Lines Matching refs:not
6 This document discusses a migration strategy for code that is not subject to `MBEDTLS_USE_PSA_CRYPT…
12 A difference between the original strategy and the current one is that in this work, we are not tre…
75 …erfaces may change without notice.” In practice, this may mean constraints not only on how to writ…
76 …not ready for production since it is not completed.” We may want to change this, for example, to a…
80 It is not a goal at this stage to make more code directly call `psa_xxx` functions. Rather, the goa…
92 * Make non-covered modules call PSA, but only [when this will actually work](#why-psa-is-not-always…
99 * Software implementations of primitive cryptographic mechanisms. These are not expected to change.
101 * Code implementing the PSA crypto interface. This is not expected to change, except perhaps to exp…
107 * **Legacy domain**: does not interact with PSA. Implementations of hashes, of cipher primitives, o…
108 * **Mixed domain**: does not currently use PSA, but should [when possible](#why-psa-is-not-always-p…
189 #### Why PSA is not always possible
191 Here are some reasons why calling `psa_xxx()` to perform a hash or cipher calculation might not be …
194 * There is a PSA driver which has not been initialized (this happens in `psa_crypto_init()`).
195 …ciphers, the keystore is not initialized yet, and Mbed TLS uses a custom implementation of PSA ITS…
196 …quested mechanism is enabled in the legacy interface but not in the PSA interface. This was not re…
197 * `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the client has not yet activated the connection to th…
202 …if this does not add a risk of failure or performance degradation ([PSA is impossible or undesirab…
207 * must not call PSA (or must have a fallback) if their caller is not in the PSA domain and the PSA …
211 Generally speaking, just because some feature is not enabled in `mbedtls_config.h` or `psa_config.h…
226 * Who's the ultimate caller — see [indirect knowledge](#indirect-knowledge) — which is not actually…
231 And we need to take care of [the cases where PSA is not possible](#why-psa-is-not-always-possib…
240 …not available (regardless of whether this is because `MBEDTLS_PSA_CRYPTO_C` is disabled, or becaus…
254 …-SHA-256. It must work at all times, regardless of the state of PSA (e.g. drivers not initialized).
258 …` or `PSA_WANT_ALG_SHA_256` is enabled. If only `PSA_WANT_ALG_SHA_256` and not `MBEDTLS_SHA256_C` …
264 * `MBEDTLS_PSA_CRYPTO_CLIENT`. Then calling PSA may or may not be desirable for performance. There …
266 …hink of a case where we would want to guarantee that if `MBEDTLS_xxx_C` is not enabled, but xxx is…
267 …elerator might want entropy (for side channel countermeasures) which might not be available at boo…
288 …t are available through accelerators but not through legacy, but this is not officially supported …
291 It is strongly desirable to allow mechanisms available through PSA but not legacy: this allows savi…
293 …not PSA when `MBEDTLS_PSA_CRYPTO_C` is enabled. This would only save at best a very small amount o…
295 In this analysis, we have not found a compelling reason to require all legacy mechanisms to also be…
302 We now need to create an abstraction for mixed-domain hash calculation. (We could not create an abs…
310 The existing interface in `md.h` is close to what we want, but not perfect. What's wrong with it?
328 We do not need to support driver-only hashes and ciphers in PK. X.509 and TLS without `MBEDTLS_USE_…
332 This will go away naturally in 4.0 when this macro is no longer an option (because it's always on…
338 Considering this existing restriction which we do not plan to lift before 4.0, it is acceptable dri…
361 - CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA if not.
417 Unlike the full MD, MD light does not support null pointers as `mbedtls_md_context_t *`. At least s…
499 Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally saf…
509 …ble set the engine to `MBEDTLS_MD_ENGINE_PSA`. (Skip this if `MBEDTLS_MD_SOME_PSA` is not defined.)
510 …module based on the type as currently done. (Skip this if `MBEDTLS_MD_SOME_LEGACY` is not defined.)
513 …via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an …
529 This section is not necessary to implement MD light, but will cut down its code size.
558 PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not…
562 …dispatches to PSA if an algorithm is available via `MBEDTLS_PSA_CRYPTO_C`, not if it's available v…
574 it (namely: CCM, GCM) only when `CIPHER_C` is not available, or the new module
614 …via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an …