4480b8caee6bd6a49db9387e9a3a239e9fe89ccb [file] [log] [blame]
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]1/**
2 * \file mbedtls/config_adjust_legacy_crypto.h
3 * \brief Adjust legacy configuration configuration
4 *
5 * Automatically enable certain dependencies. Generally, MBEDLTS_xxx
6 * configurations need to be explicitly enabled by the user: enabling
7 * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
8 * compilation error. However, we do automatically enable certain options
9 * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
10 * used to identify parts of a module that are used by other module, and we
11 * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
12 * Another case is if A didn't depend on B in earlier versions, and we
13 * want to use B in A but we need to preserve backward compatibility with
14 * configurations that explicitly activate MBEDTLS_xxx_A but not
15 * MBEDTLS_xxx_B.
16 */
17/*
18 * Copyright The Mbed TLS Contributors
19 * SPDX-License-Identifier: Apache-2.0
20 *
21 * Licensed under the Apache License, Version 2.0 (the "License"); you may
22 * not use this file except in compliance with the License.
23 * You may obtain a copy of the License at
24 *
25 * http://www.apache.org/licenses/LICENSE-2.0
26 *
27 * Unless required by applicable law or agreed to in writing, software
28 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
29 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
30 * See the License for the specific language governing permissions and
31 * limitations under the License.
32 */
33
34#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
35#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
36
Yanray Wang9b811652023-09-07 16:18:00 +0800[diff] [blame^]37/*
38 * ECB, CBC, XTS, KW modes require both ENCRYPT and DECRYPT directions.
39 * MBEDTLS_CIPHER_ENCRYPT_ONLY is only enabled when those modes
40 * are not requested via the PSA API and are not enabled in the legacy API.
41 *
42 * Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
43 */
44#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
45#if !defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
46 !defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
47 !defined(PSA_WANT_ALG_CBC_PKCS7) && \
48 !defined(MBEDTLS_CIPHER_MODE_CBC) && \
49 !defined(MBEDTLS_CIPHER_MODE_XTS) && \
50 !defined(MBEDTLS_NIST_KW_C)
51#define MBEDTLS_CIPHER_ENCRYPT_ONLY 1
52#endif
53#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
54
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]55/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
56 * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
57 */
58#if defined(MBEDTLS_MD_C)
59#define MBEDTLS_MD_LIGHT
60#endif
61
62/* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it
63 * in a previous release, to ensure backwards compatibility.
64 */
65#if defined(MBEDTLS_ECJPAKE_C) || \
66 defined(MBEDTLS_PEM_PARSE_C) || \
67 defined(MBEDTLS_ENTROPY_C) || \
68 defined(MBEDTLS_PK_C) || \
69 defined(MBEDTLS_PKCS12_C) || \
70 defined(MBEDTLS_RSA_C) || \
71 defined(MBEDTLS_SSL_TLS_C) || \
72 defined(MBEDTLS_X509_USE_C) || \
73 defined(MBEDTLS_X509_CREATE_C)
74#define MBEDTLS_MD_LIGHT
75#endif
76
77/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
78 * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
79 * for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
80 * some reason, then MBEDTLS_ECP_LIGHT should be enabled as well.
81 * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because
82 * these features are not supported in PSA so the only way to have them is
83 * to enable the built-in solution.
84 * Both of them are temporary dependencies:
85 * - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789
86 * - support for compressed points should also be added to PSA, but in this
87 * case there is no associated issue to track it yet.
88 * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
89 * still depends on ECP_LIGHT.
90 * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
91 * be fixed by #7453.
92 */
93#if defined(MBEDTLS_ECP_C) || \
94 defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
95 defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \
96 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
97#define MBEDTLS_ECP_LIGHT
98#endif
99
100/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in MbedTLS version 3.5, while
101 * in previous version compressed points were automatically supported as long
102 * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
103 * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
104 * are met. */
105#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C)
106#define MBEDTLS_PK_PARSE_EC_COMPRESSED
107#endif
108
109/* Helper symbol to state that there is support for ECDH, either through
110 * library implementation (ECDH_C) or through PSA. */
111#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
112 (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
113#define MBEDTLS_CAN_ECDH
114#endif
115
116/* PK module can achieve ECDSA functionalities by means of either software
117 * implementations (ECDSA_C) or through a PSA driver. The following defines
118 * are meant to list these capabilities in a general way which abstracts how
119 * they are implemented under the hood. */
120#if !defined(MBEDTLS_USE_PSA_CRYPTO)
121#if defined(MBEDTLS_ECDSA_C)
122#define MBEDTLS_PK_CAN_ECDSA_SIGN
123#define MBEDTLS_PK_CAN_ECDSA_VERIFY
124#endif /* MBEDTLS_ECDSA_C */
125#else /* MBEDTLS_USE_PSA_CRYPTO */
126#if defined(PSA_WANT_ALG_ECDSA)
127#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
128#define MBEDTLS_PK_CAN_ECDSA_SIGN
129#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
130#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
131#define MBEDTLS_PK_CAN_ECDSA_VERIFY
132#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
133#endif /* PSA_WANT_ALG_ECDSA */
134#endif /* MBEDTLS_USE_PSA_CRYPTO */
135
136#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
137#define MBEDTLS_PK_CAN_ECDSA_SOME
138#endif
139
140/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
141 * is defined as well to include all PSA code.
142 */
143#if defined(MBEDTLS_PSA_CRYPTO_C)
144#define MBEDTLS_PSA_CRYPTO_CLIENT
145#endif /* MBEDTLS_PSA_CRYPTO_C */
146
147/* The PK wrappers need pk_write functions to format RSA key objects
148 * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
149 * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */
150#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
151#define MBEDTLS_PK_C
152#define MBEDTLS_PK_WRITE_C
153#define MBEDTLS_PK_PARSE_C
154#endif
155
156/* Helper symbol to state that the PK module has support for EC keys. This
157 * can either be provided through the legacy ECP solution or through the
158 * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */
159#if defined(MBEDTLS_ECP_C) || \
160 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
161#define MBEDTLS_PK_HAVE_ECC_KEYS
162#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
163
164#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */