From 3aee15b8e58ae223b3fe6f52134a6c067981b3b5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 11 Sep 2025 17:04:44 +0200 Subject: [PATCH 1/4] Declare psa_can_do_cipher() in a public header Integrators in a client-server architecture need to provide this function on the client side. Fixes mbedtls/issues#10341. Signed-off-by: Gilles Peskine --- include/psa/crypto_extra.h | 12 ++++++++++++ library/psa_crypto_core.h | 12 ------------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 70740901e1..d24911f18c 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -610,6 +610,18 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( */ int psa_can_do_hash(psa_algorithm_t hash_alg); +/** + * Tell if PSA is ready for this cipher. + * + * \note For now, only checks the state of the driver subsystem, + * not the algorithm. Might do more in the future. + * + * \param cipher_alg The cipher algorithm (ignored for now). + * + * \return 1 if the driver subsytem is ready, 0 otherwise. + */ +int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg); + /**@}*/ /** \addtogroup crypto_types diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index c3c0770142..ac92ea2b37 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -24,18 +24,6 @@ #include "mbedtls/threading.h" #endif -/** - * Tell if PSA is ready for this cipher. - * - * \note For now, only checks the state of the driver subsystem, - * not the algorithm. Might do more in the future. - * - * \param cipher_alg The cipher algorithm (ignored for now). - * - * \return 1 if the driver subsytem is ready, 0 otherwise. - */ -int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg); - typedef enum { PSA_SLOT_EMPTY = 0, PSA_SLOT_FILLING, From 447134b704bb1589da054e8bfb9800217353f556 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 11 Sep 2025 17:05:40 +0200 Subject: [PATCH 2/4] Announce psa_can_do_cipher() Signed-off-by: Gilles Peskine --- ChangeLog.d/psa_can_do_cipher.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/psa_can_do_cipher.txt diff --git a/ChangeLog.d/psa_can_do_cipher.txt b/ChangeLog.d/psa_can_do_cipher.txt new file mode 100644 index 0000000000..16598b636e --- /dev/null +++ b/ChangeLog.d/psa_can_do_cipher.txt @@ -0,0 +1,5 @@ +API changes + * When building the library as a PSA client (MBEDTLS_PSA_CRYPTO_CLIENT + enabled and MBEDTLS_PSA_CRYPTO_C disabled), you need to provide the + function psa_can_do_cipher() in addition to psa_can_do_hash(). This + changed was made in Mbed TLS 3.6.0 but was not announced then. From 6e1b66320a5cfd1c36c0caa86abed5dce896cc85 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 11 Sep 2025 18:34:29 +0200 Subject: [PATCH 3/4] Improve documentation Signed-off-by: Gilles Peskine --- include/psa/crypto_extra.h | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index d24911f18c..b36ec6f9b5 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -600,9 +600,10 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx * set and that psa_crypto_init has already been called. * - * \note When using Mbed TLS version of PSA core (i.e. MBEDTLS_PSA_CRYPTO_C is - * set) for now this function only checks the state of the driver - * subsystem, not the algorithm. This might be improved in the future. + * \note When using the built-in version of the PSA core (i.e. + * #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + * the state of the driver subsystem, not the algorithm. + * This might be improved in the future. * * \param hash_alg The hash algorithm. * @@ -613,12 +614,15 @@ int psa_can_do_hash(psa_algorithm_t hash_alg); /** * Tell if PSA is ready for this cipher. * - * \note For now, only checks the state of the driver subsystem, - * not the algorithm. Might do more in the future. + * \note When using the built-in version of the PSA core (i.e. + * #MBEDTLS_PSA_CRYPTO_C is set), for now, this function only checks + * the state of the driver subsystem, not the key type and algorithm. + * This might be improved in the future. * - * \param cipher_alg The cipher algorithm (ignored for now). + * \param key_type The key type. + * \param cipher_alg The cipher algorithm. * - * \return 1 if the driver subsytem is ready, 0 otherwise. + * \return 1 if the PSA can handle \p hash_alg, 0 otherwise. */ int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg); From 9a5444a3b80d8f45c6943b8cd9722fe27da80a6a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Sep 2025 11:24:12 +0200 Subject: [PATCH 4/4] Fix copypasta Signed-off-by: Gilles Peskine --- include/psa/crypto_extra.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index b36ec6f9b5..0e7898983b 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -622,7 +622,7 @@ int psa_can_do_hash(psa_algorithm_t hash_alg); * \param key_type The key type. * \param cipher_alg The cipher algorithm. * - * \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + * \return 1 if the PSA can handle \p cipher_alg, 0 otherwise. */ int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);