TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / HEAD / . / include / mbedtls / config_adjust_legacy_crypto.h
blob: 331ac9b2daae537822600974c05cf2b7413f3e4e [file] [log] [blame]
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]1/**
2 * \file mbedtls/config_adjust_legacy_crypto.h
3 * \brief Adjust legacy configuration configuration
4 *
Gilles Peskinee0ec8f52024-04-26 14:18:10 +0200[diff] [blame]5 * This is an internal header. Do not include it directly.
6 *
Wenxing Hou848bccf2024-06-19 11:04:13 +0800[diff] [blame]7 * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]8 * configurations need to be explicitly enabled by the user: enabling
9 * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
10 * compilation error. However, we do automatically enable certain options
11 * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
12 * used to identify parts of a module that are used by other module, and we
13 * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
14 * Another case is if A didn't depend on B in earlier versions, and we
15 * want to use B in A but we need to preserve backward compatibility with
16 * configurations that explicitly activate MBEDTLS_xxx_A but not
17 * MBEDTLS_xxx_B.
18 */
19/*
20 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]21 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]22 */
23
24#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
25#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
26
Gilles Peskine66b27422024-05-16 14:46:09 +0200[diff] [blame]27#if !defined(MBEDTLS_CONFIG_FILES_READ)
28#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
29 "up to and including runtime errors such as buffer overflows. " \
30 "If you're trying to fix a complaint from check_config.h, just remove " \
31 "it from your configuration file: since Mbed TLS 3.0, it is included " \
Gilles Peskined5377992024-05-29 09:33:04 +0200[diff] [blame]32 "automatically at the right point."
Gilles Peskine66b27422024-05-16 14:46:09 +0200[diff] [blame]33#endif /* */
34
Manuel Pégourié-Gonnard1463e492024-02-08 12:28:30 +0100[diff] [blame]35/* Ideally, we'd set those as defaults in mbedtls_config.h, but
36 * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py.
37 *
38 * So, adjust it here.
39 * Not related to crypto, but this is the bottom of the stack. */
40#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
41#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
42 !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
43#define MBEDTLS_PLATFORM_SNPRINTF_ALT
44#endif
45#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
46 !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
47#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
48#endif
49#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
50
Valerio Setti2c1de042024-09-13 16:45:07 +0200[diff] [blame]51/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
52 * is defined as well to include all PSA code.
53 */
54#if defined(MBEDTLS_PSA_CRYPTO_C)
55#define MBEDTLS_PSA_CRYPTO_CLIENT
56#endif /* MBEDTLS_PSA_CRYPTO_C */
57
Valerio Setti97726422023-12-28 09:55:09 +0100[diff] [blame]58/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
59 * in PSA. */
60#if defined(MBEDTLS_PSA_CRYPTO_C) && \
61 (defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
62 defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
63 defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
64 defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
65 defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
66 defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
67 defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
Valerio Setti6b2120f2024-05-24 14:37:05 +0200[diff] [blame]68 defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \
69 defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC))
Valerio Setti97726422023-12-28 09:55:09 +0100[diff] [blame]70#define MBEDTLS_CIPHER_C
71#endif
72
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]73/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
74 * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
75 */
76#if defined(MBEDTLS_MD_C)
77#define MBEDTLS_MD_LIGHT
78#endif
79
80/* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it
81 * in a previous release, to ensure backwards compatibility.
82 */
83#if defined(MBEDTLS_ECJPAKE_C) || \
84 defined(MBEDTLS_PEM_PARSE_C) || \
85 defined(MBEDTLS_ENTROPY_C) || \
86 defined(MBEDTLS_PK_C) || \
87 defined(MBEDTLS_PKCS12_C) || \
88 defined(MBEDTLS_RSA_C) || \
89 defined(MBEDTLS_SSL_TLS_C) || \
90 defined(MBEDTLS_X509_USE_C) || \
91 defined(MBEDTLS_X509_CREATE_C)
92#define MBEDTLS_MD_LIGHT
93#endif
94
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]95#if defined(MBEDTLS_MD_LIGHT)
96/*
97 * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
98 * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
99 * (see below).
100 * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
101 * via PSA (see below).
102 * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
103 * via a direct legacy call (see below).
104 *
105 * The md module performs an algorithm via PSA if there is a PSA hash
106 * accelerator and the PSA driver subsytem is initialized at the time the
107 * operation is started, and makes a direct legacy call otherwise.
108 */
109
110/* PSA accelerated implementations */
Valerio Setti460d2ee2024-09-17 11:40:40 +0200[diff] [blame]111#if defined(MBEDTLS_PSA_CRYPTO_C)
112
113#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
114#define MBEDTLS_MD_CAN_MD5
115#define MBEDTLS_MD_MD5_VIA_PSA
116#define MBEDTLS_MD_SOME_PSA
117#endif
118#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
119#define MBEDTLS_MD_CAN_SHA1
120#define MBEDTLS_MD_SHA1_VIA_PSA
121#define MBEDTLS_MD_SOME_PSA
122#endif
123#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
124#define MBEDTLS_MD_CAN_SHA224
125#define MBEDTLS_MD_SHA224_VIA_PSA
126#define MBEDTLS_MD_SOME_PSA
127#endif
128#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
129#define MBEDTLS_MD_CAN_SHA256
130#define MBEDTLS_MD_SHA256_VIA_PSA
131#define MBEDTLS_MD_SOME_PSA
132#endif
133#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
134#define MBEDTLS_MD_CAN_SHA384
135#define MBEDTLS_MD_SHA384_VIA_PSA
136#define MBEDTLS_MD_SOME_PSA
137#endif
138#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
139#define MBEDTLS_MD_CAN_SHA512
140#define MBEDTLS_MD_SHA512_VIA_PSA
141#define MBEDTLS_MD_SOME_PSA
142#endif
143#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
144#define MBEDTLS_MD_CAN_RIPEMD160
145#define MBEDTLS_MD_RIPEMD160_VIA_PSA
146#define MBEDTLS_MD_SOME_PSA
147#endif
148#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
149#define MBEDTLS_MD_CAN_SHA3_224
150#define MBEDTLS_MD_SHA3_224_VIA_PSA
151#define MBEDTLS_MD_SOME_PSA
152#endif
153#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
154#define MBEDTLS_MD_CAN_SHA3_256
155#define MBEDTLS_MD_SHA3_256_VIA_PSA
156#define MBEDTLS_MD_SOME_PSA
157#endif
158#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
159#define MBEDTLS_MD_CAN_SHA3_384
160#define MBEDTLS_MD_SHA3_384_VIA_PSA
161#define MBEDTLS_MD_SOME_PSA
162#endif
163#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
164#define MBEDTLS_MD_CAN_SHA3_512
165#define MBEDTLS_MD_SHA3_512_VIA_PSA
166#define MBEDTLS_MD_SOME_PSA
167#endif
168
169#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]170
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]171#if defined(PSA_WANT_ALG_MD5)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]172#define MBEDTLS_MD_CAN_MD5
173#define MBEDTLS_MD_MD5_VIA_PSA
174#define MBEDTLS_MD_SOME_PSA
175#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]176#if defined(PSA_WANT_ALG_SHA_1)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]177#define MBEDTLS_MD_CAN_SHA1
178#define MBEDTLS_MD_SHA1_VIA_PSA
179#define MBEDTLS_MD_SOME_PSA
180#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]181#if defined(PSA_WANT_ALG_SHA_224)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]182#define MBEDTLS_MD_CAN_SHA224
183#define MBEDTLS_MD_SHA224_VIA_PSA
184#define MBEDTLS_MD_SOME_PSA
185#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]186#if defined(PSA_WANT_ALG_SHA_256)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]187#define MBEDTLS_MD_CAN_SHA256
188#define MBEDTLS_MD_SHA256_VIA_PSA
189#define MBEDTLS_MD_SOME_PSA
190#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]191#if defined(PSA_WANT_ALG_SHA_384)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]192#define MBEDTLS_MD_CAN_SHA384
193#define MBEDTLS_MD_SHA384_VIA_PSA
194#define MBEDTLS_MD_SOME_PSA
195#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]196#if defined(PSA_WANT_ALG_SHA_512)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]197#define MBEDTLS_MD_CAN_SHA512
198#define MBEDTLS_MD_SHA512_VIA_PSA
199#define MBEDTLS_MD_SOME_PSA
200#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]201#if defined(PSA_WANT_ALG_RIPEMD160)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]202#define MBEDTLS_MD_CAN_RIPEMD160
203#define MBEDTLS_MD_RIPEMD160_VIA_PSA
204#define MBEDTLS_MD_SOME_PSA
205#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]206#if defined(PSA_WANT_ALG_SHA3_224)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]207#define MBEDTLS_MD_CAN_SHA3_224
208#define MBEDTLS_MD_SHA3_224_VIA_PSA
209#define MBEDTLS_MD_SOME_PSA
210#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]211#if defined(PSA_WANT_ALG_SHA3_256)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]212#define MBEDTLS_MD_CAN_SHA3_256
213#define MBEDTLS_MD_SHA3_256_VIA_PSA
214#define MBEDTLS_MD_SOME_PSA
215#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]216#if defined(PSA_WANT_ALG_SHA3_384)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]217#define MBEDTLS_MD_CAN_SHA3_384
218#define MBEDTLS_MD_SHA3_384_VIA_PSA
219#define MBEDTLS_MD_SOME_PSA
220#endif
Valerio Settic5163072024-09-13 10:55:22 +0200[diff] [blame]221#if defined(PSA_WANT_ALG_SHA3_512)
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]222#define MBEDTLS_MD_CAN_SHA3_512
223#define MBEDTLS_MD_SHA3_512_VIA_PSA
224#define MBEDTLS_MD_SOME_PSA
225#endif
Valerio Setti460d2ee2024-09-17 11:40:40 +0200[diff] [blame]226
227#endif /* !MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
Valerio Setti85d2a982023-10-06 16:04:49 +0200[diff] [blame]228
229/* Built-in implementations */
230#if defined(MBEDTLS_MD5_C)
231#define MBEDTLS_MD_CAN_MD5
232#define MBEDTLS_MD_SOME_LEGACY
233#endif
234#if defined(MBEDTLS_SHA1_C)
235#define MBEDTLS_MD_CAN_SHA1
236#define MBEDTLS_MD_SOME_LEGACY
237#endif
238#if defined(MBEDTLS_SHA224_C)
239#define MBEDTLS_MD_CAN_SHA224
240#define MBEDTLS_MD_SOME_LEGACY
241#endif
242#if defined(MBEDTLS_SHA256_C)
243#define MBEDTLS_MD_CAN_SHA256
244#define MBEDTLS_MD_SOME_LEGACY
245#endif
246#if defined(MBEDTLS_SHA384_C)
247#define MBEDTLS_MD_CAN_SHA384
248#define MBEDTLS_MD_SOME_LEGACY
249#endif
250#if defined(MBEDTLS_SHA512_C)
251#define MBEDTLS_MD_CAN_SHA512
252#define MBEDTLS_MD_SOME_LEGACY
253#endif
254#if defined(MBEDTLS_SHA3_C)
255#define MBEDTLS_MD_CAN_SHA3_224
256#define MBEDTLS_MD_CAN_SHA3_256
257#define MBEDTLS_MD_CAN_SHA3_384
258#define MBEDTLS_MD_CAN_SHA3_512
259#define MBEDTLS_MD_SOME_LEGACY
260#endif
261#if defined(MBEDTLS_RIPEMD160_C)
262#define MBEDTLS_MD_CAN_RIPEMD160
263#define MBEDTLS_MD_SOME_LEGACY
264#endif
265
266#endif /* MBEDTLS_MD_LIGHT */
267
Valerio Setti8bba0872023-12-12 11:49:02 +0100[diff] [blame]268/* BLOCK_CIPHER module can dispatch to PSA when:
269 * - PSA is enabled and drivers have been initialized
270 * - desired key type is supported on the PSA side
271 * If the above conditions are not met, but the legacy support is enabled, then
Valerio Setti2684e3f2023-12-13 16:53:02 +0100[diff] [blame]272 * BLOCK_CIPHER will dynamically fallback to it.
Valerio Setti4a5d57d2023-12-14 09:34:15 +0100[diff] [blame]273 *
274 * In case BLOCK_CIPHER is defined (see below) the following symbols/helpers
275 * can be used to define its capabilities:
276 * - MBEDTLS_BLOCK_CIPHER_SOME_PSA: there is at least 1 key type between AES,
277 * ARIA and Camellia which is supported through a driver;
278 * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_PSA: xxx key type is supported through a
279 * driver;
280 * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through
281 * a legacy module (i.e. MBEDTLS_xxx_C)
Valerio Setti8bba0872023-12-12 11:49:02 +0100[diff] [blame]282 */
Valerio Setti8bba0872023-12-12 11:49:02 +0100[diff] [blame]283#if defined(MBEDTLS_PSA_CRYPTO_C)
284#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
285#define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
286#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
287#endif
288#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
289#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
290#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
291#endif
292#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
293#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
294#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
295#endif
296#endif /* MBEDTLS_PSA_CRYPTO_C */
297
298#if defined(MBEDTLS_AES_C)
299#define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY
300#endif
301#if defined(MBEDTLS_ARIA_C)
302#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY
303#endif
304#if defined(MBEDTLS_CAMELLIA_C)
305#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY
306#endif
307
Valerio Setti4a5d57d2023-12-14 09:34:15 +0100[diff] [blame]308/* Helpers to state that BLOCK_CIPHER module supports AES, ARIA and/or Camellia
309 * block ciphers via either PSA or legacy. */
Valerio Setti8bba0872023-12-12 11:49:02 +0100[diff] [blame]310#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA) || \
311 defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY)
312#define MBEDTLS_BLOCK_CIPHER_CAN_AES
313#endif
314#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA) || \
315 defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY)
316#define MBEDTLS_BLOCK_CIPHER_CAN_ARIA
317#endif
318#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA) || \
319 defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY)
320#define MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA
321#endif
322
Valerio Setti4a5d57d2023-12-14 09:34:15 +0100[diff] [blame]323/* GCM_C and CCM_C can either depend on (in order of preference) BLOCK_CIPHER_C
324 * or CIPHER_C. The former is auto-enabled when:
325 * - CIPHER_C is not defined, which is also the legacy solution;
326 * - BLOCK_CIPHER_SOME_PSA because in this case BLOCK_CIPHER can take advantage
327 * of the driver's acceleration.
328 */
329#if (defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)) && \
330 (!defined(MBEDTLS_CIPHER_C) || defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA))
331#define MBEDTLS_BLOCK_CIPHER_C
332#endif
333
Valerio Settibfa675f2023-12-20 09:52:08 +0100[diff] [blame]334/* Helpers for GCM/CCM capabilities */
335#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_AES_C)) || \
336 (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_AES))
337#define MBEDTLS_CCM_GCM_CAN_AES
338#endif
339
340#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_ARIA_C)) || \
341 (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_ARIA))
342#define MBEDTLS_CCM_GCM_CAN_ARIA
343#endif
344
345#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_CAMELLIA_C)) || \
346 (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA))
347#define MBEDTLS_CCM_GCM_CAN_CAMELLIA
348#endif
349
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]350/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
351 * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
352 * for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
353 * some reason, then MBEDTLS_ECP_LIGHT should be enabled as well.
354 * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because
355 * these features are not supported in PSA so the only way to have them is
356 * to enable the built-in solution.
357 * Both of them are temporary dependencies:
358 * - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789
359 * - support for compressed points should also be added to PSA, but in this
360 * case there is no associated issue to track it yet.
361 * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
362 * still depends on ECP_LIGHT.
363 * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
364 * be fixed by #7453.
365 */
366#if defined(MBEDTLS_ECP_C) || \
367 defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
368 defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \
369 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
370#define MBEDTLS_ECP_LIGHT
371#endif
372
Valerio Setti11530fd2024-04-18 06:54:32 +0200[diff] [blame]373/* Backward compatibility: after #8740 the RSA module offers functions to parse
374 * and write RSA private/public keys without relying on the PK one. Of course
375 * this needs ASN1 support to do so, so we enable it here. */
376#if defined(MBEDTLS_RSA_C)
377#define MBEDTLS_ASN1_PARSE_C
378#define MBEDTLS_ASN1_WRITE_C
379#endif
380
Thomas Daubney540324c2023-10-06 17:07:24 +0100[diff] [blame]381/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]382 * in previous version compressed points were automatically supported as long
383 * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
384 * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
385 * are met. */
386#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C)
387#define MBEDTLS_PK_PARSE_EC_COMPRESSED
388#endif
389
390/* Helper symbol to state that there is support for ECDH, either through
391 * library implementation (ECDH_C) or through PSA. */
392#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
393 (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
394#define MBEDTLS_CAN_ECDH
395#endif
396
397/* PK module can achieve ECDSA functionalities by means of either software
398 * implementations (ECDSA_C) or through a PSA driver. The following defines
399 * are meant to list these capabilities in a general way which abstracts how
400 * they are implemented under the hood. */
401#if !defined(MBEDTLS_USE_PSA_CRYPTO)
402#if defined(MBEDTLS_ECDSA_C)
403#define MBEDTLS_PK_CAN_ECDSA_SIGN
404#define MBEDTLS_PK_CAN_ECDSA_VERIFY
405#endif /* MBEDTLS_ECDSA_C */
406#else /* MBEDTLS_USE_PSA_CRYPTO */
407#if defined(PSA_WANT_ALG_ECDSA)
408#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
409#define MBEDTLS_PK_CAN_ECDSA_SIGN
410#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
411#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
412#define MBEDTLS_PK_CAN_ECDSA_VERIFY
413#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
414#endif /* PSA_WANT_ALG_ECDSA */
415#endif /* MBEDTLS_USE_PSA_CRYPTO */
416
417#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
418#define MBEDTLS_PK_CAN_ECDSA_SOME
419#endif
420
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]421/* Helpers to state that each key is supported either on the builtin or PSA side. */
422#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]423#define MBEDTLS_ECP_HAVE_SECP521R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]424#endif
425#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]426#define MBEDTLS_ECP_HAVE_BP512R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]427#endif
428#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]429#define MBEDTLS_ECP_HAVE_CURVE448
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]430#endif
431#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]432#define MBEDTLS_ECP_HAVE_BP384R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]433#endif
434#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]435#define MBEDTLS_ECP_HAVE_SECP384R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]436#endif
437#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]438#define MBEDTLS_ECP_HAVE_BP256R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]439#endif
440#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]441#define MBEDTLS_ECP_HAVE_SECP256K1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]442#endif
443#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]444#define MBEDTLS_ECP_HAVE_SECP256R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]445#endif
446#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]447#define MBEDTLS_ECP_HAVE_CURVE25519
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]448#endif
449#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]450#define MBEDTLS_ECP_HAVE_SECP224K1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]451#endif
452#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]453#define MBEDTLS_ECP_HAVE_SECP224R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]454#endif
455#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]456#define MBEDTLS_ECP_HAVE_SECP192K1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]457#endif
458#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
Valerio Settidb6b4db2023-09-01 09:20:51 +0200[diff] [blame]459#define MBEDTLS_ECP_HAVE_SECP192R1
Valerio Setti67d82e72023-08-16 17:11:53 +0200[diff] [blame]460#endif
461
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]462/* Helper symbol to state that the PK module has support for EC keys. This
463 * can either be provided through the legacy ECP solution or through the
464 * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */
465#if defined(MBEDTLS_ECP_C) || \
466 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
467#define MBEDTLS_PK_HAVE_ECC_KEYS
468#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
469
Gilles Peskineca1e6052023-09-25 16:16:26 +0200[diff] [blame]470/* Historically pkparse did not check the CBC padding when decrypting
471 * a key. This was a bug, which is now fixed. As a consequence, pkparse
472 * now needs PKCS7 padding support, but existing configurations might not
473 * enable it, so we enable it here. */
474#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
475#define MBEDTLS_CIPHER_PADDING_PKCS7
476#endif
477
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]478/* Backwards compatibility for some macros which were renamed to reflect that
479 * they are related to Armv8, not aarch64. */
Dave Rodgmanc5861d52023-10-10 14:01:54 +0100[diff] [blame]480#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
Dave Rodgman5b89c552023-10-10 14:59:02 +0100[diff] [blame]481 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
482#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]483#endif
Dave Rodgman5b89c552023-10-10 14:59:02 +0100[diff] [blame]484#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
485#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]486#endif
Dave Rodgman94a634d2023-10-10 12:59:29 +0100[diff] [blame]487
Valerio Settif4d2dc22024-01-16 10:57:48 +0100[diff] [blame]488/* psa_util file features some ECDSA conversion functions, to convert between
489 * legacy's ASN.1 DER format and PSA's raw one. */
Sam Berry81a438b2024-07-12 14:42:08 +0100[diff] [blame]490#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
Valerio Settibcf0fc52024-01-26 14:53:28 +0100[diff] [blame]491 (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
Valerio Settif4d2dc22024-01-16 10:57:48 +0100[diff] [blame]492#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
493#endif
494
Wenxing Hou848bccf2024-06-19 11:04:13 +0800[diff] [blame]495/* Some internal helpers to determine which keys are available. */
Yanray Wang4ed86912023-11-16 15:20:56 +0800[diff] [blame]496#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
497 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
498#define MBEDTLS_SSL_HAVE_AES
499#endif
500#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
501 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
502#define MBEDTLS_SSL_HAVE_ARIA
503#endif
504#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
505 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
506#define MBEDTLS_SSL_HAVE_CAMELLIA
507#endif
508
Wenxing Hou848bccf2024-06-19 11:04:13 +0800[diff] [blame]509/* Some internal helpers to determine which operation modes are available. */
Yanray Wang4ed86912023-11-16 15:20:56 +0800[diff] [blame]510#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
511 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
512#define MBEDTLS_SSL_HAVE_CBC
513#endif
514
Valerio Settie5707042023-10-11 11:54:42 +0200[diff] [blame]515#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_GCM_C)) || \
516 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
517#define MBEDTLS_SSL_HAVE_GCM
518#endif
519
520#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CCM_C)) || \
521 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
522#define MBEDTLS_SSL_HAVE_CCM
523#endif
524
525#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CHACHAPOLY_C)) || \
526 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
527#define MBEDTLS_SSL_HAVE_CHACHAPOLY
528#endif
529
530#if defined(MBEDTLS_SSL_HAVE_GCM) || defined(MBEDTLS_SSL_HAVE_CCM) || \
531 defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
532#define MBEDTLS_SSL_HAVE_AEAD
533#endif
534
Gilles Peskine9d6a63b2023-09-04 17:49:07 +0200[diff] [blame]535#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */