Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / ff43ff6e7835b0673d81acddf15002b5e6de253e^! / .
commitff43ff6e7835b0673d81acddf15002b5e6de253e[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Wed Apr 20 15:32:01 2022 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Mon Jul 04 12:38:43 2022 +0200
treeef2c7bb038b9e5093a134ed4b21f8d581a72251f
parent97ec0b7bfa27f4824b15e71fd04777b180bebeec [diff]
Remove stability waiver from USE_PSA

It was initially motivated by the fact that the PSA Crypto APIs
themselves were not stable. In the meantime, PSA Crypto has reached
1.0.0 so this no longer applies.

If we want user to be able to fully benefit from PSA in order to
isolate long-term secrets, they need to be able to use the new APIs with
confidence. There is no reason to think those APIs are any more likely
to change than any of our other APIs, and if they do, we'll follow the
normal process (deprecated in favour of a new variant).

For reference, the APIs in question are:

mbedtls_pk_setup_opaque() // to use PSA-held ECDSA/RSA keys in TLS

mbedtls_ssl_conf_psk_opaque()   // for PSA-held PSKs in TLS
mbedtls_ssl_set_hs_psk_opaque() // for PSA-held PSKs in TLS

mbedtls_cipher_setup_psa() (deprecated in 3.2)
mbedtls_pk_wrap_as_opaque() (documented internal, to be removed in 3.2)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index a3eebc5..4058cb6 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md

@@ -17,11 +17,6 @@
 TLS 1.3 code that are common with TLS 1.2, however, follow this option (this
 is currently just the record protection code).
 
-Stability: any API that's only available when `MBEDTLS_USE_PSA_CRYPTO` is
-defined is considered experimental and may change in incompatible ways at any
-time. Said otherwise, these APIs are explicitly excluded from the usual API
-stability promises.
-
 New APIs / API extensions
 -------------------------
 

diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 37200e7..e243660 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h

@@ -1763,12 +1763,11 @@
  * \note See docs/use-psa-crypto.md for a complete description of what this
  * option currently does, and of parts that are not affected by it so far.
  *
- * \warning This option enables new Mbed TLS APIs which are currently
- * considered experimental and may change in incompatible ways at any time.
- * That is, the APIs enabled by this option are not covered by the usual
- * promises of API stability.
+ * \warning If you enable this option, you need to call `psa_crypto_init()`
+ * before calling any function from the SSL/TLS, X.509 or PK modules.
  *
  * Requires: MBEDTLS_PSA_CRYPTO_C.
+ * Conflicts with: MBEDTLS_ECP_RESTARTABLE
  *
  * Uncomment this to enable internal use of PSA Crypto and new associated APIs.
  */