Mbed TLS v3.6.6
Loading...
Searching...
No Matches
config_adjust_legacy_crypto.h
Go to the documentation of this file.
1
19/*
20 * Copyright The Mbed TLS Contributors
21 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
22 */
23
24#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
25#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
26
27#if !defined(MBEDTLS_CONFIG_FILES_READ)
28#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
29 "up to and including runtime errors such as buffer overflows. " \
30 "If you're trying to fix a complaint from check_config.h, just remove " \
31 "it from your configuration file: since Mbed TLS 3.0, it is included " \
32 "automatically at the right point."
33#endif /* */
34
35/* Ideally, we'd set those as defaults in mbedtls_config.h, but
36 * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py.
37 *
38 * So, adjust it here.
39 * Not related to crypto, but this is the bottom of the stack. */
40#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
41#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
42 !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
43#define MBEDTLS_PLATFORM_SNPRINTF_ALT
44#endif
45#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
46 !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
47#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
48#endif
49#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
50
51/* The number of "true" entropy sources (excluding NV seed).
52 * This must be consistent with mbedtls_entropy_init() in entropy.c.
53 */
54/* Define auxiliary macros, because in standard C, defined(xxx) is only
55 * allowed directly on an #if or #elif line, not in recursive expansion. */
56#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
57#define MBEDTLS_PLATFORM_ENTROPY_ENABLED 0
58#else
59#define MBEDTLS_PLATFORM_ENTROPY_ENABLED 1
60#endif
61#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
62#define MBEDTLS_ENTROPY_HARDWARE_ALT_DEFINED 1
63#else
64#define MBEDTLS_ENTROPY_HARDWARE_ALT_DEFINED 0
65#endif
66
67#define MBEDTLS_ENTROPY_TRUE_SOURCES ( \
68 MBEDTLS_ENTROPY_HARDWARE_ALT_DEFINED + \
69 MBEDTLS_PLATFORM_ENTROPY_ENABLED + \
70 0)
71
72/* Whether there is at least one entropy source for the entropy module.
73 *
74 * Note that when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, the entropy
75 * module is unused and the configuration will typically not include any
76 * entropy source, so this macro will typically remain undefined.
77 */
78#if defined(MBEDTLS_ENTROPY_NV_SEED)
79#define MBEDTLS_ENTROPY_HAVE_SOURCES (MBEDTLS_ENTROPY_TRUE_SOURCES + 1)
80#elif MBEDTLS_ENTROPY_TRUE_SOURCES != 0
81#define MBEDTLS_ENTROPY_HAVE_SOURCES MBEDTLS_ENTROPY_TRUE_SOURCES
82#else
83#undef MBEDTLS_ENTROPY_HAVE_SOURCES
84#endif
85
86/* Test function dependencies can only check with defined(),
87 * not other preprocessor expressions. */
88#if MBEDTLS_ENTROPY_TRUE_SOURCES > 0
89#define MBEDTLS_ENTROPY_HAVE_TRUE_SOURCES
90#else
91#undef MBEDTLS_ENTROPY_HAVE_TRUE_SOURCES
92#endif
93
94/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
95 * is defined as well to include all PSA code.
96 */
97#if defined(MBEDTLS_PSA_CRYPTO_C)
98#define MBEDTLS_PSA_CRYPTO_CLIENT
99#endif /* MBEDTLS_PSA_CRYPTO_C */
100
101/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
102 * in PSA. */
103#if defined(MBEDTLS_PSA_CRYPTO_C) && \
104 (defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
105 defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
106 defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
107 defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
108 defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
109 defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
110 defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
111 defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \
112 defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC))
113#define MBEDTLS_CIPHER_C
114#endif
115
116/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
117 * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
118 */
119#if defined(MBEDTLS_MD_C)
120#define MBEDTLS_MD_LIGHT
121#endif
122
123/* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it
124 * in a previous release, to ensure backwards compatibility.
125 */
126#if defined(MBEDTLS_ECJPAKE_C) || \
127 defined(MBEDTLS_PEM_PARSE_C) || \
128 defined(MBEDTLS_ENTROPY_C) || \
129 defined(MBEDTLS_PK_C) || \
130 defined(MBEDTLS_PKCS12_C) || \
131 defined(MBEDTLS_RSA_C) || \
132 defined(MBEDTLS_SSL_TLS_C) || \
133 defined(MBEDTLS_X509_USE_C) || \
134 defined(MBEDTLS_X509_CREATE_C)
135#define MBEDTLS_MD_LIGHT
136#endif
137
138#if defined(MBEDTLS_MD_LIGHT)
139/*
140 * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
141 * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
142 * (see below).
143 * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
144 * via PSA (see below).
145 * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
146 * via a direct legacy call (see below).
147 *
148 * The md module performs an algorithm via PSA if there is a PSA hash
149 * accelerator and the PSA driver subsytem is initialized at the time the
150 * operation is started, and makes a direct legacy call otherwise.
151 */
152
153/* PSA accelerated implementations */
154#if defined(MBEDTLS_PSA_CRYPTO_C)
155
156#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
157#define MBEDTLS_MD_CAN_MD5
158#define MBEDTLS_MD_MD5_VIA_PSA
159#define MBEDTLS_MD_SOME_PSA
160#endif
161#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
162#define MBEDTLS_MD_CAN_SHA1
163#define MBEDTLS_MD_SHA1_VIA_PSA
164#define MBEDTLS_MD_SOME_PSA
165#endif
166#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
167#define MBEDTLS_MD_CAN_SHA224
168#define MBEDTLS_MD_SHA224_VIA_PSA
169#define MBEDTLS_MD_SOME_PSA
170#endif
171#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
172#define MBEDTLS_MD_CAN_SHA256
173#define MBEDTLS_MD_SHA256_VIA_PSA
174#define MBEDTLS_MD_SOME_PSA
175#endif
176#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
177#define MBEDTLS_MD_CAN_SHA384
178#define MBEDTLS_MD_SHA384_VIA_PSA
179#define MBEDTLS_MD_SOME_PSA
180#endif
181#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
182#define MBEDTLS_MD_CAN_SHA512
183#define MBEDTLS_MD_SHA512_VIA_PSA
184#define MBEDTLS_MD_SOME_PSA
185#endif
186#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
187#define MBEDTLS_MD_CAN_RIPEMD160
188#define MBEDTLS_MD_RIPEMD160_VIA_PSA
189#define MBEDTLS_MD_SOME_PSA
190#endif
191#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
192#define MBEDTLS_MD_CAN_SHA3_224
193#define MBEDTLS_MD_SHA3_224_VIA_PSA
194#define MBEDTLS_MD_SOME_PSA
195#endif
196#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
197#define MBEDTLS_MD_CAN_SHA3_256
198#define MBEDTLS_MD_SHA3_256_VIA_PSA
199#define MBEDTLS_MD_SOME_PSA
200#endif
201#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
202#define MBEDTLS_MD_CAN_SHA3_384
203#define MBEDTLS_MD_SHA3_384_VIA_PSA
204#define MBEDTLS_MD_SOME_PSA
205#endif
206#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
207#define MBEDTLS_MD_CAN_SHA3_512
208#define MBEDTLS_MD_SHA3_512_VIA_PSA
209#define MBEDTLS_MD_SOME_PSA
210#endif
211
212#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT)
213
214#if defined(PSA_WANT_ALG_MD5)
215#define MBEDTLS_MD_CAN_MD5
216#define MBEDTLS_MD_MD5_VIA_PSA
217#define MBEDTLS_MD_SOME_PSA
218#endif
219#if defined(PSA_WANT_ALG_SHA_1)
220#define MBEDTLS_MD_CAN_SHA1
221#define MBEDTLS_MD_SHA1_VIA_PSA
222#define MBEDTLS_MD_SOME_PSA
223#endif
224#if defined(PSA_WANT_ALG_SHA_224)
225#define MBEDTLS_MD_CAN_SHA224
226#define MBEDTLS_MD_SHA224_VIA_PSA
227#define MBEDTLS_MD_SOME_PSA
228#endif
229#if defined(PSA_WANT_ALG_SHA_256)
230#define MBEDTLS_MD_CAN_SHA256
231#define MBEDTLS_MD_SHA256_VIA_PSA
232#define MBEDTLS_MD_SOME_PSA
233#endif
234#if defined(PSA_WANT_ALG_SHA_384)
235#define MBEDTLS_MD_CAN_SHA384
236#define MBEDTLS_MD_SHA384_VIA_PSA
237#define MBEDTLS_MD_SOME_PSA
238#endif
239#if defined(PSA_WANT_ALG_SHA_512)
240#define MBEDTLS_MD_CAN_SHA512
241#define MBEDTLS_MD_SHA512_VIA_PSA
242#define MBEDTLS_MD_SOME_PSA
243#endif
244#if defined(PSA_WANT_ALG_RIPEMD160)
245#define MBEDTLS_MD_CAN_RIPEMD160
246#define MBEDTLS_MD_RIPEMD160_VIA_PSA
247#define MBEDTLS_MD_SOME_PSA
248#endif
249#if defined(PSA_WANT_ALG_SHA3_224)
250#define MBEDTLS_MD_CAN_SHA3_224
251#define MBEDTLS_MD_SHA3_224_VIA_PSA
252#define MBEDTLS_MD_SOME_PSA
253#endif
254#if defined(PSA_WANT_ALG_SHA3_256)
255#define MBEDTLS_MD_CAN_SHA3_256
256#define MBEDTLS_MD_SHA3_256_VIA_PSA
257#define MBEDTLS_MD_SOME_PSA
258#endif
259#if defined(PSA_WANT_ALG_SHA3_384)
260#define MBEDTLS_MD_CAN_SHA3_384
261#define MBEDTLS_MD_SHA3_384_VIA_PSA
262#define MBEDTLS_MD_SOME_PSA
263#endif
264#if defined(PSA_WANT_ALG_SHA3_512)
265#define MBEDTLS_MD_CAN_SHA3_512
266#define MBEDTLS_MD_SHA3_512_VIA_PSA
267#define MBEDTLS_MD_SOME_PSA
268#endif
269
270#endif /* !MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
271
272/* Built-in implementations */
273#if defined(MBEDTLS_MD5_C)
274#define MBEDTLS_MD_CAN_MD5
275#define MBEDTLS_MD_SOME_LEGACY
276#endif
277#if defined(MBEDTLS_SHA1_C)
278#define MBEDTLS_MD_CAN_SHA1
279#define MBEDTLS_MD_SOME_LEGACY
280#endif
281#if defined(MBEDTLS_SHA224_C)
282#define MBEDTLS_MD_CAN_SHA224
283#define MBEDTLS_MD_SOME_LEGACY
284#endif
285#if defined(MBEDTLS_SHA256_C)
286#define MBEDTLS_MD_CAN_SHA256
287#define MBEDTLS_MD_SOME_LEGACY
288#endif
289#if defined(MBEDTLS_SHA384_C)
290#define MBEDTLS_MD_CAN_SHA384
291#define MBEDTLS_MD_SOME_LEGACY
292#endif
293#if defined(MBEDTLS_SHA512_C)
294#define MBEDTLS_MD_CAN_SHA512
295#define MBEDTLS_MD_SOME_LEGACY
296#endif
297#if defined(MBEDTLS_SHA3_C)
298#define MBEDTLS_MD_CAN_SHA3_224
299#define MBEDTLS_MD_CAN_SHA3_256
300#define MBEDTLS_MD_CAN_SHA3_384
301#define MBEDTLS_MD_CAN_SHA3_512
302#define MBEDTLS_MD_SOME_LEGACY
303#endif
304#if defined(MBEDTLS_RIPEMD160_C)
305#define MBEDTLS_MD_CAN_RIPEMD160
306#define MBEDTLS_MD_SOME_LEGACY
307#endif
308
309#endif /* MBEDTLS_MD_LIGHT */
310
311/* BLOCK_CIPHER module can dispatch to PSA when:
312 * - PSA is enabled and drivers have been initialized
313 * - desired key type is supported on the PSA side
314 * If the above conditions are not met, but the legacy support is enabled, then
315 * BLOCK_CIPHER will dynamically fallback to it.
316 *
317 * In case BLOCK_CIPHER is defined (see below) the following symbols/helpers
318 * can be used to define its capabilities:
319 * - MBEDTLS_BLOCK_CIPHER_SOME_PSA: there is at least 1 key type between AES,
320 * ARIA and Camellia which is supported through a driver;
321 * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_PSA: xxx key type is supported through a
322 * driver;
323 * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through
324 * a legacy module (i.e. MBEDTLS_xxx_C)
325 */
326#if defined(MBEDTLS_PSA_CRYPTO_C)
327#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
328#define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
329#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
330#endif
331#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
332#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
333#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
334#endif
335#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
336#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
337#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
338#endif
339#endif /* MBEDTLS_PSA_CRYPTO_C */
340
341#if defined(MBEDTLS_AES_C)
342#define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY
343#endif
344#if defined(MBEDTLS_ARIA_C)
345#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY
346#endif
347#if defined(MBEDTLS_CAMELLIA_C)
348#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY
349#endif
350
351/* Helpers to state that BLOCK_CIPHER module supports AES, ARIA and/or Camellia
352 * block ciphers via either PSA or legacy. */
353#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA) || \
354 defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY)
355#define MBEDTLS_BLOCK_CIPHER_CAN_AES
356#endif
357#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA) || \
358 defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY)
359#define MBEDTLS_BLOCK_CIPHER_CAN_ARIA
360#endif
361#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA) || \
362 defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY)
363#define MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA
364#endif
365
366/* GCM_C and CCM_C can either depend on (in order of preference) BLOCK_CIPHER_C
367 * or CIPHER_C. The former is auto-enabled when:
368 * - CIPHER_C is not defined, which is also the legacy solution;
369 * - BLOCK_CIPHER_SOME_PSA because in this case BLOCK_CIPHER can take advantage
370 * of the driver's acceleration.
371 */
372#if (defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)) && \
373 (!defined(MBEDTLS_CIPHER_C) || defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA))
374#define MBEDTLS_BLOCK_CIPHER_C
375#endif
376
377/* Helpers for GCM/CCM capabilities */
378#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_AES_C)) || \
379 (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_AES))
380#define MBEDTLS_CCM_GCM_CAN_AES
381#endif
382
383#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_ARIA_C)) || \
384 (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_ARIA))
385#define MBEDTLS_CCM_GCM_CAN_ARIA
386#endif
387
388#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_CAMELLIA_C)) || \
389 (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA))
390#define MBEDTLS_CCM_GCM_CAN_CAMELLIA
391#endif
392
393/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
394 * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
395 * for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
396 * some reason, then MBEDTLS_ECP_LIGHT should be enabled as well.
397 * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because
398 * these features are not supported in PSA so the only way to have them is
399 * to enable the built-in solution.
400 * Both of them are temporary dependencies:
401 * - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789
402 * - support for compressed points should also be added to PSA, but in this
403 * case there is no associated issue to track it yet.
404 * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
405 * still depends on ECP_LIGHT.
406 * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
407 * be fixed by #7453.
408 */
409#if defined(MBEDTLS_ECP_C) || \
410 defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
411 defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \
412 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
413#define MBEDTLS_ECP_LIGHT
414#endif
415
416/* Backward compatibility: after #8740 the RSA module offers functions to parse
417 * and write RSA private/public keys without relying on the PK one. Of course
418 * this needs ASN1 support to do so, so we enable it here. */
419#if defined(MBEDTLS_RSA_C)
420#define MBEDTLS_ASN1_PARSE_C
421#define MBEDTLS_ASN1_WRITE_C
422#endif
423
424/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
425 * in previous version compressed points were automatically supported as long
426 * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
427 * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
428 * are met. */
429#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C)
430#define MBEDTLS_PK_PARSE_EC_COMPRESSED
431#endif
432
433/* Helper symbol to state that there is support for ECDH, either through
434 * library implementation (ECDH_C) or through PSA. */
435#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
436 (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
437#define MBEDTLS_CAN_ECDH
438#endif
439
440/* PK module can achieve ECDSA functionalities by means of either software
441 * implementations (ECDSA_C) or through a PSA driver. The following defines
442 * are meant to list these capabilities in a general way which abstracts how
443 * they are implemented under the hood. */
444#if !defined(MBEDTLS_USE_PSA_CRYPTO)
445#if defined(MBEDTLS_ECDSA_C)
446#define MBEDTLS_PK_CAN_ECDSA_SIGN
447#define MBEDTLS_PK_CAN_ECDSA_VERIFY
448#endif /* MBEDTLS_ECDSA_C */
449#else /* MBEDTLS_USE_PSA_CRYPTO */
450#if defined(PSA_WANT_ALG_ECDSA)
451#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
452#define MBEDTLS_PK_CAN_ECDSA_SIGN
453#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
454#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
455#define MBEDTLS_PK_CAN_ECDSA_VERIFY
456#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
457#endif /* PSA_WANT_ALG_ECDSA */
458#endif /* MBEDTLS_USE_PSA_CRYPTO */
459
460#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
461#define MBEDTLS_PK_CAN_ECDSA_SOME
462#endif
463
464/* Helpers to state that each key is supported either on the builtin or PSA side. */
465#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
466#define MBEDTLS_ECP_HAVE_SECP521R1
467#endif
468#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
469#define MBEDTLS_ECP_HAVE_BP512R1
470#endif
471#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
472#define MBEDTLS_ECP_HAVE_CURVE448
473#endif
474#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
475#define MBEDTLS_ECP_HAVE_BP384R1
476#endif
477#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
478#define MBEDTLS_ECP_HAVE_SECP384R1
479#endif
480#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
481#define MBEDTLS_ECP_HAVE_BP256R1
482#endif
483#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
484#define MBEDTLS_ECP_HAVE_SECP256K1
485#endif
486#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
487#define MBEDTLS_ECP_HAVE_SECP256R1
488#endif
489#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
490#define MBEDTLS_ECP_HAVE_CURVE25519
491#endif
492#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
493#define MBEDTLS_ECP_HAVE_SECP224K1
494#endif
495#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
496#define MBEDTLS_ECP_HAVE_SECP224R1
497#endif
498#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
499#define MBEDTLS_ECP_HAVE_SECP192K1
500#endif
501#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
502#define MBEDTLS_ECP_HAVE_SECP192R1
503#endif
504
505/* Helper symbol to state that the PK module has support for EC keys. This
506 * can either be provided through the legacy ECP solution or through the
507 * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */
508#if defined(MBEDTLS_ECP_C) || \
509 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
510#define MBEDTLS_PK_HAVE_ECC_KEYS
511#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
512
513/* Historically pkparse did not check the CBC padding when decrypting
514 * a key. This was a bug, which is now fixed. As a consequence, pkparse
515 * now needs PKCS7 padding support, but existing configurations might not
516 * enable it, so we enable it here. */
517#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
518#define MBEDTLS_CIPHER_PADDING_PKCS7
519#endif
520
521/* Backwards compatibility for some macros which were renamed to reflect that
522 * they are related to Armv8, not aarch64. */
523#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
524 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
525#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
526#endif
527#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
528#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
529#endif
530
531/* psa_util file features some ECDSA conversion functions, to convert between
532 * legacy's ASN.1 DER format and PSA's raw one. */
533#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
534 (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
535#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
536#endif
537
538/* Some internal helpers to determine which keys are available. */
539#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
540 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
541#define MBEDTLS_SSL_HAVE_AES
542#endif
543#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
544 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
545#define MBEDTLS_SSL_HAVE_ARIA
546#endif
547#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
548 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
549#define MBEDTLS_SSL_HAVE_CAMELLIA
550#endif
551
552/* Some internal helpers to determine which operation modes are available. */
553#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
554 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
555#define MBEDTLS_SSL_HAVE_CBC
556#endif
557
558#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_GCM_C)) || \
559 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
560#define MBEDTLS_SSL_HAVE_GCM
561#endif
562
563#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CCM_C)) || \
564 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
565#define MBEDTLS_SSL_HAVE_CCM
566#endif
567
568#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CHACHAPOLY_C)) || \
569 (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
570#define MBEDTLS_SSL_HAVE_CHACHAPOLY
571#endif
572
573#if defined(MBEDTLS_SSL_HAVE_GCM) || defined(MBEDTLS_SSL_HAVE_CCM) || \
574 defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
575#define MBEDTLS_SSL_HAVE_AEAD
576#endif
577
578#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */