Mbed TLS v3.5.0
config_adjust_legacy_crypto.h
Go to the documentation of this file.
1 
17 /*
18  * Copyright The Mbed TLS Contributors
19  * SPDX-License-Identifier: Apache-2.0
20  *
21  * Licensed under the Apache License, Version 2.0 (the "License"); you may
22  * not use this file except in compliance with the License.
23  * You may obtain a copy of the License at
24  *
25  * http://www.apache.org/licenses/LICENSE-2.0
26  *
27  * Unless required by applicable law or agreed to in writing, software
28  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
29  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
30  * See the License for the specific language governing permissions and
31  * limitations under the License.
32  */
33 
34 #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
35 #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
36 
37 /* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
38  * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
39  */
40 #if defined(MBEDTLS_MD_C)
41 #define MBEDTLS_MD_LIGHT
42 #endif
43 
44 /* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it
45  * in a previous release, to ensure backwards compatibility.
46  */
47 #if defined(MBEDTLS_ECJPAKE_C) || \
48  defined(MBEDTLS_PEM_PARSE_C) || \
49  defined(MBEDTLS_ENTROPY_C) || \
50  defined(MBEDTLS_PK_C) || \
51  defined(MBEDTLS_PKCS12_C) || \
52  defined(MBEDTLS_RSA_C) || \
53  defined(MBEDTLS_SSL_TLS_C) || \
54  defined(MBEDTLS_X509_USE_C) || \
55  defined(MBEDTLS_X509_CREATE_C)
56 #define MBEDTLS_MD_LIGHT
57 #endif
58 
59 /* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
60  * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
61  * for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
62  * some reason, then MBEDTLS_ECP_LIGHT should be enabled as well.
63  * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because
64  * these features are not supported in PSA so the only way to have them is
65  * to enable the built-in solution.
66  * Both of them are temporary dependencies:
67  * - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789
68  * - support for compressed points should also be added to PSA, but in this
69  * case there is no associated issue to track it yet.
70  * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
71  * still depends on ECP_LIGHT.
72  * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
73  * be fixed by #7453.
74  */
75 #if defined(MBEDTLS_ECP_C) || \
76  defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
77  defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \
78  defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
79 #define MBEDTLS_ECP_LIGHT
80 #endif
81 
82 /* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in MbedTLS version 3.5, while
83  * in previous version compressed points were automatically supported as long
84  * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
85  * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
86  * are met. */
87 #if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C)
88 #define MBEDTLS_PK_PARSE_EC_COMPRESSED
89 #endif
90 
91 /* Helper symbol to state that there is support for ECDH, either through
92  * library implementation (ECDH_C) or through PSA. */
93 #if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
94  (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
95 #define MBEDTLS_CAN_ECDH
96 #endif
97 
98 /* PK module can achieve ECDSA functionalities by means of either software
99  * implementations (ECDSA_C) or through a PSA driver. The following defines
100  * are meant to list these capabilities in a general way which abstracts how
101  * they are implemented under the hood. */
102 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
103 #if defined(MBEDTLS_ECDSA_C)
104 #define MBEDTLS_PK_CAN_ECDSA_SIGN
105 #define MBEDTLS_PK_CAN_ECDSA_VERIFY
106 #endif /* MBEDTLS_ECDSA_C */
107 #else /* MBEDTLS_USE_PSA_CRYPTO */
108 #if defined(PSA_WANT_ALG_ECDSA)
109 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
110 #define MBEDTLS_PK_CAN_ECDSA_SIGN
111 #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
112 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
113 #define MBEDTLS_PK_CAN_ECDSA_VERIFY
114 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
115 #endif /* PSA_WANT_ALG_ECDSA */
116 #endif /* MBEDTLS_USE_PSA_CRYPTO */
117 
118 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
119 #define MBEDTLS_PK_CAN_ECDSA_SOME
120 #endif
121 
122 /* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
123  * is defined as well to include all PSA code.
124  */
125 #if defined(MBEDTLS_PSA_CRYPTO_C)
126 #define MBEDTLS_PSA_CRYPTO_CLIENT
127 #endif /* MBEDTLS_PSA_CRYPTO_C */
128 
129 /* The PK wrappers need pk_write functions to format RSA key objects
130  * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
131  * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */
132 #if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
133 #define MBEDTLS_PK_C
134 #define MBEDTLS_PK_WRITE_C
135 #define MBEDTLS_PK_PARSE_C
136 #endif
137 
138 /* Helpers to state that each key is supported either on the builtin or PSA side. */
139 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
140 #define MBEDTLS_ECP_HAVE_SECP521R1
141 #endif
142 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
143 #define MBEDTLS_ECP_HAVE_BP512R1
144 #endif
145 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
146 #define MBEDTLS_ECP_HAVE_CURVE448
147 #endif
148 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
149 #define MBEDTLS_ECP_HAVE_BP384R1
150 #endif
151 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
152 #define MBEDTLS_ECP_HAVE_SECP384R1
153 #endif
154 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
155 #define MBEDTLS_ECP_HAVE_BP256R1
156 #endif
157 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
158 #define MBEDTLS_ECP_HAVE_SECP256K1
159 #endif
160 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
161 #define MBEDTLS_ECP_HAVE_SECP256R1
162 #endif
163 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
164 #define MBEDTLS_ECP_HAVE_CURVE25519
165 #endif
166 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
167 #define MBEDTLS_ECP_HAVE_SECP224K1
168 #endif
169 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
170 #define MBEDTLS_ECP_HAVE_SECP224R1
171 #endif
172 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
173 #define MBEDTLS_ECP_HAVE_SECP192K1
174 #endif
175 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
176 #define MBEDTLS_ECP_HAVE_SECP192R1
177 #endif
178 
179 /* Helper symbol to state that the PK module has support for EC keys. This
180  * can either be provided through the legacy ECP solution or through the
181  * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */
182 #if defined(MBEDTLS_ECP_C) || \
183  (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
184 #define MBEDTLS_PK_HAVE_ECC_KEYS
185 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
186 
187 /* Historically pkparse did not check the CBC padding when decrypting
188  * a key. This was a bug, which is now fixed. As a consequence, pkparse
189  * now needs PKCS7 padding support, but existing configurations might not
190  * enable it, so we enable it here. */
191 #if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
192 #define MBEDTLS_CIPHER_PADDING_PKCS7
193 #endif
194 
195 #endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */