From 59c9ebfaae6010e019037792739885c2fb050fcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 09:59:54 +0100 Subject: [PATCH 01/10] ssl: rm useless private includes in public headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 7 ------- include/mbedtls/ssl_ciphersuites.h | 1 - 2 files changed, 8 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 02e527cdf5..6c86c57345 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -14,9 +14,6 @@ #include "mbedtls/build_info.h" -#include "mbedtls/private/bignum.h" -#include "mbedtls/private/ecp.h" - #include "mbedtls/ssl_ciphersuites.h" #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -26,10 +23,6 @@ #include "mbedtls/md.h" -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) -#include "mbedtls/private/ecdh.h" -#endif - #if defined(MBEDTLS_HAVE_TIME) #include "mbedtls/platform_time.h" #endif diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index dfd369416b..9af1e5a668 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -14,7 +14,6 @@ #include "mbedtls/build_info.h" #include "mbedtls/pk.h" -#include "mbedtls/private/cipher.h" #include "mbedtls/md.h" #ifdef __cplusplus From 53c511578a7eb6c305f9895009873a95a95a8c0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 10:03:20 +0100 Subject: [PATCH 02/10] x509: rm useless private include in public header MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/x509_crt.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 3352e3824a..9e607ad29a 100644 --- a/include/mbedtls/x509_crt.h 
+++ b/include/mbedtls/x509_crt.h @@ -15,7 +15,6 @@ #include "mbedtls/x509.h" #include "mbedtls/x509_crl.h" -#include "mbedtls/private/bignum.h" /** * \addtogroup x509_module From 4b663abecc3e62e68482750f11e25317544cfc91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 10:16:52 +0100 Subject: [PATCH 03/10] ssl: rm useless private includes in internal headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_ciphersuites_internal.h | 3 --- library/ssl_misc.h | 24 +----------------------- 2 files changed, 1 insertion(+), 26 deletions(-) diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h index 9a9b42b998..864e6bf6b7 100644 --- a/library/ssl_ciphersuites_internal.h +++ b/library/ssl_ciphersuites_internal.h @@ -11,9 +11,6 @@ #define MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H #include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #if defined(MBEDTLS_PK_C) mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 083a5adc31..9f9ed0bf70 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -19,35 +19,13 @@ #include "mbedtls/debug.h" #include "debug_internal.h" -#include "mbedtls/private/cipher.h" - #include "psa/crypto.h" -#include "psa_util_internal.h" +#include "psa_util_internal.h" // XXX: internal crypto header extern const mbedtls_error_pair_t psa_to_ssl_errors[7]; -#if defined(PSA_WANT_ALG_MD5) -#include "mbedtls/private/md5.h" -#endif - -#if defined(PSA_WANT_ALG_SHA_1) -#include "mbedtls/private/sha1.h" -#endif - -#if defined(PSA_WANT_ALG_SHA_256) -#include "mbedtls/private/sha256.h" -#endif - -#if defined(PSA_WANT_ALG_SHA_512) -#include "mbedtls/private/sha512.h" -#endif - #include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #include "ssl_ciphersuites_internal.h" #include "x509_internal.h" -#include "pk_internal.h" /* Shorthand for restartable ECC */ #if defined(MBEDTLS_ECP_RESTARTABLE) && \ From c53c43c2961ccbf172a041b9f51ddfeb26b3e9e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 10:20:53 +0100 Subject: [PATCH 04/10] x509: rm useless private includes in internal headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/x509_internal.h | 6 ++---- library/x509_oid.h | 3 --- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/library/x509_internal.h b/library/x509_internal.h index 5505b9778c..9bad6a2ad8 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -16,11 +16,9 @@ #include "mbedtls/x509.h" #include "mbedtls/asn1.h" -#include "pk_internal.h" -#if defined(MBEDTLS_RSA_C) -#include "mbedtls/private/rsa.h" -#endif +// XXX: internal crypto header - used for mbedtls_pk_load_file() +#include "pk_internal.h" int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur); diff --git a/library/x509_oid.h b/library/x509_oid.h index 0752953aac..5721d8586c 100644 
--- a/library/x509_oid.h +++ b/library/x509_oid.h @@ -13,9 +13,6 @@ #include "mbedtls/asn1.h" #include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #include "mbedtls/x509.h" #include From eab6d3276bd6fd07be3f1f4084514e30eb6172d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 10:26:28 +0100 Subject: [PATCH 05/10] ssl: rm useless private include in C file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls12_server.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 6b37a954d4..1917af3ab4 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -32,10 +32,6 @@ static int local_err_translation(psa_status_t status) #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) #endif -#if defined(MBEDTLS_ECP_C) -#include "mbedtls/private/ecp.h" -#endif - #if defined(MBEDTLS_HAVE_TIME) #include "mbedtls/platform_time.h" #endif From 411282d126afbb30856e010d0de599cb51736146 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 11:05:39 +0100 Subject: [PATCH 06/10] x509: rm useless private include in C file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/x509_crt.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index e6b9252859..e18dbe777e 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -35,9 +35,7 @@ #endif #include "psa/crypto.h" -#include "psa_util_internal.h" #include "mbedtls/psa_util.h" -#include "pk_internal.h" #include "mbedtls/platform.h" From d6551eaaa61f0411507c95c95896565418888dcc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Dec 2025 10:30:09 +0100 Subject: [PATCH 07/10] Add comment about internal crypto include MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Besides using an internal crypto header, error.h is arguably the wrong place: this file's docstring says it's about "Error to string translation", quite unrelated to the things we use from error_common.h. This is not surprising given the history, but no longer makes sense today. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/error.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index ee3d093c93..21707b1ca3 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -11,6 +11,10 @@ #define MBEDTLS_ERROR_H #include "mbedtls/build_info.h" +// XXX: internal crypto include, used for: +// - MBEDTLS_ERROR_ADD +// - MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED +// - possibly others (the above are just the first build errors) #include "mbedtls/private/error_common.h" #include From 3e6455d50ec0ee2fe9970e6a135c530fec3c9d5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 2 Dec 2025 12:00:34 +0100 Subject: [PATCH 08/10] Remove useless includes of psa_util_internal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Those in SSL modules were redundant because it's already included from ssl_misc.h. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 1 - library/ssl_tls.c | 1 - library/ssl_tls12_client.c | 1 - library/ssl_tls13_generic.c | 1 - library/x509write_crt.c | 1 - library/x509write_csr.c | 1 - 6 files changed, 6 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index e1198fa627..4430db993e 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -26,7 +26,6 @@ #include -#include "psa_util_internal.h" #include "psa/crypto.h" #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 550f79de29..ea5924c3c1 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -30,7 +30,6 @@ #include "mbedtls/psa_util.h" #include "md_psa.h" -#include "psa_util_internal.h" #include "psa/crypto.h" #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 4024c0014b..c4f75b63de 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -17,7 +17,6 @@ #include "mbedtls/error.h" #include "mbedtls/constant_time.h" -#include "psa_util_internal.h" #include "psa/crypto.h" #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) /* Define a local translating function to save code size by not using too many diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f8aca908c4..c7d3d48561 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -24,7 +24,6 @@ #include "ssl_debug_helpers.h" #include "psa/crypto.h" -#include "psa_util_internal.h" #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) /* Define a local translating function to save code size by not using too many diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e4cdd5064b..399c923097 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -32,7 +32,6 @@ #endif /* MBEDTLS_PEM_WRITE_C */ #include "psa/crypto.h" -#include "psa_util_internal.h" #include "mbedtls/psa_util.h" void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 0fac775106..8a81f7ee56 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -22,7 +22,6 @@ #include "mbedtls/platform_util.h" #include "psa/crypto.h" -#include "psa_util_internal.h" #include "mbedtls/psa_util.h" #include 
From ea5718721f4a3647b22523d05c93c1d3eacbcd08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 2 Dec 2025 12:06:39 +0100 Subject: [PATCH 09/10] Remove two more useless internal includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls12_server.c | 1 - library/x509write.c | 1 - 2 files changed, 2 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 1917af3ab4..1f4ac3ea79 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -15,7 +15,6 @@ #include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" -#include "constant_time_internal.h" #include "mbedtls/constant_time.h" #include diff --git a/library/x509write.c b/library/x509write.c index 0906a5a9d1..c038bdfcda 100644 --- a/library/x509write.c +++ b/library/x509write.c @@ -24,7 +24,6 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#include "md_psa.h" #define CHECK_OVERFLOW_ADD(a, b) \ do \ From 5341c8687773252ac3fd841ddd8c78ad4e1ecc9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 2 Dec 2025 12:35:20 +0100 Subject: [PATCH 10/10] Add comments for remaining internal includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/error.h | 8 +++----- library/ssl_misc.h | 2 +- library/ssl_msg.c | 2 +- library/ssl_tls.c | 2 +- library/x509_internal.h | 3 +-- 5 files changed, 7 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 21707b1ca3..738440398c 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h 
@@ -11,11 +11,9 @@ #define MBEDTLS_ERROR_H #include "mbedtls/build_info.h" -// XXX: internal crypto include, used for: -// - MBEDTLS_ERROR_ADD -// - MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -// - possibly others (the above are just the first build errors) -#include "mbedtls/private/error_common.h" +#include "mbedtls/private/error_common.h" // for MBEDTLS_ERROR_ADD + see below +// MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED +// MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED #include diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9f9ed0bf70..f8c03dfa2f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -20,7 +20,7 @@ #include "debug_internal.h" #include "psa/crypto.h" -#include "psa_util_internal.h" // XXX: internal crypto header +#include "psa_util_internal.h" // for mbedtls_error_pair_t, psa_status_to_mbedtls extern const mbedtls_error_pair_t psa_to_ssl_errors[7]; #include "mbedtls/pk.h" diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 4430db993e..d4b915aa74 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -21,7 +21,7 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" -#include "constant_time_internal.h" +#include "constant_time_internal.h" // for internal mbedtls_ct_xxx functions #include "mbedtls/constant_time.h" #include diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ea5924c3c1..36c6bf9586 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -29,7 +29,7 @@ #include #include "mbedtls/psa_util.h" -#include "md_psa.h" +#include "md_psa.h" // for mbedtls_md_error_from_psa() #include "psa/crypto.h" #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/library/x509_internal.h b/library/x509_internal.h index 9bad6a2ad8..ea3aeb6351 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h 
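Review bot: The justification for pulling a private header into the public `include/mbedtls/error.h` is split between a trailing comment ending in `+ see below` and two bare `// MBEDTLS_ERR_...` lines, so the link between them is easily lost by a reader or by a later edit that drops one of the lines. A single block comment above the include keeps the three symbols together and records that this is a public-to-private dependency: `/* Private crypto header reached from a public one; needed for MBEDTLS_ERROR_ADD, MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED and MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED. */`. Every consumer of `mbedtls/error.h` transitively sees `mbedtls/private/error_common.h`, so this list is also what a future cleanup would have to expose through a public header, which is why it is worth keeping exact and in one place.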
@@ -17,8 +17,7 @@ #include "mbedtls/x509.h" #include "mbedtls/asn1.h" -// XXX: internal crypto header - used for mbedtls_pk_load_file() -#include "pk_internal.h" +#include "pk_internal.h" // for a lot of things, including in SSL int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur);
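Review bot: The replacement comment `// for a lot of things, including in SSL` is less precise than the one it removes, which named `mbedtls_pk_load_file()`, and it leaves implicit that SSL sources appear to reach `pk_internal.h` only through this header now that patch 03 dropped the direct `#include "pk_internal.h"` from `library/ssl_misc.h` while keeping `#include "x509_internal.h"`. Naming both the local use and the transitive dependency makes it harder for a later cleanup of `x509_internal.h` to silently break the SSL build: `#include "pk_internal.h" // for mbedtls_pk_load_file() here; ssl_misc.h relies on reaching pk_internal.h via this header`. If the SSL dependency is meant to stay, restoring the direct include in `ssl_misc.h` with its own comment would be the more robust option than relying on the transitive path.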