mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-09-04 03:22:10 +03:00
Merge pull request #10004 from gilles-peskine-arm/doc-threading-needed-by-psa-3.6
Backport 3.6: Document PSA's need for threading
This commit is contained in:
Gilles Peskine
GitHub
@@ -1807,6 +1807,11 @@
|
|||||||
* running handshake hash) only use PSA crypto if
|
* running handshake hash) only use PSA crypto if
|
||||||
* #MBEDTLS_USE_PSA_CRYPTO is enabled.
|
* #MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||||||
*
|
*
|
||||||
|
* \note In multithreaded applications, you must also enable
|
||||||
|
* #MBEDTLS_THREADING_C, even if individual TLS contexts are not
|
||||||
|
* shared between threads, unless only one thread ever calls
|
||||||
|
* TLS functions.
|
||||||
|
*
|
||||||
* Uncomment this macro to enable the support for TLS 1.3.
|
* Uncomment this macro to enable the support for TLS 1.3.
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_SSL_PROTO_TLS1_3
|
#define MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
@@ -2125,6 +2130,10 @@
|
|||||||
* before calling any function from the SSL/TLS, X.509 or PK modules, except
|
* before calling any function from the SSL/TLS, X.509 or PK modules, except
|
||||||
* for the various mbedtls_xxx_init() functions which can be called at any time.
|
* for the various mbedtls_xxx_init() functions which can be called at any time.
|
||||||
*
|
*
|
||||||
|
* \warning In multithreaded applications, you must also enable
|
||||||
|
* #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions
|
||||||
|
* (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK.
|
||||||
|
*
|
||||||
* \note An important and desirable effect of this option is that it allows
|
* \note An important and desirable effect of this option is that it allows
|
||||||
* PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
|
* PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
|
||||||
* this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in
|
* this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in
|
||||||
@@ -3211,7 +3220,18 @@
|
|||||||
/**
|
/**
|
||||||
* \def MBEDTLS_PSA_CRYPTO_C
|
* \def MBEDTLS_PSA_CRYPTO_C
|
||||||
*
|
*
|
||||||
* Enable the Platform Security Architecture cryptography API.
|
* Enable the Platform Security Architecture (PSA) cryptography API.
|
||||||
|
*
|
||||||
|
* \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C,
|
||||||
|
* unless only one thread ever calls `psa_xxx()` functions.
|
||||||
|
* That includes indirect calls, such as:
|
||||||
|
* - performing a TLS handshake if support for TLS 1.3 is enabled;
|
||||||
|
* - using a TLS 1.3 connection;
|
||||||
|
* - indirect calls from PK, X.509 or SSL functions when
|
||||||
|
* #MBEDTLS_USE_PSA_CRYPTO is enabled;
|
||||||
|
* - indirect calls to calculate a hash when #MBEDTLS_MD_C is disabled;
|
||||||
|
* - any other call to a function that requires calling psa_crypto_init()
|
||||||
|
* beforehand.
|
||||||
*
|
*
|
||||||
* Module: library/psa_crypto.c
|
* Module: library/psa_crypto.c
|
||||||
*
|
*
|
||||||
@@ -3631,10 +3651,38 @@
|
|||||||
* \def MBEDTLS_THREADING_C
|
* \def MBEDTLS_THREADING_C
|
||||||
*
|
*
|
||||||
* Enable the threading abstraction layer.
|
* Enable the threading abstraction layer.
|
||||||
* By default Mbed TLS assumes it is used in a non-threaded environment or that
|
*
|
||||||
* contexts are not shared between threads. If you do intend to use contexts
|
* Traditionally, Mbed TLS assumes it is used in a non-threaded environment or
|
||||||
|
* that contexts are not shared between threads. If you do intend to use contexts
|
||||||
* between threads, you will need to enable this layer to prevent race
|
* between threads, you will need to enable this layer to prevent race
|
||||||
* conditions. See also our Knowledge Base article about threading:
|
* conditions.
|
||||||
|
*
|
||||||
|
* The PSA subsystem has an implicit shared context. Therefore, you must
|
||||||
|
* enable this option if more than one thread may use any part of
|
||||||
|
* Mbed TLS that is implemented on top of the PSA subsystem.
|
||||||
|
*
|
||||||
|
* You must enable this option in multithreaded applications where more than
|
||||||
|
* one thread performs any of the following operations:
|
||||||
|
*
|
||||||
|
* - Any call to a PSA function (`psa_xxx()`).
|
||||||
|
* - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`,
|
||||||
|
* `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`)
|
||||||
|
* if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual
|
||||||
|
* TLS, X.509 or PK contexts are shared between threads).
|
||||||
|
* - A TLS 1.3 connection, regardless of the compile-time configuration.
|
||||||
|
* - Any library feature that calculates a hash, if `MBEDTLS_MD_C` is disabled.
|
||||||
|
* As an exception, algorithm-specific low-level modules do not require
|
||||||
|
* threading protection unless the contexts are shared between threads.
|
||||||
|
* - Any library feature that performs symmetric encryption or decryption,
|
||||||
|
* if `MBEDTLS_CIPHER_C` is disabled.
|
||||||
|
* As an exception, algorithm-specific low-level modules do not require
|
||||||
|
* threading protection unless the contexts are shared between threads.
|
||||||
|
* - Any use of a cryptographic context if the same context is used in
|
||||||
|
* multiple threads.
|
||||||
|
* - Any call to a function where the documentation specifies that
|
||||||
|
* psa_crypto_init() must be called prior to that function.
|
||||||
|
*
|
||||||
|
* See also our Knowledge Base article about threading:
|
||||||
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
|
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
|
||||||
*
|
*
|
||||||
* Module: library/threading.c
|
* Module: library/threading.c
|
||||||
|
|||||||
Reference in New Issue
Block a user