From 0dd31fe523f4031ace63e4d847bb896dc06db6fc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 10 Sep 2025 09:37:46 +0200 Subject: [PATCH 01/10] Introduce MBEDTLS_SSL_NULL_CIPHERSUITES The support for TLS ciphersuites without encryption does not rely anymore on the MBEDTLS_CIPHER_NULL_CIPHER feature of the cipher module. Introduce a specific config option to enable these ciphersuites and use it instead of MBEDTLS_CIPHER_NULL_CIPHER. Signed-off-by: Ronald Cron --- ChangeLog.d/mbedtls-ssl-null-ciphersuites.txt | 4 +++ include/mbedtls/mbedtls_config.h | 12 +++++++ library/ssl_ciphersuites.c | 12 +++---- library/ssl_misc.h | 2 +- tests/scripts/components-configuration-tls.sh | 14 ++++---- tests/suites/test_suite_ssl.data | 32 +++++++++---------- tests/suites/test_suite_ssl_decrypt.function | 2 +- 7 files changed, 47 insertions(+), 31 deletions(-) create mode 100644 ChangeLog.d/mbedtls-ssl-null-ciphersuites.txt diff --git a/ChangeLog.d/mbedtls-ssl-null-ciphersuites.txt b/ChangeLog.d/mbedtls-ssl-null-ciphersuites.txt new file mode 100644 index 0000000000..a1312d0cb4 --- /dev/null +++ b/ChangeLog.d/mbedtls-ssl-null-ciphersuites.txt @@ -0,0 +1,4 @@ +API changes + * Add MBEDTLS_SSL_NULL_CIPHERSUITES configuration option. It enables + TLS 1.2 ciphersuites without encryption and is disabled by default. + This new option replaces MBEDTLS_CIPHER_NULL_CIPHER. diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index f11bcb3fb0..e79911428a 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -191,6 +191,18 @@ * \{ */ +/** + * \def MBEDTLS_SSL_NULL_CIPHERSUITES + * + * Enable ciphersuites without encryption. + * + * Warning: Only do so when you know what you are doing. This allows for + * channels without any encryption. All data are transmitted in clear. + * + * Uncomment this macro to enable the NULL ciphersuites + */ +//#define MBEDTLS_SSL_NULL_CIPHERSUITES + /** * \def MBEDTLS_DEBUG_C * 
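Review bot: The new `MBEDTLS_SSL_NULL_CIPHERSUITES` doc block in mbedtls_config.h warns that data is sent in clear but omits the scope a deployer needs: the ChangeLog entry and the ciphersuite table entries both limit these suites to TLS 1.2, and the table pairs `MBEDTLS_CIPHER_NULL` with a hash and flags each entry `MBEDTLS_CIPHERSUITE_WEAK`. I would add a line such as `* Applies to TLS 1.2 only; records keep their MAC but have no confidentiality.` and, like the neighbouring key-exchange options, list the suites the macro enables. The block should also say whether defining the macro puts these suites in the default offered list or whether the application must select them explicitly, which is not visible in this patch. The closing sentence `Uncomment this macro to enable the NULL ciphersuites` is missing its final period.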
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 39826eee66..6027b7f3c4 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -325,14 +325,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* PSA_WANT_ALG_GCM */ #endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ -#if defined(MBEDTLS_CIPHER_NULL_CIPHER) +#if defined(MBEDTLS_SSL_NULL_CIPHERSUITES) #if defined(PSA_WANT_ALG_SHA_1) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* PSA_WANT_ALG_SHA_1 */ -#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ +#endif /* MBEDTLS_SSL_NULL_CIPHERSUITES */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) @@ -415,14 +415,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* PSA_WANT_ALG_GCM */ #endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ -#if defined(MBEDTLS_CIPHER_NULL_CIPHER) +#if defined(MBEDTLS_SSL_NULL_CIPHERSUITES) #if defined(PSA_WANT_ALG_SHA_1) { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* PSA_WANT_ALG_SHA_1 */ -#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ +#endif /* MBEDTLS_SSL_NULL_CIPHERSUITES */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 
@@ -591,7 +591,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* PSA_WANT_KEY_TYPE_AES */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_CIPHER_NULL_CIPHER) +#if defined(MBEDTLS_SSL_NULL_CIPHERSUITES) #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #if defined(PSA_WANT_ALG_SHA_1) { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA", @@ -637,7 +637,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* PSA_WANT_ALG_SHA_384 */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ -#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ +#endif /* MBEDTLS_SSL_NULL_CIPHERSUITES */ #if defined(PSA_WANT_KEY_TYPE_ARIA) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index ed3c4a776f..9f7ab7f7e4 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -279,7 +279,7 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type); /* This macro determines whether a ciphersuite using a * stream cipher can be used. */ -#if defined(MBEDTLS_CIPHER_NULL_CIPHER) +#if defined(MBEDTLS_SSL_NULL_CIPHERSUITES) #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM #endif diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index e9f2666d3f..9efc7b2af6 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh 
@@ -61,8 +61,8 @@ component_test_tls1_2_default_stream_cipher_only () {
 scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
+ # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_SSL_NULL_CIPHERSUITES))
+ scripts/config.py set MBEDTLS_SSL_NULL_CIPHERSUITES
 # Modules that depend on AEAD
 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
 scripts/config.py unset MBEDTLS_SSL_TICKET_C
@@ -89,8 +89,8 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
 scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING
 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
+ # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_SSL_NULL_CIPHERSUITES))
+ scripts/config.py unset MBEDTLS_SSL_NULL_CIPHERSUITES
 # Modules that depend on AEAD
 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
 scripts/config.py unset MBEDTLS_SSL_TICKET_C
@@ -118,8 +118,8 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_SSL_NULL_CIPHERSUITES)) + scripts/config.py unset MBEDTLS_SSL_NULL_CIPHERSUITES # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C @@ -368,7 +368,7 @@ component_test_when_no_ciphersuites_have_mac () { scripts/config.py unset PSA_WANT_ALG_CMAC scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + scripts/config.py unset MBEDTLS_SSL_NULL_CIPHERSUITES make diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 6c5e718c60..897f90d787 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -1693,35 +1693,35 @@ depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:PSA_WANT_KEY_TYPE_CAMELLIA:MBEDTLS_SSL
 ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0

 Record crypt, NULL cipher, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, NULL cipher, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, ChachaPoly
@@ -2565,35 +2565,35 @@ depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:PSA_WANT_KEY_TYPE_CAMELLIA:MBEDTLS_SSL
 ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0

 Record crypt, little space, NULL cipher, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, little space, NULL cipher, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, little space, NULL cipher, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, little space, NULL cipher, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, little space, NULL cipher, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1
+depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0

 Record crypt, little space, NULL cipher, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1:MBEDTLS_SSL_ENCRYPT_THEN_MAC +depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_1:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0 Record crypt, little space, NULL cipher, 1.2, MD5 -depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5 +depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0 Record crypt, little space, NULL cipher, 1.2, MD5, EtM -depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC +depends_on:MBEDTLS_SSL_NULL_CIPHERSUITES:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0 SSL TLS 1.3 Key schedule: Secret evolution #1 diff --git a/tests/suites/test_suite_ssl_decrypt.function b/tests/suites/test_suite_ssl_decrypt.function index 37265def88..7a22939eb4 100644 --- a/tests/suites/test_suite_ssl_decrypt.function +++ b/tests/suites/test_suite_ssl_decrypt.function @@ -13,7 +13,7 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CIPHER_NULL_CIPHER */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_NULL_CIPHERSUITES */ void ssl_decrypt_null(int hash_id) { mbedtls_ssl_transform transform_in, transform_out; From 2b7f59535ff319a61a82acdf80806ac9c9018f6c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 14:03:35 +0200 Subject: [PATCH 02/10] Remove completely MBEDTLS_PLATFORM_GET_ENTROPY_ALT Signed-off-by: Ronald Cron --- scripts/config.py | 1 - tests/scripts/analyze_outcomes.py | 2 -- 2 files changed, 3 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index e60d1606f1..6c4cc151d6 100755 
--- a/scripts/config.py +++ b/scripts/config.py @@ -120,7 +120,6 @@ def is_seamless_alt(name): an implementation of the relevant functions and an xxx_alt.h header. """ if name in ( - 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT', 'MBEDTLS_PLATFORM_GMTIME_R_ALT', 'MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT', 'MBEDTLS_PLATFORM_MS_TIME_ALT', diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 8660e68942..88c450fc86 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -124,8 +124,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # Untested platform-specific optimizations. # https://github.com/Mbed-TLS/mbedtls/issues/9588 'Config: MBEDTLS_HAVE_SSE2', - # Obsolete config option that we are about to remove - 'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT', # Untested aspect of the platform interface. # https://github.com/Mbed-TLS/mbedtls/issues/9589 'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', From 919a1e4e223a45b10971d8c49b2815a57cadf084 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 14:39:26 +0200 Subject: [PATCH 03/10] Cleanup following the removal of RSA legacy options Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 1 - scripts/config.py | 2 +- tests/scripts/components-configuration-crypto.sh | 3 +-- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e79911428a..2bfe4d66d0 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -266,7 +266,6 @@ * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. * * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH - * MBEDTLS_RSA_C * PSA_WANT_ALG_RSA_PKCS1V15_SIGN * MBEDTLS_X509_CRT_PARSE_C * diff --git a/scripts/config.py b/scripts/config.py index 6c4cc151d6..175b73cf7f 100755 --- a/scripts/config.py +++ b/scripts/config.py 
@@ -4,7 +4,7 @@ Basic usage, to read the Mbed TLS configuration: config = CombinedConfigFile() - if 'MBEDTLS_RSA_C' in config: print('RSA is enabled') + if 'MBEDTLS_SSL_TLS_C' in config: print('TLS is enabled') """ ## Copyright The Mbed TLS Contributors diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 29e86c34d6..6dab8b6a78 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1491,8 +1491,7 @@ component_test_new_psa_want_key_pair_symbol () { # Start from crypto configuration scripts/config.py crypto - # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_PKCS1_V15 + # Remove RSA dependencies scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT From a19ee2819ec8c88ed86d65a737ff9a8488b3e30c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 18:25:06 +0200 Subject: [PATCH 04/10] Cleanup following the removal of MBEDTLS_ECDH_C option Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 6 +++--- tests/scripts/components-configuration-crypto.sh | 8 -------- tests/scripts/components-configuration-tls.sh | 4 ---- tests/scripts/depends.py | 2 +- 4 files changed, 4 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2bfe4d66d0..118a9631c4 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -223,7 +223,7 @@ * * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH + * Requires: PSA_WANT_ALG_ECDH * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA * MBEDTLS_X509_CRT_PARSE_C * 
@@ -247,7 +247,7 @@ * * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH + * Requires: PSA_WANT_ALG_ECDH * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -265,7 +265,7 @@ * * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. * - * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH + * Requires: PSA_WANT_ALG_ECDH * PSA_WANT_ALG_RSA_PKCS1V15_SIGN * MBEDTLS_X509_CRT_PARSE_C * diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 6dab8b6a78..8ed678bc40 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -610,9 +610,6 @@ component_test_psa_crypto_config_accel_ecdh () { $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" - # Disable the module that's accelerated - scripts/config.py unset MBEDTLS_ECDH_C - # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -739,7 +736,6 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { # Disable modules that are accelerated - some will be re-enabled scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C @@ -803,7 +799,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { # Disable modules that are accelerated - some will be re-enabled scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C 
@@ -915,7 +910,6 @@ config_psa_crypto_config_ecp_light_only () { if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C fi @@ -1009,7 +1003,6 @@ config_psa_crypto_no_ecp_at_all () { if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C @@ -1124,7 +1117,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 9efc7b2af6..323f98ec1c 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -438,7 +438,6 @@ component_test_tls13_only_psk () { scripts/config.py unset PSA_WANT_DH_RFC7919_6144 scripts/config.py unset PSA_WANT_DH_RFC7919_8192 # Note: The four unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -475,8 +474,6 @@ component_test_tls13_only_ephemeral_ffdh () { scripts/config.py set MBEDTLS_TEST_HOOKS scripts/config.py unset PSA_WANT_ALG_ECDH - # Note: The unset below is to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDH_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 
@@ -531,7 +528,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () { scripts/config.py unset PSA_WANT_ALG_RSA_OAEP scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index ad78c26e1c..755585d83e 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -283,7 +283,7 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ECDSA_C'], 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC': [ 'PSA_WANT_ALG_ECDSA', - 'PSA_WANT_ALG_ECDH', 'MBEDTLS_ECDH_C', + 'PSA_WANT_ALG_ECDH', 'PSA_WANT_ALG_JPAKE', 'PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY', 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT', From 3c6bbddfd4daf349c360827d215ca78714a5625d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 18:28:06 +0200 Subject: [PATCH 05/10] Cleanup following the removal of MBEDTLS_ECDSA_C option Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 4 ++-- tests/scripts/components-configuration-crypto.sh | 9 --------- tests/scripts/components-configuration-tls.sh | 8 -------- tests/scripts/depends.py | 3 +-- tests/scripts/test_config_checks.py | 4 ---- tests/suites/test_suite_x509parse.function | 2 +- 6 files changed, 4 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 118a9631c4..96521224d5 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -224,7 +224,7 @@ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. * * Requires: PSA_WANT_ALG_ECDH - * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA + * PSA_WANT_ALG_ECDSA * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are 
@@ -799,7 +799,7 @@ * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH * MBEDTLS_X509_CRT_PARSE_C * and at least one of: - * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA + * PSA_WANT_ALG_ECDSA * PSA_WANT_ALG_RSA_PSS * * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 8ed678bc40..51f813d16e 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -433,7 +433,6 @@ component_test_everest () { component_test_everest_curve25519_only () { msg "build: Everest ECDH context, only Curve25519" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH @@ -569,9 +568,6 @@ component_test_psa_crypto_config_accel_ecdsa () { $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" - # Disable the module that's accelerated - scripts/config.py unset MBEDTLS_ECDSA_C - # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED @@ -735,7 +731,6 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { $(helper_get_psa_curve_list)" # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C @@ -798,7 +793,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { scripts/config.py unset MBEDTLS_PK_WRITE_C # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C 
@@ -909,7 +903,6 @@ config_psa_crypto_config_ecp_light_only () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C fi @@ -1002,7 +995,6 @@ config_psa_crypto_no_ecp_at_all () { if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C @@ -1116,7 +1108,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 323f98ec1c..d69b5853c7 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -437,8 +437,6 @@ component_test_tls13_only_psk () { scripts/config.py unset PSA_WANT_DH_RFC7919_4096 scripts/config.py unset PSA_WANT_DH_RFC7919_6144 scripts/config.py unset PSA_WANT_DH_RFC7919_8192 - # Note: The four unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDSA_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -499,8 +497,6 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py unset PSA_WANT_ALG_RSA_OAEP scripts/config.py unset PSA_WANT_ALG_RSA_PSS - # Note: The two unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDSA_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 
@@ -527,8 +523,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () { scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py unset PSA_WANT_ALG_RSA_OAEP scripts/config.py unset PSA_WANT_ALG_RSA_PSS - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDSA_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -553,8 +547,6 @@ component_test_tls13_only_psk_all () { scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py unset PSA_WANT_ALG_RSA_OAEP scripts/config.py unset PSA_WANT_ALG_RSA_PSS - # Note: The two unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_ECDSA_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 755585d83e..347634cdff 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -279,8 +279,7 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], 'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - 'MBEDTLS_ECDSA_C'], + 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC': [ 'PSA_WANT_ALG_ECDSA', 'PSA_WANT_ALG_ECDH', diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index 540144923e..7403f7ebdb 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py @@ -43,7 +43,6 @@ class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): self.bad_case(''' #undef PSA_WANT_ALG_ECDSA #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA - #undef MBEDTLS_ECDSA_C ''', ''' #if defined(PSA_WANT_ALG_ECDSA) 
@@ -52,9 +51,6 @@ class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA) #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected #endif - #if defined(MBEDTLS_ECDSA_C) - #error MBEDTLS_ECDSA_C unexpected - #endif ''', error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index f813cc1ac3..ccd85378b8 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -655,7 +655,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:PSA_WANT_ALG_ECDSA */ void x509_verify_restart(char *crt_file, char *ca_file, int result, int flags_result, int max_ops, int min_restart, int max_restart) From 2ad1e5c1a2f9e755c1c6199d51a00c96b64760d9 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 18:30:07 +0200 Subject: [PATCH 06/10] Cleanup following the removal of MBEDTLS_ECJPAKE_C option Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 2 +- tests/scripts/components-configuration-crypto.sh | 9 --------- tests/scripts/depends.py | 3 +-- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 96521224d5..828c0f38dc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -293,7 +293,7 @@ * Thread v1.0.0 specification; incompatible changes to the specification * might still happen. For this reason, this is disabled by default. * - * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE + * Requires: PSA_WANT_ALG_JPAKE * PSA_WANT_ALG_SHA_256 * MBEDTLS_ECP_DP_SECP256R1_ENABLED * 
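Review bot: The guard left in this `bad_case` snippet of test_config_checks.py tests `PSA_WANT_ALG_DETERMINSTIC_ECDSA`, which drops the `I` after `DETERMIN` compared with the `#undef PSA_WANT_ALG_DETERMINISTIC_ECDSA` in the hunk just above, so that `#error` can never fire and the test does not prove the option is actually off. Since this commit already edits the block, the two context lines should become `#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)` and `#error PSA_WANT_ALG_DETERMINISTIC_ECDSA unexpected`. The enclosing test method starts and ends outside the hunk.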
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 51f813d16e..3e066d4dc7 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -438,7 +438,6 @@ component_test_everest_curve25519_only () { scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE # Disable all curves @@ -690,7 +689,6 @@ component_test_psa_crypto_config_accel_pake () { $(helper_get_psa_curve_list)" # Make built-in fallback not available - scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED # Build @@ -731,7 +729,6 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { $(helper_get_psa_curve_list)" # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C # Disable all curves - those that aren't accelerated should be re-enabled @@ -793,7 +790,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { scripts/config.py unset MBEDTLS_PK_WRITE_C # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C # Disable all curves - those that aren't accelerated should be re-enabled @@ -903,7 +899,6 @@ config_psa_crypto_config_ecp_light_only () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C fi 
@@ -994,8 +989,6 @@ config_psa_crypto_no_ecp_at_all () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then - # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C fi @@ -1107,8 +1100,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then - # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C # Also disable bignum diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 347634cdff..5d2efc724d 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -297,8 +297,7 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED', 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED', 'MBEDTLS_ECP_C'], - 'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C', - 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + 'PSA_WANT_ALG_JPAKE': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS', 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN', From 6cfab2880a59f435214761fa2510d9226a6915c4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 18:32:29 +0200 Subject: [PATCH 07/10] Cleanup following the removal of MBEDTLS_ECP_C option Signed-off-by: Ronald Cron --- .../scripts/components-configuration-crypto.sh | 17 ----------------- tests/scripts/depends.py | 3 +-- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 3e066d4dc7..860371d6fb 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -728,9 +728,6 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { KEY_TYPE_ECC_KEY_PAIR_EXPORT \ $(helper_get_psa_curve_list)" - # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECP_C - # Disable all curves - those that aren't accelerated should be re-enabled helper_disable_builtin_curves @@ -789,9 +786,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECP_C - # Disable all curves - those that aren't accelerated should be re-enabled helper_disable_builtin_curves @@ -897,10 +891,6 @@ config_psa_crypto_config_ecp_light_only () { driver_only="$1" # start with config full for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" - if [ "$driver_only" -eq 1 ]; then - # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECP_C - fi # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues @@ -988,11 +978,6 @@ config_psa_crypto_no_ecp_at_all () { # start with full config for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" - if [ "$driver_only" -eq 1 ]; then - # Disable ECP module (entirely) - scripts/config.py unset MBEDTLS_ECP_C - fi - # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED @@ -1100,8 +1085,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then - # Disable ECP module (entirely) - scripts/config.py unset MBEDTLS_ECP_C # Also disable bignum scripts/config.py unset MBEDTLS_BIGNUM_C fi 
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 5d2efc724d..7a7c75483a 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -295,8 +295,7 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED', - 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED', - 'MBEDTLS_ECP_C'], + 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED'], 'PSA_WANT_ALG_JPAKE': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS', 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'], From feb5e26619d0adac15e30e77aed57c7e23f3ebb0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 18:36:39 +0200 Subject: [PATCH 08/10] Cleanup following the removal of MBEDTLS_ECP_DP_.*_ENABLED options Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 2 +- library/ssl_misc.h | 6 +++--- programs/ssl/ssl_test_lib.c | 18 ++++++++-------- .../components-configuration-crypto.sh | 13 ++++++------ tests/scripts/depends.py | 21 +------------------ 5 files changed, 20 insertions(+), 40 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 828c0f38dc..b7a869ad72 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -295,7 +295,7 @@ * * Requires: PSA_WANT_ALG_JPAKE * PSA_WANT_ALG_SHA_256 - * MBEDTLS_ECP_DP_SECP256R1_ENABLED + * PSA_WANT_ECC_SECP_R1_256 * * This enables the following ciphersuites (if other requisites are * enabled as well): diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9f7ab7f7e4..5b852bdd19 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2346,15 +2346,15 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: break; -#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#endif /* PSA_WANT_ALG_SHA_256 && PSA_WANT_ECC_SECP_R1_256 */ #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: break; -#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ECC_SECP_R1_384 */ #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: break; -#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +#endif /* PSA_WANT_ALG_SHA_512 && PSA_WANT_ECC_SECP_R1_521 */ #endif /* PSA_HAVE_ALG_SOME_ECDSA */ #if defined(PSA_WANT_ALG_RSA_PSS) diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index 79d3059306..fcbc090500 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c 
@@ -470,47 +470,47 @@ static const struct { uint8_t is_supported; } tls_id_group_name_table[] = { -#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521) +#if defined(PSA_WANT_ECC_SECP_R1_521) { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384) +#if defined(PSA_WANT_ECC_SECP_R1_384) { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256) +#if defined(PSA_WANT_ECC_SECP_R1_256) { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256) +#if defined(PSA_WANT_ECC_SECP_K1_256) { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || 
defined(PSA_WANT_ECC_MONTGOMERY_255) +#if defined(PSA_WANT_ECC_MONTGOMERY_255) { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448) +#if defined(PSA_WANT_ECC_MONTGOMERY_448) { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448", 1 }, #else { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448", 0 }, diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 860371d6fb..ccb4a0bae3 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -433,17 +433,16 @@ component_test_everest () { component_test_everest_curve25519_only () { msg "build: Everest ECDH context, only Curve25519" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py set PSA_WANT_ALG_ECDH scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + scripts/config.py unset PSA_WANT_ALG_JPAKE # Disable all curves - scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255 + scripts/config.py unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" + scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 
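Review bot: Every `PSA_WANT_*` call in `component_test_everest_curve25519_only` loses its `-c $CRYPTO_CONFIG_H` argument, which is a separate change from dropping the `MBEDTLS_ECP_DP_*` line that the commit title describes, and nothing in the hunk checks that the edits still take effect. If `scripts/config.py` without `-c` did not reach the file that holds the `PSA_WANT_*` symbols (not visible here), the `unset` and `unset-all` calls might leave ECDSA and the other curves enabled, and the component would still pass while building a wider configuration than "only Curve25519". I would mention the dependency in the commit message and add a comment above the block, for example `# PSA_WANT_* symbols are resolved by config.py without -c`. The function body continues past the end of the hunk.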
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 7a7c75483a..11ee5a0680 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -257,26 +257,7 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], - # These reverse dependencies can be removed as part of issue - # tf-psa-crypto#364. - 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], - 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], - 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], - 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'], - 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE', - 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], - 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], - - # Support for secp224[k|r]1 was removed in tfpsacrypto#408 while - # secp192[k|r]1 were kept only for internal testing (hidden to the end - # user). We need to keep these reverse dependencies here until - # symbols are hidden/removed from crypto_config.h. - 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], - 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE'], 'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA', 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], From 4fe3760a27a376eada15b6fa489e4aba7afd2771 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Sep 2025 18:45:46 +0200 Subject: [PATCH 09/10] Cleanup following the removal of MBEDTLS_BIGNUM_C option 
Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 6 +++--- tests/scripts/components-configuration-crypto.sh | 5 ----- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index b7a869ad72..b1e30ab2d2 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1043,7 +1043,7 @@ * * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_PK_PARSE_C, * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, - * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C + * MBEDTLS_MD_C * * This module is required for the PKCS #7 parsing modules. */ @@ -1056,7 +1056,7 @@ * * Module: library/x509_create.c * - * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C, + * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_PK_PARSE_C * * \warning You must call psa_crypto_init() before doing any X.509 operation. * @@ -1188,7 +1188,7 @@ * library/x509_crt.c * library/x509_csr.c * - * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_PK_PARSE_C * * \warning You must call psa_crypto_init() before doing any X.509 operation. * diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index ccb4a0bae3..28fc189d0a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1083,11 +1083,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { # start with full config for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" - if [ "$driver_only" -eq 1 ]; then - # Also disable bignum - scripts/config.py unset MBEDTLS_BIGNUM_C - fi - # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED From 3091e40774837dfc25d475dce7a281296535d51e Mon Sep 17 00:00:00 2001 
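Review bot: The `Requires:` line for the `library/x509_create.c` module (hunk `@@ -1056,7`) does more than drop `MBEDTLS_BIGNUM_C`: it introduces `MBEDTLS_ASN1_WRITE_C` as a documented requirement, which the commit title does not cover. If that dependency is real, it should be enforced by the build-time configuration checks rather than only documented; whether it is cannot be seen from this hunk. In the first hunk of the same file, the context line `MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,` is missing a comma and could be fixed while the list is being edited: `* MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_X509_CRL_PARSE_C,`.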
From: Ronald Cron Date: Wed, 17 Sep 2025 16:02:09 +0200 Subject: [PATCH 10/10] Remove usage of old crypto options in public headers The remaining occurences were related to dead code. Signed-off-by: Ronald Cron --- include/mbedtls/debug.h | 10 ---------- include/mbedtls/x509.h | 4 ---- library/debug_internal.h | 4 +--- 3 files changed, 1 insertion(+), 17 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index c293e87315..bdfc597e0c 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -14,10 +14,6 @@ #include "mbedtls/ssl.h" -#if defined(MBEDTLS_ECP_C) -#include "mbedtls/private/ecp.h" -#endif - #if defined(MBEDTLS_DEBUG_C) #define MBEDTLS_DEBUG_STRIP_PARENS(...) __VA_ARGS__ @@ -32,11 +28,6 @@ #define MBEDTLS_SSL_DEBUG_BUF(level, text, buf, len) \ mbedtls_debug_print_buf(ssl, level, __FILE__, __LINE__, text, buf, len) -#if defined(MBEDTLS_BIGNUM_C) -#define MBEDTLS_SSL_DEBUG_MPI(level, text, X) \ - mbedtls_debug_print_mpi(ssl, level, __FILE__, __LINE__, text, X) -#endif - #if defined(MBEDTLS_X509_CRT_PARSE_C) #if !defined(MBEDTLS_X509_REMOVE_INFO) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) \ @@ -51,7 +42,6 @@ #define MBEDTLS_SSL_DEBUG_MSG(level, args) do { } while (0) #define MBEDTLS_SSL_DEBUG_RET(level, text, ret) do { } while (0) #define MBEDTLS_SSL_DEBUG_BUF(level, text, buf, len) do { } while (0) -#define MBEDTLS_SSL_DEBUG_MPI(level, text, X) do { } while (0) #define MBEDTLS_SSL_DEBUG_ECP(level, text, X) do { } while (0) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) do { } while (0) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index f76928aa10..8b6a1daee5 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -16,10 +16,6 @@ #include "mbedtls/asn1.h" #include "mbedtls/pk.h" -#if defined(MBEDTLS_RSA_C) -#include "mbedtls/private/rsa.h" -#endif - /** * \addtogroup x509_module * \{ diff --git a/library/debug_internal.h b/library/debug_internal.h index 3ffcee12bc..79a4c4540c 100644 
--- a/library/debug_internal.h +++ b/library/debug_internal.h @@ -73,9 +73,7 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, #if defined(MBEDTLS_BIGNUM_C) /** - * \brief Print a MPI variable to the debug output. This function is always - * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - * ssl context, file and line number parameters. + * \brief Print a MPI variable to the debug output. * * \param ssl SSL context * \param level error level of the debug message