Add config.h option MBEDTLS_PK_SINGLE_HASH
No effect for now, just declaring it here, implemented in subsequent commits.
The option requires MBEDTLS_USE_TINYCRYPT and is incompatible with
MBEDTLS_PK_RSA_ALT_SUPPORT and MBEDTLS_RSA_C.
Currently users (including the X.509 and SSL libraries) assume that if both PK
and RSA are enabled, then RSA is available through PK. If we allowed RSA to be
enabled together with PK_SINGLE_TYPE, we'd break that assumption. Going
through the code to find all place that rely on that assumption and fix them
would be cumbersome, and people who want PK_SINGLE_TYPE are unlikely to care
about RSA anyway, so let's just make them incompatible.
This is also consistent with what's done in the MD module: MD_SINGLE_HASH
requires that exactly one hash be enabled.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 96340e8..982c1b2 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -853,6 +853,18 @@
#undef MBEDTLS_HASHES_ENABLED
#endif /* MBEDTLS_MD_SINGLE_HASH */
+#if defined(MBEDTLS_PK_SINGLE_TYPE) && !defined(MBEDTLS_USE_TINYCRYPT)
+#error "MBEDTLS_PK_SINGLE_TYPE can only be used with MBEDTLS_USE_TINYCRYPT"
+#endif
+
+#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_PK_RSA_ALT_SUPPORT"
+#endif
+
+#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_RSA_C)
+#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_RSA_C"
+#endif
+
#if defined(MBEDTLS_THREADING_ALT)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f2daf32..1fca09a 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3840,6 +3840,17 @@
*/
//#define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
+/* Enable support for a single PK type in the PK layer.
+ *
+ * This is mainly intented to reduce code size on highly constrained system
+ * with large control over the set of algorithms they need to support. It will
+ * also reduce dynamic memory allocation.
+ *
+ * Currently this is only supported with EC keys in conjunction with the
+ * MBEDTLS_USE_TINYCRYPT option. Set this to MBEDTLS_PK_INFO_ECKEY to enable.
+ */
+//#define MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
+
/* \} SECTION: Compile-time SSL configuration */
/* Target and application specific configurations
diff --git a/include/mbedtls/pk_internal.h b/include/mbedtls/pk_internal.h
index 0fda01d..032d595 100644
--- a/include/mbedtls/pk_internal.h
+++ b/include/mbedtls/pk_internal.h
@@ -33,6 +33,9 @@
#include "pk.h"
+/* Dummy definition to keep check-names.sh happy - don't uncomment */
+//#define MBEDTLS_PK_INFO_ECKEY
+
struct mbedtls_pk_info_t
{
/** Public key type */