Enable USE_PSA_CRYPTO with config.pl full

Previously it was disabled as too experimental, which no longer holds. Also,
this option introduces new APIs, so it's not only about an internal
alternative (as the comment in config.pl used to state) - people who request a
full config should get all of the available APIs.

Adapt all.sh: now all builds with full config will also test this option, and
builds with the default config will test without it. Just to be sure, let's
have a build with full config minus this option.

Update documentation of MBEDTLS_USE_PSA_CRYPTO to reflect the status of the
new APIs it enables in Mbed TLS and why they're still opt-in.

include/mbedtls/config.h

@@ -1726,18 +1726,26 @@
 /**
  * \def MBEDTLS_USE_PSA_CRYPTO
  *
- * Make the X.509 and TLS library use PSA for cryptographic operations, see
- * #MBEDTLS_PSA_CRYPTO_C.
+ * Make the X.509 and TLS library use PSA for cryptographic operations, and
+ * enable new APIs for using keys handled by PSA Crypto.
  *
- * Note: this option is still in progress, the full X.509 and TLS modules are
+ * \note This option is still in progress, the full X.509 and TLS modules are
  * not covered yet, but parts that are not ported to PSA yet will still work
  * as usual, so enabling this option should not break backwards compatibility.
  *
- * \warning  Support for PSA is still an experimental feature.
- *           Any public API that depends on this option may change
- *           at any time until this warning is removed.
+ * \warning The PSA Crypto API is still beta status. While you're welcome to
+ * experiment using it, incompatible API changes are still possible, and some
+ * parts may not have reached the same quality as the rest of Mbed TLS yet.
+ *
+ * \warning This option enables new Mbed TLS APIs that are dependent on the
+ * PSA Crypto API, so can't come with the same stability guarantees as the
+ * rest of the Mbed TLS APIs. You're welcome to experiment with them, but for
+ * now access to these APIs is opt-in (via enabling the present option), in
+ * order to clearly differentiate them from the stable Mbed TLS APIs.
  *
  * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * Uncomment this to enable internal use of PSA Crypto and new associated APIs
  */
 //#define MBEDTLS_USE_PSA_CRYPTO
 

scripts/config.pl

@@ -37,9 +37,6 @@
 #       - this could be enabled if the respective tests were adapted
 #   MBEDTLS_ZLIB_SUPPORT
 #   MBEDTLS_PKCS11_C
-#   MBEDTLS_USE_PSA_CRYPTO
-#       - experimental, and more an alternative implementation than a feature
-#   MBEDTLS_PSA_ITS_FILE_C
 #   MBEDTLS_PSA_CRYPTO_SPM
 #   MBEDTLS_PSA_INJECT_ENTROPY
 #   and any symbol beginning _ALT
@@ -103,8 +100,6 @@ MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
 MBEDTLS_NO_UDBL_DIVISION
 MBEDTLS_NO_64BIT_MULTIPLICATION
-MBEDTLS_USE_PSA_CRYPTO
-MBEDTLS_PSA_ITS_FILE_C
 MBEDTLS_PSA_CRYPTO_SPM
 MBEDTLS_PSA_INJECT_ENTROPY
 _ALT\s*$

tests/scripts/all.sh

@@ -840,6 +840,7 @@ component_test_not_submodule_make () {
     scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA
     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule
     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA
+    scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA
     make CC=gcc CFLAGS='-g' USE_CRYPTO_SUBMODULE=0
 
     msg "test: submodule libmbedcrypto wasn't built (no USE_CRYPTO_SUBMODULE, make)"
@@ -863,6 +864,8 @@ component_test_not_submodule_cmake () {
     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule
     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA
+    scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA
+    scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA
     CC=gcc cmake -D CMAKE_BUILD_TYPE=Debug -D USE_CRYPTO_SUBMODULE=Off .
     make
 
@@ -880,33 +883,34 @@ component_test_not_submodule_cmake () {
     if_build_succeeded tests/ssl-opt.sh
 }
 
-component_test_use_psa_crypto_full_cmake_asan() {
-    # MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
+component_test_no_use_psa_crypto_full_cmake_asan() {
+    # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
     msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan"
     scripts/config.pl full
     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
     scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE  # restartable ECC not supported through PSA
     scripts/config.pl set MBEDTLS_PSA_CRYPTO_C
-    scripts/config.pl set MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C
     CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
     make
 
-    msg "test: main suites (MBEDTLS_USE_PSA_CRYPTO)"
+    msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)"
     make test
 
-    msg "test: ssl-opt.sh (MBEDTLS_USE_PSA_CRYPTO)"
+    msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
     if_build_succeeded tests/ssl-opt.sh
 
-    msg "test: compat.sh default (MBEDTLS_USE_PSA_CRYPTO)"
+    msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
     if_build_succeeded tests/compat.sh
 
-    msg "test: compat.sh ssl3 (MBEDTLS_USE_PSA_CRYPTO)"
+    msg "test: compat.sh ssl3 (full minus MBEDTLS_USE_PSA_CRYPTO)"
     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
 
-    msg "test: compat.sh RC4, DES & NULL (MBEDTLS_USE_PSA_CRYPTO)"
+    msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
 
-    msg "test: compat.sh ARIA + ChachaPoly (MBEDTLS_USE_PSA_CRYPTO)"
+    msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
     if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }