Features | |
* Some crypto modules that previously depended on MD or a low-level hash | |
module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or | |
for some features (PEM for encrypted files), are now able to use PSA | |
Crypto instead when the legacy API is not available. This means it is | |
now possible to use all features from those modules in configurations | |
where the built-in implementations of hashes are excluded and the hashes | |
are only provided by PSA drivers. In these configurations, you need to | |
call `psa_crypto_init()` before you call any function from those | |
modules; this is not required in configurations where the built-in | |
implementation is still available. Note that some crypto modules and | |
features still depend on the built-in implementation of hashes: | |
MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it), | |
MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC. | |
In particular, for now, compiling without built-in hashes requires use | |
of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. | |
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no | |
longer depend on MD. This means it is now possible to use them in | |
configurations where the built-in implementations of hashes are excluded | |
and the hashes are only provided by PSA drivers. |