Merge pull request #4254 from mstarzyk-mobica/remove_libpkcs11-helper

Remove PKCS#11 library wrapper.
2025-10-31 03:30:35 -04:00 · 2021-04-22 12:39:54 +02:00 · 2021-04-22 12:39:54 +02:00 · e8e450a394
commit e8e450a394
parent 1216233949 f9c7b3eb11
22 changed files with 6 additions and 577 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -38,8 +38,6 @@ endif()
 # Set the project root directory.
 set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR})
 option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
 option(ENABLE_PROGRAMS "Build mbed TLS programs." ON)
 option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
--- a/ChangeLog.d/remove_pkcs11.txt
+++ b/ChangeLog.d/remove_pkcs11.txt
@ -0,0 +1,6 @@
 Removals
   * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
     lacks automated tests and has scarce documentation. Also, PSA Crypto
     provides a more flexible private key management.
     More details on PCKS#11 wrapper removal can be found in the mailing list
     https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@ -2477,21 +2477,6 @@
 */
 #define MBEDTLS_PKCS5_C
 /**
 * \def MBEDTLS_PKCS11_C
 *
 * Enable wrapper for PKCS#11 smartcard support.
 *
 * Module:  library/pkcs11.c
 * Caller:  library/pk.c
 *
 * Requires: MBEDTLS_PK_C
 *
 * This module enables SSL/TLS PKCS #11 smartcard support.
 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
 */
 //#define MBEDTLS_PKCS11_C
 /**
 * \def MBEDTLS_PKCS12_C
 *
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -362,18 +362,6 @@
 #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
 #error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_PKCS11_C)
 #if defined(MBEDTLS_DEPRECATED_REMOVED)
 #error "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
 #elif defined(MBEDTLS_DEPRECATED_WARNING)
 #warning "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
 #endif
 #endif /* MBEDTLS_PKCS11_C */
 #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
 #endif
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -2948,24 +2948,6 @@
 */
 #define MBEDTLS_PKCS5_C
 /**
 * \def MBEDTLS_PKCS11_C
 *
 * Enable wrapper for PKCS#11 smartcard support via the pkcs11-helper library.
 *
 * \deprecated This option is deprecated and will be removed in a future
 *             version of Mbed TLS.
 *
 * Module:  library/pkcs11.c
 * Caller:  library/pk.c
 *
 * Requires: MBEDTLS_PK_C
 *
 * This module enables SSL/TLS PKCS #11 smartcard support.
 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
 */
 //#define MBEDTLS_PKCS11_C
 /**
 * \def MBEDTLS_PKCS12_C
 *
--- a/include/mbedtls/pkcs11.h
+++ b/include/mbedtls/pkcs11.h
@ -1,246 +0,0 @@
 /**
 * \file pkcs11.h
 *
 * \brief Wrapper for PKCS#11 library libpkcs11-helper
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef MBEDTLS_PKCS11_H
 #define MBEDTLS_PKCS11_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if defined(MBEDTLS_PKCS11_C)
 #include "mbedtls/x509_crt.h"
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
 #define inline __inline
 #endif
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
 * Context for PKCS #11 private keys.
 */
 typedef struct mbedtls_pkcs11_context
 {
        pkcs11h_certificate_t pkcs11h_cert;
        int len;
 } mbedtls_pkcs11_context;
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * Initialize a mbedtls_pkcs11_context.
 * (Just making memory references valid.)
 *
 * \deprecated          This function is deprecated and will be removed in a
 *                      future version of the library.
 */
 MBEDTLS_DEPRECATED void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
 /**
 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
 *
 * \deprecated          This function is deprecated and will be removed in a
 *                      future version of the library.
 *
 * \param cert          X.509 certificate to fill
 * \param pkcs11h_cert  PKCS #11 helper certificate
 *
 * \return              0 on success.
 */
 MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert,
                                        pkcs11h_certificate_t pkcs11h_cert );
 /**
 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
 * done.
 *
 * \deprecated          This function is deprecated and will be removed in a
 *                      future version of the library.
 *
 * \param priv_key      Private key structure to fill.
 * \param pkcs11_cert   PKCS #11 helper certificate
 *
 * \return              0 on success
 */
 MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
                                        mbedtls_pkcs11_context *priv_key,
                                        pkcs11h_certificate_t pkcs11_cert );
 /**
 * Free the contents of the given private key context. Note that the structure
 * itself is not freed.
 *
 * \deprecated          This function is deprecated and will be removed in a
 *                      future version of the library.
 *
 * \param priv_key      Private key structure to cleanup
 */
 MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
                                            mbedtls_pkcs11_context *priv_key );
 /**
 * \brief          Do an RSA private key decrypt, then remove the message
 *                 padding
 *
 * \deprecated     This function is deprecated and will be removed in a future
 *                 version of the library.
 *
 * \param ctx      PKCS #11 context
 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
 * \param input    buffer holding the encrypted data
 * \param output   buffer that will hold the plaintext
 * \param olen     will contain the plaintext length
 * \param output_max_len    maximum length of the output buffer
 *
 * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
 *                 an error is thrown.
 */
 MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
                                               int mode, size_t *olen,
                                               const unsigned char *input,
                                               unsigned char *output,
                                               size_t output_max_len );
 /**
 * \brief          Do a private RSA to sign a message digest
 *
 * \deprecated     This function is deprecated and will be removed in a future
 *                 version of the library.
 *
 * \param ctx      PKCS #11 context
 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
 * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
 * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the ciphertext
 *
 * \return         0 if the signing operation was successful,
 *                 or an MBEDTLS_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
 MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
                                            int mode,
                                            mbedtls_md_type_t md_alg,
                                            unsigned int hashlen,
                                            const unsigned char *hash,
                                            unsigned char *sig );
 /**
 * SSL/TLS wrappers for PKCS#11 functions
 *
 * \deprecated     This function is deprecated and will be removed in a future
 *                 version of the library.
 */
 MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx,
                            int mode, size_t *olen,
                            const unsigned char *input, unsigned char *output,
                            size_t output_max_len )
 {
    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
                           output_max_len );
 }
 /**
 * \brief          This function signs a message digest using RSA.
 *
 * \deprecated     This function is deprecated and will be removed in a future
 *                 version of the library.
 *
 * \param ctx      The PKCS #11 context.
 * \param f_rng    The RNG function. This parameter is unused.
 * \param p_rng    The RNG context. This parameter is unused.
 * \param mode     The operation to run. This must be set to
 *                 MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
 *                 signature.
 * \param md_alg   The message digest algorithm. One of the MBEDTLS_MD_XXX
 *                 must be passed to this function and MBEDTLS_MD_NONE can be
 *                 used for signing raw data.
 * \param hashlen  The message digest length (for MBEDTLS_MD_NONE only).
 * \param hash     The buffer holding the message digest.
 * \param sig      The buffer that will hold the ciphertext.
 *
 * \return         \c 0 if the signing operation was successful.
 * \return         A non-zero error code on failure.
 *
 * \note           The \p sig buffer must be as large as the size of
 *                 <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
 *                 used.
 */
 MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
                    const unsigned char *hash, unsigned char *sig )
 {
    ((void) f_rng);
    ((void) p_rng);
    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
                        hashlen, hash, sig );
 }
 /**
 * This function gets the length of the private key.
 *
 * \deprecated     This function is deprecated and will be removed in a future
 *                 version of the library.
 *
 * \param ctx      The PKCS #11 context.
 *
 * \return         The length of the private key.
 */
 MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
 {
    return ( (mbedtls_pkcs11_context *) ctx )->len;
 }
 #undef MBEDTLS_DEPRECATED
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
 #ifdef __cplusplus
 }
 #endif
 #endif /* MBEDTLS_PKCS11_C */
 #endif /* MBEDTLS_PKCS11_H */
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@ -89,7 +89,6 @@ set(src_crypto
 list(APPEND src_crypto ${thirdparty_src})
 set(src_x509
    pkcs11.c
    x509.c
    x509_create.c
    x509_crl.c
@ -136,10 +135,6 @@ if(HAIKU)
    set(libs ${libs} network)
 endif(HAIKU)
 if(USE_PKCS11_HELPER_LIBRARY)
    set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
 if(LINK_WITH_PTHREAD)
    set(libs ${libs} pthread)
 endif()
--- a/library/Makefile
+++ b/library/Makefile
@ -148,7 +148,6 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
 OBJS_X509= \
 	   pkcs11.o \
 	   x509.o \
 	   x509_create.o \
 	   x509_crl.o \
--- a/library/pkcs11.c
+++ b/library/pkcs11.c
@ -1,238 +0,0 @@
 /**
 * \file pkcs11.c
 *
 * \brief Wrapper for PKCS#11 library libpkcs11-helper
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #include "mbedtls/pkcs11.h"
 #if defined(MBEDTLS_PKCS11_C)
 #include "mbedtls/md.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/x509_crt.h"
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
 #include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
 #include <string.h>
 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
 {
    memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
 }
 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
 {
    int ret = 1;
    unsigned char *cert_blob = NULL;
    size_t cert_blob_size = 0;
    if( cert == NULL )
    {
        ret = 2;
        goto cleanup;
    }
    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
                                                &cert_blob_size ) != CKR_OK )
    {
        ret = 3;
        goto cleanup;
    }
    cert_blob = mbedtls_calloc( 1, cert_blob_size );
    if( NULL == cert_blob )
    {
        ret = 4;
        goto cleanup;
    }
    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
                                                &cert_blob_size ) != CKR_OK )
    {
        ret = 5;
        goto cleanup;
    }
    if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
    {
        ret = 6;
        goto cleanup;
    }
    ret = 0;
 cleanup:
    if( NULL != cert_blob )
        mbedtls_free( cert_blob );
    return( ret );
 }
 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
        pkcs11h_certificate_t pkcs11_cert )
 {
    int ret = 1;
    mbedtls_x509_crt cert;
    mbedtls_x509_crt_init( &cert );
    if( priv_key == NULL )
        goto cleanup;
    if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
        goto cleanup;
    priv_key->len = mbedtls_pk_get_len( &cert.pk );
    priv_key->pkcs11h_cert = pkcs11_cert;
    ret = 0;
 cleanup:
    mbedtls_x509_crt_free( &cert );
    return( ret );
 }
 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
 {
    if( NULL != priv_key )
        pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
 }
 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
                       int mode, size_t *olen,
                       const unsigned char *input,
                       unsigned char *output,
                       size_t output_max_len )
 {
    size_t input_len, output_len;
    if( NULL == ctx )
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    if( MBEDTLS_RSA_PRIVATE != mode )
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    output_len = input_len = ctx->len;
    if( input_len < 16 || input_len > output_max_len )
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    /* Determine size of output buffer */
    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
            input_len, NULL, &output_len ) != CKR_OK )
    {
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
    if( output_len > output_max_len )
        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
            input_len, output, &output_len ) != CKR_OK )
    {
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
    *olen = output_len;
    return( 0 );
 }
 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
                    int mode,
                    mbedtls_md_type_t md_alg,
                    unsigned int hashlen,
                    const unsigned char *hash,
                    unsigned char *sig )
 {
    size_t sig_len = 0, asn_len = 0, oid_size = 0;
    unsigned char *p = sig;
    const char *oid;
    if( NULL == ctx )
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    if( MBEDTLS_RSA_PRIVATE != mode )
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    if( md_alg != MBEDTLS_MD_NONE )
    {
        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
        if( md_info == NULL )
            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
        hashlen = mbedtls_md_get_size( md_info );
        asn_len = 10 + oid_size;
    }
    sig_len = ctx->len;
    if( hashlen > sig_len || asn_len > sig_len ||
        hashlen + asn_len > sig_len )
    {
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
    if( md_alg != MBEDTLS_MD_NONE )
    {
        /*
         * DigestInfo ::= SEQUENCE {
         *   digestAlgorithm DigestAlgorithmIdentifier,
         *   digest Digest }
         *
         * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
         *
         * Digest ::= OCTET STRING
         */
        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
        *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
        *p++ = (unsigned char) ( 0x04 + oid_size );
        *p++ = MBEDTLS_ASN1_OID;
        *p++ = oid_size & 0xFF;
        memcpy( p, oid, oid_size );
        p += oid_size;
        *p++ = MBEDTLS_ASN1_NULL;
        *p++ = 0x00;
        *p++ = MBEDTLS_ASN1_OCTET_STRING;
        *p++ = hashlen;
    }
    memcpy( p, hash, hashlen );
    if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
            asn_len + hashlen, sig, &sig_len ) != CKR_OK )
    {
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
    }
    return( 0 );
 }
 #endif /* defined(MBEDTLS_PKCS11_C) */
--- a/library/version_features.c
+++ b/library/version_features.c
@ -726,9 +726,6 @@ static const char * const features[] = {
 #if defined(MBEDTLS_PKCS5_C)
    "MBEDTLS_PKCS5_C",
 #endif /* MBEDTLS_PKCS5_C */
 #if defined(MBEDTLS_PKCS11_C)
    "MBEDTLS_PKCS11_C",
 #endif /* MBEDTLS_PKCS11_C */
 #if defined(MBEDTLS_PKCS12_C)
    "MBEDTLS_PKCS12_C",
 #endif /* MBEDTLS_PKCS12_C */
--- a/programs/Makefile
+++ b/programs/Makefile
@ -1,6 +1,5 @@
 # To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
 # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS
 CFLAGS	?= -O2
 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@ -2,10 +2,6 @@ set(libs
    ${mbedtls_target}
 )
 if(USE_PKCS11_HELPER_LIBRARY)
    set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
 find_library(FUZZINGENGINE_LIB FuzzingEngine)
 if(FUZZINGENGINE_LIB)
    project(fuzz CXX)
--- a/programs/ssl/CMakeLists.txt
+++ b/programs/ssl/CMakeLists.txt
@ -5,10 +5,6 @@ set(libs
    ${mbedtls_target}
 )
 if(USE_PKCS11_HELPER_LIBRARY)
    set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
 set(executables
    dtls_client
    dtls_server
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@ -2,10 +2,6 @@ set(libs
    ${mbedtls_target}
 )
 if(USE_PKCS11_HELPER_LIBRARY)
    set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
 set(executables_libs
    selftest
    udp_proxy
--- a/programs/test/cpp_dummy_build.cpp
+++ b/programs/test/cpp_dummy_build.cpp
@ -63,7 +63,6 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/pem.h"
 #include "mbedtls/pk.h"
 #include "mbedtls/pkcs11.h"
 #include "mbedtls/pkcs12.h"
 #include "mbedtls/pkcs5.h"
 #include "mbedtls/platform_time.h"
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@ -73,7 +73,6 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/pem.h"
 #include "mbedtls/pk.h"
 #include "mbedtls/pkcs11.h"
 #include "mbedtls/pkcs12.h"
 #include "mbedtls/pkcs5.h"
 #include "mbedtls/platform_time.h"
@ -1988,14 +1987,6 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_PKCS5_C */
 #if defined(MBEDTLS_PKCS11_C)
    if( strcmp( "MBEDTLS_PKCS11_C", config ) == 0 )
    {
        MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS11_C );
        return( 0 );
    }
 #endif /* MBEDTLS_PKCS11_C */
 #if defined(MBEDTLS_PKCS12_C)
    if( strcmp( "MBEDTLS_PKCS12_C", config ) == 0 )
    {
--- a/programs/x509/CMakeLists.txt
+++ b/programs/x509/CMakeLists.txt
@ -2,10 +2,6 @@ set(libs
    ${mbedx509_target}
 )
 if(USE_PKCS11_HELPER_LIBRARY)
    set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
 set(executables
    cert_app
    cert_req
--- a/scripts/config.py
+++ b/scripts/config.py
@ -183,7 +183,6 @@ EXCLUDE_FROM_FULL = frozenset([
    'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
    'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature
    'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
    'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
    'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
    'MBEDTLS_PSA_CRYPTO_CONFIG', # toggles old/new style PSA config
    'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency
@ -277,7 +276,6 @@ def include_in_crypto(name):
    if name in [
            'MBEDTLS_DEBUG_C', # part of libmbedtls
            'MBEDTLS_NET_C', # part of libmbedtls
            'MBEDTLS_PKCS11_C', # part of libmbedx509
    ]:
        return False
    return True
--- a/scripts/data_files/query_config.fmt
+++ b/scripts/data_files/query_config.fmt
@ -73,7 +73,6 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/pem.h"
 #include "mbedtls/pk.h"
 #include "mbedtls/pkcs11.h"
 #include "mbedtls/pkcs12.h"
 #include "mbedtls/pkcs5.h"
 #include "mbedtls/platform_time.h"
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@ -9,10 +9,6 @@ if(NOT DEFINED MBEDTLS_DIR)
    set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
 endif()
 if(USE_PKCS11_HELPER_LIBRARY)
    set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
 if(NOT MBEDTLS_PYTHON_EXECUTABLE)
    message(FATAL_ERROR "Cannot build test suites without Python 3")
 endif()
--- a/tests/Makefile
+++ b/tests/Makefile
@ -1,6 +1,5 @@
 # To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
 # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS
 CFLAGS	?= -O2
 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@ -182,7 +182,6 @@
    <ClInclude Include="..\..\include\mbedtls\oid.h" />
    <ClInclude Include="..\..\include\mbedtls\pem.h" />
    <ClInclude Include="..\..\include\mbedtls\pk.h" />
    <ClInclude Include="..\..\include\mbedtls\pkcs11.h" />
    <ClInclude Include="..\..\include\mbedtls\pkcs12.h" />
    <ClInclude Include="..\..\include\mbedtls\pkcs5.h" />
    <ClInclude Include="..\..\include\mbedtls\platform.h" />
@ -321,7 +320,6 @@
    <ClCompile Include="..\..\library\pem.c" />
    <ClCompile Include="..\..\library\pk.c" />
    <ClCompile Include="..\..\library\pk_wrap.c" />
    <ClCompile Include="..\..\library\pkcs11.c" />
    <ClCompile Include="..\..\library\pkcs12.c" />
    <ClCompile Include="..\..\library\pkcs5.c" />
    <ClCompile Include="..\..\library\pkparse.c" />