1 /** 2 * \file mbedtls/config_adjust_legacy_crypto.h 3 * \brief Adjust legacy configuration configuration 4 * 5 * Automatically enable certain dependencies. Generally, MBEDLTS_xxx 6 * configurations need to be explicitly enabled by the user: enabling 7 * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a 8 * compilation error. However, we do automatically enable certain options 9 * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option 10 * used to identify parts of a module that are used by other module, and we 11 * don't want to make the symbol MBEDTLS_xxx_B part of the public API. 12 * Another case is if A didn't depend on B in earlier versions, and we 13 * want to use B in A but we need to preserve backward compatibility with 14 * configurations that explicitly activate MBEDTLS_xxx_A but not 15 * MBEDTLS_xxx_B. 16 */ 17 /* 18 * Copyright The Mbed TLS Contributors 19 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 20 */ 21 22 #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H 23 #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H 24 25 /* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C. 26 * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C. 27 */ 28 #if defined(MBEDTLS_MD_C) 29 #define MBEDTLS_MD_LIGHT 30 #endif 31 32 /* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it 33 * in a previous release, to ensure backwards compatibility. 34 */ 35 #if defined(MBEDTLS_ECJPAKE_C) || \ 36 defined(MBEDTLS_PEM_PARSE_C) || \ 37 defined(MBEDTLS_ENTROPY_C) || \ 38 defined(MBEDTLS_PK_C) || \ 39 defined(MBEDTLS_PKCS12_C) || \ 40 defined(MBEDTLS_RSA_C) || \ 41 defined(MBEDTLS_SSL_TLS_C) || \ 42 defined(MBEDTLS_X509_USE_C) || \ 43 defined(MBEDTLS_X509_CREATE_C) 44 #define MBEDTLS_MD_LIGHT 45 #endif 46 47 /* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols: 48 * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions 49 * for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for 50 * some reason, then MBEDTLS_ECP_LIGHT should be enabled as well. 51 * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because 52 * these features are not supported in PSA so the only way to have them is 53 * to enable the built-in solution. 54 * Both of them are temporary dependencies: 55 * - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789 56 * - support for compressed points should also be added to PSA, but in this 57 * case there is no associated issue to track it yet. 58 * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation 59 * still depends on ECP_LIGHT. 60 * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will 61 * be fixed by #7453. 62 */ 63 #if defined(MBEDTLS_ECP_C) || \ 64 defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \ 65 defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \ 66 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) 67 #define MBEDTLS_ECP_LIGHT 68 #endif 69 70 /* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in MbedTLS version 3.5, while 71 * in previous version compressed points were automatically supported as long 72 * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward 73 * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions 74 * are met. */ 75 #if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C) 76 #define MBEDTLS_PK_PARSE_EC_COMPRESSED 77 #endif 78 79 /* Helper symbol to state that there is support for ECDH, either through 80 * library implementation (ECDH_C) or through PSA. */ 81 #if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \ 82 (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)) 83 #define MBEDTLS_CAN_ECDH 84 #endif 85 86 /* PK module can achieve ECDSA functionalities by means of either software 87 * implementations (ECDSA_C) or through a PSA driver. The following defines 88 * are meant to list these capabilities in a general way which abstracts how 89 * they are implemented under the hood. */ 90 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 91 #if defined(MBEDTLS_ECDSA_C) 92 #define MBEDTLS_PK_CAN_ECDSA_SIGN 93 #define MBEDTLS_PK_CAN_ECDSA_VERIFY 94 #endif /* MBEDTLS_ECDSA_C */ 95 #else /* MBEDTLS_USE_PSA_CRYPTO */ 96 #if defined(PSA_WANT_ALG_ECDSA) 97 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) 98 #define MBEDTLS_PK_CAN_ECDSA_SIGN 99 #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */ 100 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) 101 #define MBEDTLS_PK_CAN_ECDSA_VERIFY 102 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ 103 #endif /* PSA_WANT_ALG_ECDSA */ 104 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 105 106 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 107 #define MBEDTLS_PK_CAN_ECDSA_SOME 108 #endif 109 110 /* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT 111 * is defined as well to include all PSA code. 112 */ 113 #if defined(MBEDTLS_PSA_CRYPTO_C) 114 #define MBEDTLS_PSA_CRYPTO_CLIENT 115 #endif /* MBEDTLS_PSA_CRYPTO_C */ 116 117 /* The PK wrappers need pk_write functions to format RSA key objects 118 * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO, 119 * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */ 120 #if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) 121 #define MBEDTLS_PK_C 122 #define MBEDTLS_PK_WRITE_C 123 #define MBEDTLS_PK_PARSE_C 124 #endif 125 126 /* Helpers to state that each key is supported either on the builtin or PSA side. */ 127 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521) 128 #define MBEDTLS_ECP_HAVE_SECP521R1 129 #endif 130 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) 131 #define MBEDTLS_ECP_HAVE_BP512R1 132 #endif 133 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448) 134 #define MBEDTLS_ECP_HAVE_CURVE448 135 #endif 136 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) 137 #define MBEDTLS_ECP_HAVE_BP384R1 138 #endif 139 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384) 140 #define MBEDTLS_ECP_HAVE_SECP384R1 141 #endif 142 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) 143 #define MBEDTLS_ECP_HAVE_BP256R1 144 #endif 145 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256) 146 #define MBEDTLS_ECP_HAVE_SECP256K1 147 #endif 148 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256) 149 #define MBEDTLS_ECP_HAVE_SECP256R1 150 #endif 151 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255) 152 #define MBEDTLS_ECP_HAVE_CURVE25519 153 #endif 154 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224) 155 #define MBEDTLS_ECP_HAVE_SECP224K1 156 #endif 157 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224) 158 #define MBEDTLS_ECP_HAVE_SECP224R1 159 #endif 160 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192) 161 #define MBEDTLS_ECP_HAVE_SECP192K1 162 #endif 163 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) 164 #define MBEDTLS_ECP_HAVE_SECP192R1 165 #endif 166 167 /* Helper symbol to state that the PK module has support for EC keys. This 168 * can either be provided through the legacy ECP solution or through the 169 * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */ 170 #if defined(MBEDTLS_ECP_C) || \ 171 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)) 172 #define MBEDTLS_PK_HAVE_ECC_KEYS 173 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */ 174 175 /* Historically pkparse did not check the CBC padding when decrypting 176 * a key. This was a bug, which is now fixed. As a consequence, pkparse 177 * now needs PKCS7 padding support, but existing configurations might not 178 * enable it, so we enable it here. */ 179 #if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) 180 #define MBEDTLS_CIPHER_PADDING_PKCS7 181 #endif 182 183 #endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */ 184
