| Manuel Pégourié-Gonnard | c998e43 | 2022-09-15 12:26:32 +0200 | [diff] [blame] | 1 | Features |
| 2 | * Some crypto modules that previously depended on MD or a low-level hash |
| 3 | module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or |
| 4 | for some features (PEM for encrypted files), are now able to use PSA |
| 5 | Crypto instead when the legacy API is not available. This means it is |
| 6 | now possible to use all features from those modules in configurations |
| 7 | where the built-in implementations of hashes are excluded and the hashes |
| 8 | are only provided by PSA drivers. In these configurations, you need to |
| 9 | call `psa_crypto_init()` before you call any function from those |
| 10 | modules; this is not required in configurations where the built-in |
| 11 | implementation is still available. Note that some crypto modules and |
| 12 | features still depend on the built-in implementation of hashes: |
| 13 | MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it), |
| 14 | MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC. |
| 15 | In particular, for now, compiling without built-in hashes requires use |
| 16 | of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. |
| 17 | * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no |
| 18 | longer depend on MD. This means it is now possible to use them in |
| 19 | configurations where the built-in implementations of hashes are excluded |
| 20 | and the hashes are only provided by PSA drivers. |