diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index fc5317af8..c63e65a9a 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -11,12 +11,15 @@ General considerations `psa_crypto_init()` before calling any function from the SSL/TLS, X.509 or PK module. -**Scope:** `MBEDTLS_USE_PSA_CRYPTO` has no effect on the parts of the code that -are specific to TLS 1.3; those parts always use PSA Crypto. The parts of the -TLS 1.3 code that are common with TLS 1.2, however, follow this option; -currently this is the record protection code, computation of the running -handshake hash, and X.509. You need to enable `MBEDTLS_USE_PSA_CRYPTO` if you -want TLS 1.3 to use PSA everywhere. +**Scope:** `MBEDTLS_USE_PSA_CRYPTO` has no effect on the most of the TLS 1.3 +code, which always uses PSA crypto. The parts of the TLS 1.3 code that will +use PSA Crypto or not depending on the value of this option are: +- record protection; +- running handshake hash; +- asymmetric signature verification & generation; +- X.509 certificate chain verification. +You need to enable `MBEDTLS_USE_PSA_CRYPTO` if you want TLS 1.3 to use PSA +everywhere. New APIs / API extensions ------------------------- diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7b1c70cb0..ca60a9d92 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -783,7 +783,7 @@ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if !( defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && \ - ( defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PKCS1_V21) ) ) + ( defined(MBEDTLS_PK_HAVE_ECDSA) || defined(MBEDTLS_PKCS1_V21) ) ) #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites" #endif #endif