TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 91aaba0172dfa1c740bc67a12bc201bad4cd509c / . / include / mbedtls / config_adjust_legacy_crypto.h
blob: 90b522a1e5eb11220b1ee7b26cafdccc6c1ddea2 [file] [log] [blame]
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]1/**
2 * \file mbedtls/config_adjust_legacy_crypto.h
3 * \brief Adjust legacy configuration configuration
4 *
5 * Automatically enable certain dependencies. Generally, MBEDLTS_xxx
6 * configurations need to be explicitly enabled by the user: enabling
7 * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
8 * compilation error. However, we do automatically enable certain options
9 * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
10 * used to identify parts of a module that are used by other module, and we
11 * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
12 * Another case is if A didn't depend on B in earlier versions, and we
13 * want to use B in A but we need to preserve backward compatibility with
14 * configurations that explicitly activate MBEDTLS_xxx_A but not
15 * MBEDTLS_xxx_B.
16 */
17/*
18 * Copyright The Mbed TLS Contributors
19 * SPDX-License-Identifier: Apache-2.0
20 *
21 * Licensed under the Apache License, Version 2.0 (the "License"); you may
22 * not use this file except in compliance with the License.
23 * You may obtain a copy of the License at
24 *
25 * http://www.apache.org/licenses/LICENSE-2.0
26 *
27 * Unless required by applicable law or agreed to in writing, software
28 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
29 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
30 * See the License for the specific language governing permissions and
31 * limitations under the License.
32 */
33
34#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
35#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
36
37/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
38 * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
39 */
40#if defined(MBEDTLS_MD_C)
41#define MBEDTLS_MD_LIGHT
42#endif
43
44/* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it
45 * in a previous release, to ensure backwards compatibility.
46 */
47#if defined(MBEDTLS_ECJPAKE_C) || \
48 defined(MBEDTLS_PEM_PARSE_C) || \
49 defined(MBEDTLS_ENTROPY_C) || \
50 defined(MBEDTLS_PK_C) || \
51 defined(MBEDTLS_PKCS12_C) || \
52 defined(MBEDTLS_RSA_C) || \
53 defined(MBEDTLS_SSL_TLS_C) || \
54 defined(MBEDTLS_X509_USE_C) || \
55 defined(MBEDTLS_X509_CREATE_C)
56#define MBEDTLS_MD_LIGHT
57#endif
58
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]59#if defined(MBEDTLS_MD_LIGHT)
60/*
61 * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
62 * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
63 * (see below).
64 * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
65 * via PSA (see below).
66 * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
67 * via a direct legacy call (see below).
68 *
69 * The md module performs an algorithm via PSA if there is a PSA hash
70 * accelerator and the PSA driver subsytem is initialized at the time the
71 * operation is started, and makes a direct legacy call otherwise.
72 */
73
74/* PSA accelerated implementations */
75#if defined(MBEDTLS_PSA_CRYPTO_C)
76
77#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
78#define MBEDTLS_MD_CAN_MD5
79#define MBEDTLS_MD_MD5_VIA_PSA
80#define MBEDTLS_MD_SOME_PSA
81#endif
82#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
83#define MBEDTLS_MD_CAN_SHA1
84#define MBEDTLS_MD_SHA1_VIA_PSA
85#define MBEDTLS_MD_SOME_PSA
86#endif
87#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
88#define MBEDTLS_MD_CAN_SHA224
89#define MBEDTLS_MD_SHA224_VIA_PSA
90#define MBEDTLS_MD_SOME_PSA
91#endif
92#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
93#define MBEDTLS_MD_CAN_SHA256
94#define MBEDTLS_MD_SHA256_VIA_PSA
95#define MBEDTLS_MD_SOME_PSA
96#endif
97#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
98#define MBEDTLS_MD_CAN_SHA384
99#define MBEDTLS_MD_SHA384_VIA_PSA
100#define MBEDTLS_MD_SOME_PSA
101#endif
102#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
103#define MBEDTLS_MD_CAN_SHA512
104#define MBEDTLS_MD_SHA512_VIA_PSA
105#define MBEDTLS_MD_SOME_PSA
106#endif
107#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
108#define MBEDTLS_MD_CAN_RIPEMD160
109#define MBEDTLS_MD_RIPEMD160_VIA_PSA
110#define MBEDTLS_MD_SOME_PSA
111#endif
112#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
113#define MBEDTLS_MD_CAN_SHA3_224
114#define MBEDTLS_MD_SHA3_224_VIA_PSA
115#define MBEDTLS_MD_SOME_PSA
116#endif
117#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
118#define MBEDTLS_MD_CAN_SHA3_256
119#define MBEDTLS_MD_SHA3_256_VIA_PSA
120#define MBEDTLS_MD_SOME_PSA
121#endif
122#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
123#define MBEDTLS_MD_CAN_SHA3_384
124#define MBEDTLS_MD_SHA3_384_VIA_PSA
125#define MBEDTLS_MD_SOME_PSA
126#endif
127#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
128#define MBEDTLS_MD_CAN_SHA3_512
129#define MBEDTLS_MD_SHA3_512_VIA_PSA
130#define MBEDTLS_MD_SOME_PSA
131#endif
132#endif /* MBEDTLS_PSA_CRYPTO_C */
133
134/* Built-in implementations */
135#if defined(MBEDTLS_MD5_C)
136#define MBEDTLS_MD_CAN_MD5
137#define MBEDTLS_MD_SOME_LEGACY
138#endif
139#if defined(MBEDTLS_SHA1_C)
140#define MBEDTLS_MD_CAN_SHA1
141#define MBEDTLS_MD_SOME_LEGACY
142#endif
143#if defined(MBEDTLS_SHA224_C)
144#define MBEDTLS_MD_CAN_SHA224
145#define MBEDTLS_MD_SOME_LEGACY
146#endif
147#if defined(MBEDTLS_SHA256_C)
148#define MBEDTLS_MD_CAN_SHA256
149#define MBEDTLS_MD_SOME_LEGACY
150#endif
151#if defined(MBEDTLS_SHA384_C)
152#define MBEDTLS_MD_CAN_SHA384
153#define MBEDTLS_MD_SOME_LEGACY
154#endif
155#if defined(MBEDTLS_SHA512_C)
156#define MBEDTLS_MD_CAN_SHA512
157#define MBEDTLS_MD_SOME_LEGACY
158#endif
159#if defined(MBEDTLS_SHA3_C)
160#define MBEDTLS_MD_CAN_SHA3_224
161#define MBEDTLS_MD_CAN_SHA3_256
162#define MBEDTLS_MD_CAN_SHA3_384
163#define MBEDTLS_MD_CAN_SHA3_512
164#define MBEDTLS_MD_SOME_LEGACY
165#endif
166#if defined(MBEDTLS_RIPEMD160_C)
167#define MBEDTLS_MD_CAN_RIPEMD160
168#define MBEDTLS_MD_SOME_LEGACY
169#endif
170
171#endif /* MBEDTLS_MD_LIGHT */
172
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]173/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
174 * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
175 * for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
176 * some reason, then MBEDTLS_ECP_LIGHT should be enabled as well.
177 * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because
178 * these features are not supported in PSA so the only way to have them is
179 * to enable the built-in solution.
180 * Both of them are temporary dependencies:
181 * - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789
182 * - support for compressed points should also be added to PSA, but in this
183 * case there is no associated issue to track it yet.
184 * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
185 * still depends on ECP_LIGHT.
186 * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
187 * be fixed by #7453.
188 */
189#if defined(MBEDTLS_ECP_C) || \
190 defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
191 defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \
192 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
193#define MBEDTLS_ECP_LIGHT
194#endif
195
Thomas Daubney540324c2023-10-06 17:07:24 +0100[diff] [blame]196/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]197 * in previous version compressed points were automatically supported as long
198 * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
199 * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
200 * are met. */
201#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C)
202#define MBEDTLS_PK_PARSE_EC_COMPRESSED
203#endif
204
205/* Helper symbol to state that there is support for ECDH, either through
206 * library implementation (ECDH_C) or through PSA. */
207#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
208 (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
209#define MBEDTLS_CAN_ECDH
210#endif
211
212/* PK module can achieve ECDSA functionalities by means of either software
213 * implementations (ECDSA_C) or through a PSA driver. The following defines
214 * are meant to list these capabilities in a general way which abstracts how
215 * they are implemented under the hood. */
216#if !defined(MBEDTLS_USE_PSA_CRYPTO)
217#if defined(MBEDTLS_ECDSA_C)
218#define MBEDTLS_PK_CAN_ECDSA_SIGN
219#define MBEDTLS_PK_CAN_ECDSA_VERIFY
220#endif /* MBEDTLS_ECDSA_C */
221#else /* MBEDTLS_USE_PSA_CRYPTO */
222#if defined(PSA_WANT_ALG_ECDSA)
223#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
224#define MBEDTLS_PK_CAN_ECDSA_SIGN
225#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
226#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
227#define MBEDTLS_PK_CAN_ECDSA_VERIFY
228#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
229#endif /* PSA_WANT_ALG_ECDSA */
230#endif /* MBEDTLS_USE_PSA_CRYPTO */
231
232#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
233#define MBEDTLS_PK_CAN_ECDSA_SOME
234#endif
235
236/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
237 * is defined as well to include all PSA code.
238 */
239#if defined(MBEDTLS_PSA_CRYPTO_C)
240#define MBEDTLS_PSA_CRYPTO_CLIENT
241#endif /* MBEDTLS_PSA_CRYPTO_C */
242
243/* The PK wrappers need pk_write functions to format RSA key objects
244 * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
245 * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */
246#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
247#define MBEDTLS_PK_C
248#define MBEDTLS_PK_WRITE_C
249#define MBEDTLS_PK_PARSE_C
250#endif
251
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]252/* Helpers to state that each key is supported either on the builtin or PSA side. */
253#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]254#define MBEDTLS_ECP_HAVE_SECP521R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]255#endif
256#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]257#define MBEDTLS_ECP_HAVE_BP512R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]258#endif
259#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]260#define MBEDTLS_ECP_HAVE_CURVE448
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]261#endif
262#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]263#define MBEDTLS_ECP_HAVE_BP384R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]264#endif
265#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]266#define MBEDTLS_ECP_HAVE_SECP384R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]267#endif
268#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]269#define MBEDTLS_ECP_HAVE_BP256R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]270#endif
271#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]272#define MBEDTLS_ECP_HAVE_SECP256K1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]273#endif
274#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]275#define MBEDTLS_ECP_HAVE_SECP256R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]276#endif
277#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]278#define MBEDTLS_ECP_HAVE_CURVE25519
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]279#endif
280#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]281#define MBEDTLS_ECP_HAVE_SECP224K1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]282#endif
283#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]284#define MBEDTLS_ECP_HAVE_SECP224R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]285#endif
286#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]287#define MBEDTLS_ECP_HAVE_SECP192K1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]288#endif
289#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]290#define MBEDTLS_ECP_HAVE_SECP192R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]291#endif
292
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]293/* Helper symbol to state that the PK module has support for EC keys. This
294 * can either be provided through the legacy ECP solution or through the
295 * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */
296#if defined(MBEDTLS_ECP_C) || \
297 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
298#define MBEDTLS_PK_HAVE_ECC_KEYS
299#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
300
Gilles Peskineca1e6052023-09-25 16:16:26 +0200[diff] [blame]301/* Historically pkparse did not check the CBC padding when decrypting
302 * a key. This was a bug, which is now fixed. As a consequence, pkparse
303 * now needs PKCS7 padding support, but existing configurations might not
304 * enable it, so we enable it here. */
305#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
306#define MBEDTLS_CIPHER_PADDING_PKCS7
307#endif
308
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]309/* Backwards compatibility for some macros which were renamed to reflect that
310 * they are related to Armv8, not aarch64. */
Dave Rodgmanc5861d52023-10-10 14:01:54 +0100[diff] [blame]311#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
Dave Rodgman5b89c552023-10-10 14:59:02 +0100[diff] [blame]312 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
313#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]314#endif
Dave Rodgman5b89c552023-10-10 14:59:02 +0100[diff] [blame]315#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
316#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]317#endif
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]318
Valerio Settie5707042023-10-11 11:54:42 +0200[diff] [blame]319#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_GCM_C)) || \
320 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
321#define MBEDTLS_SSL_HAVE_GCM
322#endif
323
324#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CCM_C)) || \
325 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
326#define MBEDTLS_SSL_HAVE_CCM
327#endif
328
329#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CHACHAPOLY_C)) || \
330 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
331#define MBEDTLS_SSL_HAVE_CHACHAPOLY
332#endif
333
334#if defined(MBEDTLS_SSL_HAVE_GCM) || defined(MBEDTLS_SSL_HAVE_CCM) || \
335 defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
336#define MBEDTLS_SSL_HAVE_AEAD
337#endif
338
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]339#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */