From 29d00fa8613033fafe27cd4c3dafa0e8360cb003 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Thu, 29 Jan 2026 16:20:19 +0100 Subject: [PATCH 01/11] Create a mbedtls_common.h for the project We already have `x509_internal.h` which is common to all parts of the X.509 library, and `ssl_misc.h` which is common to all parts of the TLS library. Also create `mbedtls_common.h` which is for the Mbed TLS project as a whole. Signed-off-by: Gilles Peskine
---
 library/mbedtls_common.h | 17 +++++++++++++++++ library/mbedtls_config.c | 4 ++++ library/ssl_misc.h | 2 +- library/x509_internal.h | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 library/mbedtls_common.h
diff --git a/library/mbedtls_common.h b/library/mbedtls_common.h
new file mode 100644
index 0000000000..11d7c8249f
--- /dev/null
+++ b/library/mbedtls_common.h
@@ -0,0 +1,17 @@
+/**
+ * \file mbedtls_common.h
+ *
+ * \brief Utility macros for internal use in the library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_MBEDTLS_COMMON_H
+#define MBEDTLS_MBEDTLS_COMMON_H
+
+/* Mbed TLS requires TF-PSA-Crypto internals. */
+#include "tf_psa_crypto_common.h"
+
+#endif /* MBEDTLS_MBEDTLS_COMMON_H */
diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c
index a3deae3152..48be660015 100644
--- a/library/mbedtls_config.c
+++ b/library/mbedtls_config.c
@@ -6,6 +6,10 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* We are a special snowflake: we don't include "mbedtls_common.h",
+ * because that would pull and we need to
+ * tune the way it works. */
+
 /* Apply the TF-PSA-Crypto configuration first. We need to do this
 * before , because "mbedtls_config_check_before.h"
 * needs to run after the crypto config (including derived macros) is
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index f8c03dfa2f..5f8980a20e 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -10,7 +10,7 @@
 #ifndef MBEDTLS_SSL_MISC_H
 #define MBEDTLS_SSL_MISC_H
-#include "tf_psa_crypto_common.h"
+#include "mbedtls_common.h"
 #include "mbedtls/build_info.h"
 #include "mbedtls/error.h"
diff --git a/library/x509_internal.h b/library/x509_internal.h
index ea3aeb6351..fcb996b19d 100644
--- a/library/x509_internal.h
+++ b/library/x509_internal.h
@@ -10,7 +10,7 @@
 #ifndef MBEDTLS_X509_INTERNAL_H
 #define MBEDTLS_X509_INTERNAL_H
-#include "tf_psa_crypto_common.h"
+#include "mbedtls_common.h"
 #include "mbedtls/build_info.h"
 #include "mbedtls/private_access.h"
From 3a988859504cd3f6b4a379560837a81356d4ffab Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Thu, 29 Jan 2026 16:25:15 +0100 Subject: [PATCH 02/11] Create a header to declare platform requirements On some platforms, the system headers expose different interfaces depending on what macros are defined, for example to provide different standards compliance level. Create a common place where we can declare such macros, so that our code can behave in the same way when it's in different files. Individual .c files can still override these requirements by defining macros before including the common header, if it's really necessary. Signed-off-by: Gilles Peskine
---
 library/mbedtls_common.h | 10 ++++++++++ library/mbedtls_platform_requirements.h | 18 ++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 library/mbedtls_platform_requirements.h
diff --git a/library/mbedtls_common.h b/library/mbedtls_common.h
index 11d7c8249f..2aacfcbc22 100644
--- a/library/mbedtls_common.h
+++ b/library/mbedtls_common.h
@@ -11,6 +11,16 @@
 #ifndef MBEDTLS_MBEDTLS_COMMON_H
 #define MBEDTLS_MBEDTLS_COMMON_H
+/* Before including any system header, declare some macros to tell system
+ * headers what we expect of them.
+ *
+ * Do this before including any header from TF-PSA-Crypto, since the
+ * convention is first-come-first-served (so that users can
+ * override some macros on the command line, and individual users can
+ * override some macros before including the common header).
+ */
+#include "mbedtls_platform_requirements.h"
+
 /* Mbed TLS requires TF-PSA-Crypto internals. */
 #include "tf_psa_crypto_common.h"
diff --git a/library/mbedtls_platform_requirements.h b/library/mbedtls_platform_requirements.h
new file mode 100644
index 0000000000..f6dd4ce4aa
--- /dev/null
+++ b/library/mbedtls_platform_requirements.h
@@ -0,0 +1,18 @@
+/**
+ * \file mbedtls_platform_requirements.h
+ *
+ * \brief Declare macros that tell system headers what we expect of them.
+ *
+ * This file must be included before any system header, and so in particular
+ * before build_info.h (which includes the user config, which may include
+ * system headers).
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H
+#define MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H
+
+#endif /* MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H */
From 7af09b4f219583973364df691b10f060031ae544 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Mon, 26 Jan 2026 17:45:48 +0100 Subject: [PATCH 03/11] Add a few more test cases for printf formats Signed-off-by: Gilles Peskine
---
 tests/suites/test_suite_debug.data | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)
diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data
index 3d72056528..d9a5c5c2ed 100644
--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
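Review bot: In the comment added to mbedtls_common.h, the parenthetical says "users" twice, whereas the commit message says the second group is individual .c files, so the stated precedence rule for these macros is ambiguous. Suggested wording: `so that users can override some macros on the command line, and individual source files can override some macros before including the common header`. The rest of the comment and the new, still empty, mbedtls_platform_requirements.h read fine.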
@@ -1,12 +1,46 @@
 printf "%" MBEDTLS_PRINTF_SIZET, 0
 printf_int_expr:PRINTF_SIZET:sizeof(size_t):0:"0"
+printf "%" MBEDTLS_PRINTF_SIZET, 1 byte
+printf_int_expr:PRINTF_SIZET:sizeof(size_t):42:"42"
+
+printf "%" MBEDTLS_PRINTF_SIZET, 4 bytes
+printf_int_expr:PRINTF_SIZET:sizeof(size_t):0xfedcba98:"4275878552"
+
+printf "%" MBEDTLS_PRINTF_SIZET, 8 bytes
+depends_on:SIZE_MAX>=0xffffffffffffffff
+printf_int_expr:PRINTF_SIZET:sizeof(size_t):0xfedcba9876543210:"18364758544493064720"
+
 printf "%" MBEDTLS_PRINTF_LONGLONG, 0
 printf_int_expr:PRINTF_LONGLONG:sizeof(long long):0:"0"
+printf "%" MBEDTLS_PRINTF_LONGLONG, 1 byte
+printf_int_expr:PRINTF_LONGLONG:sizeof(long long):42:"42"
+
+printf "%" MBEDTLS_PRINTF_LONGLONG, 4 bytes
+printf_int_expr:PRINTF_LONGLONG:sizeof(long long):0xfedcba98:"4275878552"
+
+printf "%" MBEDTLS_PRINTF_LONGLONG, 8 bytes
+printf_int_expr:PRINTF_LONGLONG:sizeof(long long):0x7edcba9876543210:"9141386507638288912"
+
+printf "%" MBEDTLS_PRINTF_LONGLONG, 8 bytes, negative
+printf_int_expr:PRINTF_LONGLONG:sizeof(long long):-0x7edcba9876543210:"-9141386507638288912"
+
 printf "%" MBEDTLS_PRINTF_MS_TIME, 0
 printf_int_expr:PRINTF_MS_TIME:sizeof(mbedtls_ms_time_t):0:"0"
+printf "%" MBEDTLS_PRINTF_MS_TIME, 1 byte
+printf_int_expr:PRINTF_MS_TIME:sizeof(mbedtls_ms_time_t):42:"42"
+
+printf "%" MBEDTLS_PRINTF_MS_TIME, 4 bytes
+printf_int_expr:PRINTF_MS_TIME:sizeof(mbedtls_ms_time_t):0xfedcba98:"4275878552"
+
+printf "%" MBEDTLS_PRINTF_MS_TIME, 8 bytes
+printf_int_expr:PRINTF_MS_TIME:sizeof(mbedtls_ms_time_t):0x7edcba9876543210:"9141386507638288912"
+
+printf "%" MBEDTLS_PRINTF_MS_TIME, 8 bytes, negative
+printf_int_expr:PRINTF_MS_TIME:sizeof(mbedtls_ms_time_t):-0x7edcba9876543210:"-9141386507638288912"
+
 Debug print msg (threshold 1, level 0)
 debug_print_msg_threshold:1:0:"MyFile":999:"MyFile(0999)\: Text message, 2 == 2\n"
From 3c67824964cc7a64eb919d98585ec412d1f5a5b3 Mon Sep 17 00:00:00 2001
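Review bot: The new `0xfedcba98` case for MBEDTLS_PRINTF_SIZET carries no dependency line, so on a target where `sizeof(size_t) == sizeof(int)` it takes the `(int) x` branch of printf_int_expr (visible in the test_suite_debug.function hunk of patch 04). On a typical 32-bit target that value is above INT_MAX, so the conversion is implementation-defined and an `int` is handed to a `%zu` conversion; the expected string "4275878552" only appears if the platform wraps the way the test assumes. Either record that assumption next to the case or have the test function pass an unsigned type for unsigned formats. The signed groups also stop at plus or minus 0x7edcba9876543210, so the most negative `long long` value is not exercised.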
From: Gilles Peskine Date: Tue, 17 Feb 2026 17:08:12 +0100 Subject: [PATCH 04/11] test_suite_debug: test the printf used by debug.c In `test_suite_debug`, test `mbedtls_debug_snprintf()`, which uses `mbedtls_vsnprintf()` like `mbedtls_debug_print_msg()`. Do this instead of testing `mbedtls_snprintf()`, which might be subtly different (older Windows runtimes had slightly different behavior for vsnprintf() vs snprintf(); TF-PSA-Crypto might pick up a different function if the platform configuration is different in TF-PSA-Crypto and Mbed TLS). Signed-off-by: Gilles Peskine
---
 library/debug.c | 10 ++++++++++ library/debug_internal.h | 13 +++++++++++++ tests/suites/test_suite_debug.function | 6 +++--- 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/library/debug.c b/library/debug.c
index e622ac9ed4..c27d15d12e 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -21,6 +21,16 @@
 /* DEBUG_BUF_SIZE must be at least 2 */
 #define DEBUG_BUF_SIZE 512
+int mbedtls_debug_snprintf(char *dest, size_t maxlen,
+ const char *format, ...)
+{
+ va_list argp;
+ va_start(argp, format);
+ int ret = mbedtls_vsnprintf(dest, maxlen, format, argp);
+ va_end(argp);
+ return ret;
+}
+
 static int debug_threshold = 0;
 void mbedtls_debug_set_threshold(int threshold)
diff --git a/library/debug_internal.h b/library/debug_internal.h
index d09e492094..2b869450f6 100644
--- a/library/debug_internal.h
+++ b/library/debug_internal.h
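Review bot: mbedtls_debug_snprintf() is added to debug.c with external linkage although the header comment in this same patch describes it as a non-API helper that the library itself must not use, so every build that compiles this file exports an extra printf-style entry point. If the debug test suite can live with the dependency, consider wrapping the definition and its declaration in `#if defined(MBEDTLS_TEST_HOOKS)`; whether that fits depends on the guards around this part of debug.c, which are outside the hunk. If it has to stay unconditional, say so in a comment above the definition so the symbol is not mistaken for supported API.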
@@ -12,6 +12,19 @@
 #include "mbedtls/debug.h"
+/* This should be equivalent to mbedtls_snprintf(). But it might not be due
+ * to platform shenanigans. For example, Mbed TLS and TF-PSA-Crypto could
+ * have inconsistent platform definitions. On Mingw, some code might
+ * be built with a different setting of __USE_MINGW_ANSI_STDIO, resulting
+ * in an old non-C99 printf being used somewhere.
+ *
+ * Our library assumes that mbedtls_snprintf() and other printf functions
+ * are consistent throughout. This function is not an official API and
+ * is not meant to be used inside the library. It is provided to help
+ * debugging printf inconsistencies issues. If you need it, good luck!
+ */
+int mbedtls_debug_snprintf(char *dest, size_t maxlen,
+ const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(3, 4);
 /**
 * \brief Print a message to the debug output. This function is always used
 * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index 05b0112b93..2d5e5619b6 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
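Review bot: The comment above the mbedtls_debug_snprintf() declaration explains why the helper exists but not its contract, and the contract is exactly what differs between a C99 printf and the legacy one the comment mentions. I would add a sentence such as `Returns the value of mbedtls_vsnprintf() unchanged: it may be negative or >= maxlen, and on a non-C99 runtime dest may be left without a terminating null byte, so check the result before treating dest as a string.` Also, "printf inconsistencies issues" should read "printf inconsistency issues". No added blank line follows the declaration, so it appears to sit directly against the next function's `/**` block; a blank line there would keep the two apart.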
@@ -116,11 +116,11 @@ void printf_int_expr(int format_indicator, intmax_t sizeof_x, intmax_t x, char *
 /* Nominal case: buffer just large enough */
 TEST_CALLOC(output, n + 1);
 if ((size_t) sizeof_x <= sizeof(int)) { // Any smaller integers would be promoted to an int due to calling a vararg function
- TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, (int) x));
+ TEST_EQUAL(n, mbedtls_debug_snprintf(output, n + 1, format, (int) x));
 } else if (sizeof_x == sizeof(long)) {
- TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, (long) x));
+ TEST_EQUAL(n, mbedtls_debug_snprintf(output, n + 1, format, (long) x));
 } else if (sizeof_x == sizeof(long long)) {
- TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, (long long) x));
+ TEST_EQUAL(n, mbedtls_debug_snprintf(output, n + 1, format, (long long) x));
 } else {
 TEST_FAIL(
 "sizeof_x <= sizeof(int) || sizeof_x == sizeof(long) || sizeof_x == sizeof(long long)");
From cdf3b0a535ba3dab4f72c754c512333883ca1bf7 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Fri, 30 Jan 2026 20:39:10 +0100 Subject: [PATCH 05/11] MingW: insist on standard-compliant printf() and friends Always activate `__USE_MINGW_ANSI_STDIO` unless overridden on the command line. This is necessary with older versions of MingW and/or Windows, where snprintf does not always zero-terminate the buffer, and does not support formats such as `"%zu"` for size_t and `"%lld"` for long long. Simplify debug.h accordingly. The macros `MBEDTLS_PRINTF_SIZET`, `MBEDTLS_PRINTF_SIZET_HAX` and `MBEDTLS_PRINTF_LONGLONG` are no longer needed, but they are still used in our code base and must stay in debug.h for backward compatibility. Signed-off-by: Gilles Peskine
---
 include/mbedtls/debug.h | 35 +++++++------------------ library/mbedtls_platform_requirements.h | 14 ++++++++++ 2 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h
index 87ea6c3150..b8273bc757 100644
--- a/include/mbedtls/debug.h
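Review bot: All three updated calls in printf_int_expr still pass a buffer of `n + 1` bytes, so the visible part of the test only covers output that fits. The defect this series guards against, a snprintf that does not always zero-terminate the buffer (per the patch 05 message), shows up when the buffer is too small. A further call with `maxlen` equal to `n`, checking both the return value and that `output[n - 1]` is the null byte, would pin the behaviour that matters. The function continues beyond this hunk, so such a case may already exist below the visible lines.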
+++ b/include/mbedtls/debug.h
@@ -59,10 +59,10 @@
 */
 #if defined(__has_attribute)
 #if __has_attribute(format)
-#if defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 1
+#if defined(__MINGW32__)
 #define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check) \
 __attribute__((__format__(gnu_printf, string_index, first_to_check)))
-#else /* defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 1 */
+#else /* defined(__MINGW32__) */
 #define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check) \
 __attribute__((format(printf, string_index, first_to_check)))
 #endif
@@ -73,30 +73,15 @@
 #define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check)
 #endif
-/**
- * \def MBEDTLS_PRINTF_SIZET
- *
- * MBEDTLS_PRINTF_xxx: Due to issues with older window compilers
- * and MinGW we need to define the printf specifier for size_t
- * and long long per platform.
- *
- * Module: library/debug.c
- * Caller:
- *
- * This module provides debugging functions.
+/* Legacy definitions, kept for backward compatibility.
+ * Since Mbed TLS 4.1, the standard specifiers are always valid.
+ * We still define the macros because they're part of the Mbed TLS 4.0 API.
+ * In the library and test code, keep using them for code that's backported
+ * to 3.6.
 */
-#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900)
- #include
- #define MBEDTLS_PRINTF_SIZET PRIuPTR
- #define MBEDTLS_PRINTF_SIZET_HEX PRIxPTR
- #define MBEDTLS_PRINTF_LONGLONG "I64d"
-#else \
- /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
- #define MBEDTLS_PRINTF_SIZET "zu"
- #define MBEDTLS_PRINTF_SIZET_HEX "zx"
- #define MBEDTLS_PRINTF_LONGLONG "lld"
-#endif \
- /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
+#define MBEDTLS_PRINTF_SIZET "zu"
+#define MBEDTLS_PRINTF_SIZET_HEX "zx"
+#define MBEDTLS_PRINTF_LONGLONG "lld"
 #if !defined(MBEDTLS_PRINTF_MS_TIME)
 #include
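Review bot: With the `__USE_MINGW_ANSI_STDIO == 1` test removed in the first hunk, MBEDTLS_PRINTF_ATTRIBUTE selects `gnu_printf` for every MinGW build, and the second hunk makes MBEDTLS_PRINTF_SIZET, MBEDTLS_PRINTF_SIZET_HEX and MBEDTLS_PRINTF_LONGLONG expand to `"zu"`, `"zx"` and `"lld"` unconditionally. This is a public header, however, and the macro that makes those specifiers valid is forced only in the internal mbedtls_platform_requirements.h. An application that includes mbedtls/debug.h on MinGW without that setting, or a library build using the `__USE_MINGW_ANSI_STDIO=0` override that the requirements header documents, gets format strings the runtime may not implement while the compiler checks them as if it did, and a misread length modifier makes the following variadic arguments be consumed at the wrong width. I would keep the attribute conditional, for example `#if defined(__MINGW32__) && defined(__USE_MINGW_ANSI_STDIO) && __USE_MINGW_ANSI_STDIO != 0`, and state in the new "Legacy definitions" comment that on MinGW these macros are valid only when the including code is built with `__USE_MINGW_ANSI_STDIO` enabled. The dropped `_MSC_VER < 1900` branch deserves a sentence there as well, since those compilers previously received `"I64d"`.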
diff --git a/library/mbedtls_platform_requirements.h b/library/mbedtls_platform_requirements.h
index f6dd4ce4aa..c86204e6fa 100644
--- a/library/mbedtls_platform_requirements.h
+++ b/library/mbedtls_platform_requirements.h
@@ -15,4 +15,18 @@
 #ifndef MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H
 #define MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H
+/* On Mingw-w64, force the use of a C99-compliant printf() and friends.
+ * This is necessary on older versions of Mingw and/or Windows runtimes
+ * where snprintf does not always zero-terminate the buffer, and does
+ * not support formats such as "%zu" for size_t and "%lld" for long long.
+ *
+ * Defining __USE_MINGW_ANSI_STDIO=0 may work and provide a small code size
+ * and performance benefit for some combinations of older Mingw and Windows
+ * versions. Do this at your own risk and make sure that least
+ * test_suite_debug passes.
+ */
+#if !defined(__USE_MINGW_ANSI_STDIO)
+#define __USE_MINGW_ANSI_STDIO 1
+#endif
+
 #endif /* MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H */
From 64ff7fc1dcd1354479664d6a42e83ea098eeaad2 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Fri, 20 Feb 2026 17:54:06 +0100 Subject: [PATCH 06/11] Stop using MBEDTLS_PRINTF_SIZET Since Mbed TLS 3.6.0, all officially supported versions of Visual Studio a printf function family that is sufficiently compliant to C99 for our purposes, in particular supporting `%zu` for `size_t`. The only platform without `%zu` that we semi-officially support is older versions of MinGW, still used in our CI. MinGW provides either a Windows legacy printf or a standards-compliant printf depending on the value of `__USE_MINGW_ANSI_STDIO` when compiling each C file. Force the use of the compliant version. Don't rely on `MBEDTLS_PRINTF_SIZET`, which is defined in `` and no longer considers the Windows legacy version in Mbed TLS >= 4.1.
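Review bot: The `#define __USE_MINGW_ANSI_STDIO 1` block in mbedtls_platform_requirements.h is emitted for every toolchain, not only MinGW, and it defines an implementation-reserved identifier; `#if defined(__MINGW32__) && !defined(__USE_MINGW_ANSI_STDIO)` would limit it to the platform the comment describes. The comment has a dropped word: "make sure that least test_suite_debug passes" should read "make sure that at least test_suite_debug passes". Because the override to 0 is documented here as possible, the comment should also name the places that now assume a C99 printf (the format attribute and specifier macros in debug.h), so that anyone choosing 0 knows what to re-verify.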
Signed-off-by: Gilles Peskine
---
 programs/ssl/ssl_client2.c | 8 ++------ programs/ssl/ssl_context_info.c | 9 +++++++++ programs/ssl/ssl_server2.c | 2 -- programs/ssl/ssl_test_lib.h | 11 +++++++++++ programs/test/selftest.c | 12 ++++++++++-- 5 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cb316706b7..fc00473cfc 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -5,14 +5,8 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
-#include "mbedtls/private/pk_private.h"
-
 #include "ssl_test_lib.h"
-#include "test/psa_crypto_helpers.h"
-
 #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
 int main(void)
 {
@@ -27,6 +21,8 @@ int main(void)
 }
 #else /* !MBEDTLS_SSL_TEST_IMPOSSIBLE && MBEDTLS_SSL_CLI_C */
+#include "test/psa_crypto_helpers.h"
+
 /* Size of memory to be allocated for the heap, when using the library's memory
 * management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */
 #define MEMORY_HEAP_SIZE 120000
diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c
index 8310bd21f3..9d7fb99e09 100644
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@@ -5,6 +5,15 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* On Mingw-w64, force the use of a C99-compliant printf() and friends.
+ * This is necessary on older versions of Mingw and/or Windows runtimes
+ * where snprintf does not always zero-terminate the buffer, and does
+ * not support formats such as "%zu" for size_t and "%lld" for long long.
+ */
+#if !defined(__USE_MINGW_ANSI_STDIO)
+#define __USE_MINGW_ANSI_STDIO 1
+#endif
+
 #include "mbedtls/build_info.h"
 #include "mbedtls/debug.h"
 #include "mbedtls/platform.h"
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 0ae2f79303..79cbad877d 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
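Review bot: The `__USE_MINGW_ANSI_STDIO` block added at the top of ssl_context_info.c is repeated verbatim in ssl_test_lib.h and selftest.c later in this patch, and all three copy the one in library/mbedtls_platform_requirements.h. Each copy only works while it stays ahead of the first system header, which is easy to break when an include is later added above one of them. A single small header under programs/ that these files include first would keep them in step without pulling in library internals. If the copies are kept, add `/* Keep in sync with library/mbedtls_platform_requirements.h */` to each.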
@@ -5,8 +5,6 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
 #include "ssl_test_lib.h"
 #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index 62da9e92c8..491da1dd5f 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -8,6 +8,17 @@
 #ifndef MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H
 #define MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H
+/* On Mingw-w64, force the use of a C99-compliant printf() and friends.
+ * This is necessary on older versions of Mingw and/or Windows runtimes
+ * where snprintf does not always zero-terminate the buffer, and does
+ * not support formats such as "%zu" for size_t and "%lld" for long long.
+ */
+#if !defined(__USE_MINGW_ANSI_STDIO)
+#define __USE_MINGW_ANSI_STDIO 1
+#endif
+
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
 #include "mbedtls/private/pk_private.h"
 #include "mbedtls/build_info.h"
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index 7312edf690..51cd45f026 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -5,6 +5,15 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* On Mingw-w64, force the use of a C99-compliant printf() and friends.
+ * This is necessary on older versions of Mingw and/or Windows runtimes
+ * where snprintf does not always zero-terminate the buffer, and does
+ * not support formats such as "%zu" for size_t and "%lld" for long long.
+ */
+#if !defined(__USE_MINGW_ANSI_STDIO)
+#define __USE_MINGW_ANSI_STDIO 1
+#endif
+
 #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
 #include "mbedtls/build_info.h"
@@ -441,8 +450,7 @@ int main(int argc, char *argv[])
 } \
 } else { \
 mbedtls_printf("Padding checks only implemented for types of size 2, 4 or 8" \
- " - cannot check type '" #TYPE "' of size %" MBEDTLS_PRINTF_SIZET \
- "\n", \
+ " - cannot check type '" #TYPE "' of size %zu\n", \
 sizeof(TYPE)); \
 mbedtls_exit(MBEDTLS_EXIT_FAILURE); \
 } \
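Review bot: Moving `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` into ssl_test_lib.h grants private-field access to every file that includes this header, not just the two programs that previously opted in. It also takes effect only while ssl_test_lib.h is the first Mbed TLS header in the translation unit. ssl_client2.c and ssl_server2.c satisfy that in this patch; any other includers are not visible here. A comment at the define such as `/* Must precede every mbedtls header: include ssl_test_lib.h first. */` would make the ordering requirement explicit for the next person who adds an include above it.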
From 4ec9536339a8209720633a78c76f74d707976522 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Thu, 26 Feb 2026 21:34:32 +0100 Subject: [PATCH 07/11] Temporarily force standard *printf functions on MingW On MingW, temporarily force the use of the standard versions of `snprintf()` and `vsnprintf()` (since we set `__USE_MINGW_ANSI_STDIO` in `mbedtls_platform_requirements.h`). Do not honor `platform.h` configuration, because with the current TF-PSA-Crypto, `MBEDTLS_PLATFORM_VSNPRINTF_ALT and `MBEDTLS_PLATFORM_SNPRINTF_ALT` are always enabled on MinGW, so what matters is the setting of `__USE_MINGW_ANSI_STDIO` when `platform.c` is built, and until https://github.com/Mbed-TLS/TF-PSA-Crypto/pull/694, the legacy printf functions are used there. Revert this commit once the `tf-psa-crypto` module is updated with the merge of https://github.com/Mbed-TLS/TF-PSA-Crypto/pull/694. Signed-off-by: Gilles Peskine
---
 library/debug.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/library/debug.c b/library/debug.c
index c27d15d12e..59969070c4 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -21,6 +21,20 @@
 /* DEBUG_BUF_SIZE must be at least 2 */
 #define DEBUG_BUF_SIZE 512
+/* Temporary hack: on MingW, do not honor the platform.h configuration
+ * for snprintf and vsnprintf. Instead, force the native functions,
+ * which are the standard ones, not the Windows legacy ones.
+ *
+ * This hack should be removed once TF-PSA-Crypto has been updated to
+ * use the standard printf family.
+ */
+#if defined(__MINGW32__)
+#undef mbedtls_snprintf
+#define mbedtls_snprintf snprintf
+#undef mbedtls_vsnprintf
+#define mbedtls_vsnprintf vsnprintf
+#endif
+
 int mbedtls_debug_snprintf(char *dest, size_t maxlen,
 const char *format, ...)
 {
From eb1328285ba28159e8d6f0f36eb76d120ae10fb4 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Sat, 28 Feb 2026 11:54:57 +0000 Subject: [PATCH 08/11] Update framework with support for standard printf on MinGW
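Review bot: The `#if defined(__MINGW32__)` block redefines mbedtls_snprintf and mbedtls_vsnprintf for the rest of debug.c, so on MinGW an integrator's platform.h replacement is silently bypassed for debug output. The comment's claim that the native functions "are the standard ones" also holds only while `__USE_MINGW_ANSI_STDIO` is non-zero. Because mbedtls_platform_requirements.h documents building with it set to 0, that configuration would send debug formatting straight to the legacy functions the series describes as not always terminating the buffer. I would tighten the guard to `#if defined(__MINGW32__) && defined(__USE_MINGW_ANSI_STDIO) && __USE_MINGW_ANSI_STDIO != 0`, so the other case falls back to the configured platform functions. The TF-PSA-Crypto pull request from the commit message should be named next to "This hack should be removed", which makes the removal condition traceable from the code.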
Signed-off-by: Gilles Peskine
---
 framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework b/framework
index 8ed11c99fe..e07b6643e8 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 8ed11c99fe9e6d4d96289ebc1e134949421be917
+Subproject commit e07b6643e8db5fe2fdc20be288b91a2194316862
From a3d55d9ec71a7366e581447d2b0495d8795a22df Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Mon, 2 Mar 2026 13:21:01 +0100 Subject: [PATCH 09/11] Document the purpose of mbedtls_common.h Signed-off-by: Gilles Peskine
---
 library/mbedtls_common.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/library/mbedtls_common.h b/library/mbedtls_common.h
index 2aacfcbc22..ef8448e12b 100644
--- a/library/mbedtls_common.h
+++ b/library/mbedtls_common.h
@@ -1,7 +1,19 @@
 /**
 * \file mbedtls_common.h
 *
- * \brief Utility macros for internal use in the library
+ * \brief Utility macros for internal use in the library.
+ *
+ * This file should be included as the first thing in all library C files
+ * (directly, or indirectly via x509_internal.h or ssl_misc.h).
+ * It must not be included by sample programs, since sample programs
+ * illustrate what you can do without the library sources.
+ * It may be included (often indirectly) by test code that isn't purely
+ * black-box testing.
+ *
+ * This file takes care of setting up requirements for platform headers.
+ * It includes the library configuration and derived macros.
+ * It additionally defines various utility macros and other definitions
+ * (but no function declarations).
 */
 /*
 * Copyright The Mbed TLS Contributors
From 436f1e30ad3eab1032ddf6a31bff9d054b8b9479 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Mon, 2 Mar 2026 13:22:42 +0100 Subject: [PATCH 10/11] Include the config in mbedtls_commmon.h as promised Signed-off-by: Gilles Peskine
---
 library/mbedtls_common.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/library/mbedtls_common.h b/library/mbedtls_common.h
index ef8448e12b..43dac8266b 100644
--- a/library/mbedtls_common.h
+++ b/library/mbedtls_common.h
@@ -33,6 +33,10 @@
 */
 #include "mbedtls_platform_requirements.h"
+/* From this point onwards, ensure we have the library configuration and
+ * the configuration-derived macros. */
+#include
+
 /* Mbed TLS requires TF-PSA-Crypto internals. */
 #include "tf_psa_crypto_common.h"
From 29192f0a00d1fbdc8e35f7e7dbe710b340cdb761 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Mon, 2 Mar 2026 13:23:50 +0100 Subject: [PATCH 11/11] Use the mbedtls_common.h in generated library .c files as well Signed-off-by: Gilles Peskine
---
 scripts/data_files/error.fmt | 4 ++-- scripts/data_files/version_features.fmt | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index 69bec9fe40..0d91ccbf32 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -1,11 +1,11 @@
-/*
+/* -*-c-*-
 * Error message information
 *
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-#include "tf_psa_crypto_common.h"
+#include "mbedtls_common.h"
 #include "mbedtls/error.h"
diff --git a/scripts/data_files/version_features.fmt b/scripts/data_files/version_features.fmt
index fc71f5d777..4b28764a7e 100644
--- a/scripts/data_files/version_features.fmt
+++ b/scripts/data_files/version_features.fmt
@@ -1,11 +1,11 @@
-/*
+/* -*-c-*-
 * Version feature information
 *
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-#include "ssl_misc.h"
+#include "mbedtls_common.h"
 #if defined(MBEDTLS_VERSION_C)