Modify config option for SHA384.

Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.

check_config is the only module which enforces that SHA512 is
enabled together with SHA384.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>

include/mbedtls/check_config.h

@@ -618,8 +618,8 @@
 #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C)
-#error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C"
+#if defined(MBEDTLS_SHA384_C) && !defined(MBEDTLS_SHA512_C)
+#error "MBEDTLS_SHA384_C defined without MBEDTLS_SHA512_C"
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) ||     \

include/mbedtls/config.h

@@ -1449,16 +1449,15 @@
 //#define MBEDTLS_SHA512_SMALLER
 
 /**
- * \def MBEDTLS_SHA512_NO_SHA384
+ * \def MBEDTLS_SHA384_C
  *
- * Disable the SHA-384 option of the SHA-512 module. Use this to save some
- * code size on devices that don't use SHA-384.
+ * Enable the SHA-384 option of the SHA-512 module.
  *
  * Requires: MBEDTLS_SHA512_C
  *
- * Uncomment to disable SHA-384
+ * Comment to disable SHA-384
  */
-//#define MBEDTLS_SHA512_NO_SHA384
+#define MBEDTLS_SHA384_C
 
 /**
  * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
@@ -3125,7 +3124,7 @@
 /**
  * \def MBEDTLS_SHA512_C
  *
- * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
+ * Enable SHA-512 cryptographic hash algorithms.
  *
  * Module:  library/sha512.c
  * Caller:  library/entropy.c
@@ -3133,7 +3132,8 @@
  *          library/ssl_cli.c
  *          library/ssl_srv.c
  *
- * This module adds support for SHA-384 and SHA-512.
+ * This module adds support for SHA-512.
+ * This module is required for SHA-384.
  */
 #define MBEDTLS_SHA512_C
 

include/mbedtls/config_psa.h

@@ -159,7 +159,7 @@ extern "C" {
 
 #if defined(PSA_WANT_ALG_SHA_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
 #define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
-#define MBEDTLS_SHA512_C
+#define MBEDTLS_SHA384_C
 #endif
 
 #if defined(PSA_WANT_ALG_SHA_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
@@ -611,11 +611,12 @@ extern "C" {
 #define PSA_WANT_ALG_SHA_256 1
 #endif
 
-#if defined(MBEDTLS_SHA512_C)
-#if !defined(MBEDTLS_SHA512_NO_SHA384)
+#if defined(MBEDTLS_SHA384_C)
 #define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
 #define PSA_WANT_ALG_SHA_384 1
 #endif
+
+#if defined(MBEDTLS_SHA512_C)
 #define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
 #define PSA_WANT_ALG_SHA_512 1
 #endif

include/mbedtls/psa_util.h

@@ -142,9 +142,11 @@ static inline psa_algorithm_t mbedtls_psa_translate_md( mbedtls_md_type_t md_alg
     case MBEDTLS_MD_SHA256:
         return( PSA_ALG_SHA_256 );
 #endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA384_C)
     case MBEDTLS_MD_SHA384:
         return( PSA_ALG_SHA_384 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
     case MBEDTLS_MD_SHA512:
         return( PSA_ALG_SHA_512 );
 #endif

include/mbedtls/sha512.h

@@ -55,7 +55,7 @@ typedef struct mbedtls_sha512_context
     uint64_t total[2];          /*!< The number of Bytes processed. */
     uint64_t state[8];          /*!< The intermediate digest state. */
     unsigned char buffer[128];  /*!< The data block being processed. */
-#if !defined(MBEDTLS_SHA512_NO_SHA384)
+#if defined(MBEDTLS_SHA384_C)
     int is384;                  /*!< Determines which function to use:
                                      0: Use SHA-512, or 1: Use SHA-384. */
 #endif
@@ -101,8 +101,8 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
  * \param is384    Determines which function to use. This must be
  *                 either \c 0 for SHA-512, or \c 1 for SHA-384.
  *
- * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
- *                 be \c 0, or the function will return
+ * \note           When \c MBEDTLS_SHA384_C is not defined,
+ *                 \p is384 must be \c 0, or the function will return
  *                 #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
  *
  * \return         \c 0 on success.
@@ -175,8 +175,8 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
  * \param is384    Determines which function to use. This must be either
  *                 \c 0 for SHA-512, or \c 1 for SHA-384.
  *
- * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
- *                 be \c 0, or the function will return
+ * \note           When \c MBEDTLS_SHA384_C is defined, \p is384 must
+ *                 be \c 1, or the function will return
  *                 #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
  *
  * \return         \c 0 on success.