From 68608b23177faf654dc3d774122b478d7a5d0a06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 11:51:39 +0100 Subject: [PATCH 1/8] Remove redundant helper macros in check_config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b21135686a..40936cd49e 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -281,23 +281,8 @@ #error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites" #endif -/* Helpers for hash dependencies, will be undefined at the end of the file */ -/* Do SHA-256, 384, 512 to cover Entropy and TLS. */ -#if defined(MBEDTLS_SHA256_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256)) -#define MBEDTLS_MD_HAVE_SHA256 -#endif -#if defined(MBEDTLS_SHA384_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384)) -#define MBEDTLS_MD_HAVE_SHA384 -#endif -#if defined(MBEDTLS_SHA512_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512)) -#define MBEDTLS_MD_HAVE_SHA512 -#endif - #if defined(MBEDTLS_ENTROPY_C) && \ - !(defined(MBEDTLS_MD_HAVE_SHA512) || defined(MBEDTLS_MD_HAVE_SHA256)) + !(defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA256)) #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_ENTROPY_C) && \ @@ -305,12 +290,12 @@ #error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high" #endif #if defined(MBEDTLS_ENTROPY_C) && \ - (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_HAVE_SHA512)) \ + (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_CAN_SHA512)) \ && defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32) #error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high" #endif #if defined(MBEDTLS_ENTROPY_C) && \ - defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_HAVE_SHA256) + defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_CAN_SHA256) #error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites" #endif @@ -471,7 +456,7 @@ /* Use of EC J-PAKE in TLS requires SHA-256. */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - !defined(MBEDTLS_MD_HAVE_SHA256) + !defined(MBEDTLS_MD_CAN_SHA256) #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif @@ -975,7 +960,7 @@ #endif #else /* MBEDTLS_USE_PSA_CRYPTO */ #if !defined(MBEDTLS_MD_C) || \ - !(defined(MBEDTLS_MD_HAVE_SHA256) || defined(MBEDTLS_MD_HAVE_SHA384)) + !(defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA384)) #error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites" #endif #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -1220,9 +1205,6 @@ /* Undefine helper symbols */ #undef MBEDTLS_PK_HAVE_JPAKE -#undef MBEDTLS_MD_HAVE_SHA256 -#undef MBEDTLS_MD_HAVE_SHA384 -#undef MBEDTLS_MD_HAVE_SHA512 #undef MBEDTLS_PK_HAVE_CURVE_SECP256R1 /* From 7eb3f9a5237e9b18ca1ec6df948b0a710b140151 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 11:56:54 +0100 Subject: [PATCH 2/8] Simplify and fix dependency of MD_C on a hash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Simplify: let's take advantage of the MD_CAN macros instead of doing it again ourselves. Fix: SHA-3 was forgotten. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 40936cd49e..7852859193 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -468,23 +468,19 @@ #error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" #endif -#if defined(MBEDTLS_MD_C) && !( \ - defined(MBEDTLS_MD5_C) || \ - defined(MBEDTLS_RIPEMD160_C) || \ - defined(MBEDTLS_SHA1_C) || \ - defined(MBEDTLS_SHA224_C) || \ - defined(MBEDTLS_SHA256_C) || \ - defined(MBEDTLS_SHA384_C) || \ - defined(MBEDTLS_SHA512_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && \ - (defined(PSA_WANT_ALG_MD5) || \ - defined(PSA_WANT_ALG_RIPEMD160) || \ - defined(PSA_WANT_ALG_SHA_1) || \ - defined(PSA_WANT_ALG_SHA_224) || \ - defined(PSA_WANT_ALG_SHA_256) || \ - defined(PSA_WANT_ALG_SHA_384) || \ - defined(PSA_WANT_ALG_SHA_512)))) -#error "MBEDTLS_MD_C defined, but not all prerequisites" +#if defined(MBEDTLS_MD_C) && \ + !defined(MBEDTLS_MD_CAN_MD5) && \ + !defined(MBEDTLS_MD_CAN_RIPEMD160) && \ + !defined(MBEDTLS_MD_CAN_SHA1) && \ + !defined(MBEDTLS_MD_CAN_SHA224) && \ + !defined(MBEDTLS_MD_CAN_SHA256) && \ + !defined(MBEDTLS_MD_CAN_SHA384) && \ + !defined(MBEDTLS_MD_CAN_SHA512) && \ + !defined(MBEDTLS_MD_CAN_SHA3_224) && \ + !defined(MBEDTLS_MD_CAN_SHA3_256) && \ + !defined(MBEDTLS_MD_CAN_SHA3_384) && \ + !defined(MBEDTLS_MD_CAN_SHA3_512) +#error "MBEDTLS_MD_C defined, but no hash algorithm" #endif #if defined(MBEDTLS_LMS_C) && \ From 49f64b4cac9a34405f16bcf9e4e20c7fa0ee3792 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:00:28 +0100 Subject: [PATCH 3/8] Fix dependency on low-level hash modules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit None of the TLS code is calling low-level hash functions directly. So the correct dependencies here are MD_CAN. (I checked and this was the only occurrence.) Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7852859193..8c8130bb91 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -461,11 +461,11 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ - !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ - ( !defined(MBEDTLS_SHA256_C) && \ - !defined(MBEDTLS_SHA512_C) && \ - !defined(MBEDTLS_SHA1_C) ) -#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ + !defined(MBEDTLS_MD_CAN_SHA256) && \ + !defined(MBEDTLS_MD_CAN_SHA512) && \ + !defined(MBEDTLS_MD_CAN_SHA1) +#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires SHA-512, SHA-256 or SHA-1". #endif #if defined(MBEDTLS_MD_C) && \ From 61758e606ea226c275d8c667e539c964ecc0dcfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:03:28 +0100 Subject: [PATCH 4/8] Fix wrong dependency of ECJPAKE_C MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It always uses MD now. (The "fall back" to PSA Crypto was only in the 1st iteration of driver-only hash support, before we changed the architecture to make everything go through MD.) Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 8c8130bb91..3be200d836 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -234,9 +234,8 @@ #endif #endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_ECJPAKE_C) && \ - ( !defined(MBEDTLS_ECP_C) || \ - !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) ) +#if defined(MBEDTLS_ECJPAKE_C) && \ + (!defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C)) #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" #endif From e1f3faf5bf920c7788f113b22f50096028360214 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:17:20 +0100 Subject: [PATCH 5/8] Remove temporary macros that are not needed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Those were only used for KEY_EXCHANGE_ECJPAKE, but had a much larger scope than needed. We actually don't need those macros if we distinguish between cases when expressing dependencies for this key exchange. The remaining helper macros are all short lived. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 53 +++++++++++----------------------- 1 file changed, 17 insertions(+), 36 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 3be200d836..1dcd903d25 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -300,13 +300,13 @@ #if defined(__has_feature) #if __has_feature(memory_sanitizer) -#define MBEDTLS_HAS_MEMSAN +#define MBEDTLS_HAS_MEMSAN // #undef at the end of this paragraph #endif #endif #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN) #error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer" #endif -#undef MBEDTLS_HAS_MEMSAN +#undef MBEDTLS_HAS_MEMSAN // temporary macro defined above #if defined(MBEDTLS_CCM_C) && \ !(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \ @@ -372,28 +372,6 @@ #error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites" #endif -/* Helper for JPAKE dependencies, will be undefined at the end of the file */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#if defined(PSA_WANT_ALG_JPAKE) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) -#define MBEDTLS_PK_HAVE_JPAKE -#endif -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_ECJPAKE_C) -#define MBEDTLS_PK_HAVE_JPAKE -#endif -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -/* Helper for curve SECP256R1 */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#if defined(PSA_WANT_ECC_SECP_R1_256) -#define MBEDTLS_PK_HAVE_CURVE_SECP256R1 -#endif -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) -#define MBEDTLS_PK_HAVE_CURVE_SECP256R1 -#endif -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \ ( !defined(MBEDTLS_CAN_ECDH) || \ !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) || \ @@ -447,11 +425,20 @@ #error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - ( !defined(MBEDTLS_PK_HAVE_JPAKE) || \ - !defined(MBEDTLS_PK_HAVE_CURVE_SECP256R1) ) +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + ( !defined(PSA_WANT_ALG_JPAKE) || \ + !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \ + !defined(PSA_WANT_ECC_SECP_R1_256) ) #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + ( !defined(MBEDTLS_ECJPAKE_C) || \ + !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ) +#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" +#endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Use of EC J-PAKE in TLS requires SHA-256. */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ @@ -1054,20 +1041,18 @@ #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites" #endif -#define MBEDTLS_THREADING_IMPL +#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph #endif - #if defined(MBEDTLS_THREADING_ALT) #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_ALT defined, but not all prerequisites" #endif -#define MBEDTLS_THREADING_IMPL +#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph #endif - #if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_C defined, single threading implementation required" #endif -#undef MBEDTLS_THREADING_IMPL +#undef MBEDTLS_THREADING_IMPL // temporary macro defined above #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C) #error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites" @@ -1198,10 +1183,6 @@ #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif -/* Undefine helper symbols */ -#undef MBEDTLS_PK_HAVE_JPAKE -#undef MBEDTLS_PK_HAVE_CURVE_SECP256R1 - /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the From 1463e49a3c2f2bdd7cac52964c0c0c599ef63d94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:28:30 +0100 Subject: [PATCH 6/8] Move config adjustment to config_adjust MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After this change, check_config.h does not have any #defined except: - the standard header double-inclusion guard - short-lived helpers that are #undef-ed in the same paragraph Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 14 ++------------ include/mbedtls/config_adjust_legacy_crypto.h | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1dcd903d25..1741d8b9c0 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -27,18 +27,8 @@ #if !defined(MBEDTLS_PLATFORM_C) #error "MBEDTLS_PLATFORM_C is required on Windows" #endif - -/* Fix the config here. Not convenient to put an #ifdef _WIN32 in mbedtls_config.h as - * it would confuse config.py. */ -#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \ - !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) -#define MBEDTLS_PLATFORM_SNPRINTF_ALT -#endif - -#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \ - !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) -#define MBEDTLS_PLATFORM_VSNPRINTF_ALT -#endif +/* See auto-enabling SNPRINTF_ALT and VSNPRINTF_ALT + * in * config_adjust_legacy_crypto.h */ #endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */ #if defined(TARGET_LIKE_MBED) && defined(MBEDTLS_NET_C) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 696266c6fb..6126a1e86f 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -22,6 +22,22 @@ #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H +/* Ideally, we'd set those as defaults in mbedtls_config.h, but + * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py. + * + * So, adjust it here. + * Not related to crypto, but this is the bottom of the stack. */ +#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900) +#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \ + !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) +#define MBEDTLS_PLATFORM_SNPRINTF_ALT +#endif +#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \ + !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) +#define MBEDTLS_PLATFORM_VSNPRINTF_ALT +#endif +#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */ + /* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin * in PSA. */ #if defined(MBEDTLS_PSA_CRYPTO_C) && \ From a6184b2cc88eeb018d6fb1b8c715f98345b00c16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:30:56 +0100 Subject: [PATCH 7/8] Remove redundant check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're already making sure of that in include/mbedtls/config_adjust_psa_superset_legacy.h - no need to double-check here. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 59 ---------------------------------- 1 file changed, 59 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1741d8b9c0..429bf3e80f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -44,65 +44,6 @@ #error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense" #endif -/* Check that each MBEDTLS_ECP_DP_xxx symbol has its PSA_WANT_ECC_xxx counterpart - * when PSA crypto is enabled. */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) || defined(MBEDTLS_PSA_CRYPTO_C) - -#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) -#error "MBEDTLS_ECP_DP_BP256R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) -#error "MBEDTLS_ECP_DP_BP384R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) -#error "MBEDTLS_ECP_DP_BP512R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && !defined(PSA_WANT_ECC_MONTGOMERY_255) -#error "MBEDTLS_ECP_DP_CURVE25519_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) && !defined(PSA_WANT_ECC_MONTGOMERY_448) -#error "MBEDTLS_ECP_DP_CURVE448_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_192) -#error "MBEDTLS_ECP_DP_SECP192R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_224) -#error "MBEDTLS_ECP_DP_SECP224R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_256) -#error "MBEDTLS_ECP_DP_SECP256R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_384) -#error "MBEDTLS_ECP_DP_SECP384R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_521) -#error "MBEDTLS_ECP_DP_SECP521R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_192) -#error "MBEDTLS_ECP_DP_SECP192K1_ENABLED defined, but not its PSA counterpart" -#endif - -/* SECP224K1 is buggy in PSA API so we skip this check */ -#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_224) -#error "MBEDTLS_ECP_DP_SECP224K1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_256) -#error "MBEDTLS_ECP_DP_SECP256K1_ENABLED defined, but not its PSA counterpart" -#endif - -#endif /* MBEDTLS_PSA_CRYPTO_CONFIG || MBEDTLS_PSA_CRYPTO_C */ - /* Limitations on ECC key types acceleration: if we have any of `PUBLIC_KEY`, * `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, `KEY_PAIR_EXPORT` then we must have * all 4 of them. From ac60afc2d295cc1d0ac2b46f3e04a1c5ea7ead7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 18:45:56 +0100 Subject: [PATCH 8/8] Remove useless overly strong dependency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ECJPAKE_C only needs MD_LIGHT and it allready auto-enables it in config_adjust_legacy_crypto.h, so nothing to check here. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 429bf3e80f..a7a346fe53 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -166,7 +166,7 @@ #endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_ECJPAKE_C) && \ - (!defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C)) + !defined(MBEDTLS_ECP_C) #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" #endif