diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 41a97b1ed..6d8a96c06 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1726,18 +1726,26 @@
 /**
 * \def MBEDTLS_USE_PSA_CRYPTO
 *
- * Make the X.509 and TLS library use PSA for cryptographic operations, see
- * #MBEDTLS_PSA_CRYPTO_C.
+ * Make the X.509 and TLS library use PSA for cryptographic operations, and
+ * enable new APIs for using keys handled by PSA Crypto.
 *
- * Note: this option is still in progress, the full X.509 and TLS modules are
+ * \note This option is still in progress, the full X.509 and TLS modules are
 * not covered yet, but parts that are not ported to PSA yet will still work
 * as usual, so enabling this option should not break backwards compatibility.
 *
- * \warning Support for PSA is still an experimental feature.
- * Any public API that depends on this option may change
- * at any time until this warning is removed.
+ * \warning The PSA Crypto API is still beta status. While you're welcome to
+ * experiment using it, incompatible API changes are still possible, and some
+ * parts may not have reached the same quality as the rest of Mbed TLS yet.
+ *
+ * \warning This option enables new Mbed TLS APIs that are dependent on the
+ * PSA Crypto API, so can't come with the same stability guarantees as the
+ * rest of the Mbed TLS APIs. You're welcome to experiment with them, but for
+ * now access to these APIs is opt-in (via enabling the present option), in
+ * order to clearly differentiate them from the stable Mbed TLS APIs.
 *
 * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * Uncomment this to enable internal use of PSA Crypto and new associated APIs
 */
 //#define MBEDTLS_USE_PSA_CRYPTO
diff --git a/scripts/config.pl b/scripts/config.pl
index 0528143a0..0e113991f 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -37,9 +37,6 @@
 # - this could be enabled if the respective tests were adapted
 # MBEDTLS_ZLIB_SUPPORT
 # MBEDTLS_PKCS11_C
-# MBEDTLS_USE_PSA_CRYPTO
-# - experimental, and more an alternative implementation than a feature
-# MBEDTLS_PSA_ITS_FILE_C
 # MBEDTLS_PSA_CRYPTO_SPM
 # MBEDTLS_PSA_INJECT_ENTROPY
 # and any symbol beginning _ALT
@@ -103,8 +100,6 @@ MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
 MBEDTLS_NO_UDBL_DIVISION
 MBEDTLS_NO_64BIT_MULTIPLICATION
-MBEDTLS_USE_PSA_CRYPTO
-MBEDTLS_PSA_ITS_FILE_C
 MBEDTLS_PSA_CRYPTO_SPM
 MBEDTLS_PSA_INJECT_ENTROPY
 _ALT\s*$
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 304eaeede..708adc965 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -840,6 +840,7 @@ component_test_not_submodule_make () {
 scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA
 scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule
 scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA
+ scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA
 make CC=gcc CFLAGS='-g' USE_CRYPTO_SUBMODULE=0
 msg "test: submodule libmbedcrypto wasn't built (no USE_CRYPTO_SUBMODULE, make)"
@@ -863,6 +864,8 @@ component_test_not_submodule_cmake () {
 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
 scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule
 scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA
+ scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA
+ scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA
 CC=gcc cmake -D CMAKE_BUILD_TYPE=Debug -D USE_CRYPTO_SUBMODULE=Off .
 make
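Review bot: Removing MBEDTLS_USE_PSA_CRYPTO from the exclusion comment in the -37 hunk and from the pattern list in the -103 hunk makes `config.pl full` turn on an option that config.h, in this same commit, describes as beta and deliberately opt-in. Any build derived from `full` then gets the PSA-backed X.509/TLS paths without having chosen them, and nothing in the visible text tells the reader so. A one-line statement where the option is documented would close that gap, for example ` * \note scripts/config.pl full enables this option.` in the config.h block. The deleted comment line was also the only recorded reason for the exclusion, so the commit message should say why that reason no longer applies.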
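Review bot: The added unsets in component_test_not_submodule_make (hunk -840) and component_test_not_submodule_cmake (hunk -863) carry the comment `# depends on PSA`, which does not say whether the dependency is the MBEDTLS_PSA_CRYPTO_C option or the crypto submodule sources. Since `full` now enables these options, the list has to be kept by hand in each component, and a precise comment is what tells the next maintainer which new options belong on it. The cmake component also unsets MBEDTLS_USE_PSA_CRYPTO after MBEDTLS_PSA_CRYPTO_C while the make component does it before; using one order in both makes the two lists easy to compare. Both functions begin and end outside these hunks.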
@@ -880,33 +883,34 @@ component_test_not_submodule_cmake () {
 if_build_succeeded tests/ssl-opt.sh
 }
-component_test_use_psa_crypto_full_cmake_asan() {
- # MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
+component_test_no_use_psa_crypto_full_cmake_asan() {
+ # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
 msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan"
 scripts/config.pl full
 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
 scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE # restartable ECC not supported through PSA
 scripts/config.pl set MBEDTLS_PSA_CRYPTO_C
- scripts/config.pl set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C
 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
 make
- msg "test: main suites (MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)"
 make test
- msg "test: ssl-opt.sh (MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
 if_build_succeeded tests/ssl-opt.sh
- msg "test: compat.sh default (MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
 if_build_succeeded tests/compat.sh
- msg "test: compat.sh ssl3 (MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh ssl3 (full minus MBEDTLS_USE_PSA_CRYPTO)"
 if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
- msg "test: compat.sh RC4, DES & NULL (MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
 if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
- msg "test: compat.sh ARIA + ChachaPoly (MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
 if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }
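Review bot: The unchanged line `msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan"` in component_test_no_use_psa_crypto_full_cmake_asan now contradicts the build, which unsets that option; it should read `msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan"` to match the renamed test messages. The added `scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C` has no trailing comment explaining why it is disabled while MBEDTLS_PSA_CRYPTO_C stays set, unlike the same line in the not_submodule components. The kept `unset MBEDTLS_ECP_RESTARTABLE # restartable ECC not supported through PSA` appears to lose its reason once MBEDTLS_USE_PSA_CRYPTO is off; if that is so, this ASan run no longer needs to skip restartable ECC, which is worth confirming.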