Checking through the history in https://github.com/Mbed-TLS/mbedtls/pull/4589,
this seems to have been what we intended from the start. But we couldn't do
it yet because the library version was still 2.x while the config version
was already 3.0, so we temporarily commented out the definition in
1cafe5ce20. But then we forgot to uncomment
it during the release since it wasn't part of any process.
Thinking about it independently of the history, I think it makes more sense
to have it uncommented by default. That way, if someone copies the config
from a given version and then keeps it around, they'll get the compatibility
mode for that version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Since we're making incompatible changes to the configuration, we really
should advance the configuration version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The support for TLS ciphersuites without
encryption does not rely anymore on the
MBEDTLS_CIPHER_NULL_CIPHER feature of
the cipher module. Introduce a specific
config option to enable these ciphersuites
and use it instead of MBEDTLS_CIPHER_NULL_CIPHER.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Following the removal of the legacy hash, cipher,
CMAC, AEAD, and RSA configuration options in
TF-PSA-Crypto, update the "requires" comments that
referred to the removed options.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.
This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h
to control if the function mbedtls_ssl_export_keying_material() should
be available. By default, the option is disabled.
This is because the exporter for TLS 1.2 requires client_random and
server_random need to be stored after the handshake is complete.
Signed-off-by: Max Fillinger <max@max-fillinger.net>
This was the last occurrence found by:
git grep -c 'MBEDTLS_USE_PSA_CRYPTO' library include
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit, moves configuration entries that were not present
during the design-review.
It also updates the proposal accordingly.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Remove the configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED and all
code guarded by it. This remove support for the RSA-PSK key exchange in TLS
1.2.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This helps reducing heap memory usage and, if heap memory is
not used anywhere else in an embedded device, it also reduces
code footprint since there is no need for heap management code
in this case.
A new build symbol is added for this purpose, named
MBEDTLS_PSA_STATIC_KEY_SLOTS. It's disabled by default so that
normal usage of Mbed TLS library is not affected.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Gilles Peskine