cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-09-24 05:00:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

More generally, what needs psa_crypto_init also needs threading

Browse Source 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2025-03-11 14:45:54 +01:00
parent 730be78ce5
commit d3b3c6740f
1 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
include/mbedtls/mbedtls_config.h
View File

@ -2130,6 +2130,10 @@
* before calling any function from the SSL/TLS, X.509 or PK modules, except
* for the various mbedtls_xxx_init() functions which can be called at any time.
*
* \warning In multithreaded applications, you must also enable
* #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions
* (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK.
*
* \note An important and desirable effect of this option is that it allows
* PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
* this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in
@ -2139,10 +2143,6 @@
*
* \note See docs/use-psa-crypto.md for a complete description this option.
*
* \note In multithreaded applications, you must also enable
* #MBEDTLS_THREADING_C, unless only one thread ever calls
* `psa_xxx()`, PK, X.509 or TLS functions.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
*
* Uncomment this to enable internal use of PSA Crypto and new associated APIs.
@ -3224,6 +3224,14 @@
*
* \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C,
* unless only one thread ever calls `psa_xxx()` functions.
* That includes indirect calls, such as:
* - performing a TLS handshake if support for TLS 1.3 is enabled;
* - using a TLS 1.3 connection;
* - indirect calls from PK, X.509 or SSL functions when
* #MBEDTLS_USE_PSA_CRYPTO is enabled;
* - indirect calls to calculate a hash when #MBEDTLS_MD_C is disabled;
* - any other call to a function that requires calling psa_crypto_init()
* beforehand.
*
* Module: library/psa_crypto.c
*
@ -3662,12 +3670,17 @@
* if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual
* TLS, X.509 or PK contexts are shared between threads).
* - A TLS 1.3 connection, regardless of the compile-time configuration.
* - Any library feature that calculates a hash, except for algorithm-specific
* low-level modules, if `MBEDTLS_MD_C` is disabled.
* - Any library feature that calculates a hash, except for algorithm-specific
* low-level modules, if `MBEDTLS_CIPHER_C` is disabled.
* - Any library feature that calculates a hash, if `MBEDTLS_MD_C` is disabled.
* As an exception, algorithm-specific low-level modules do not require
* threading protection unless the contexts are shared between threads.
* - Any library feature that performs symmetric encryption or decryption,
* if `MBEDTLS_CIPHER_C` is disabled.
* As an exception, algorithm-specific low-level modules do not require
* threading protection unless the contexts are shared between threads.
* - Any use of a cryptographic context if the same context is used in
* multiple threads.
* - Any call to a function where the documentation specifies that
* psa_crypto_init() must be called prior to that function.
*
* See also our Knowledge Base article about threading:
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading