diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index e40482a99a..7b7ff49f5a 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -68,6 +68,11 @@
 #include MBEDTLS_USER_CONFIG_FILE
 #endif
+/* For the sake of consistency checks in mbedtls_config.c */
+#if defined(MBEDTLS_INCLUDE_AFTER_RAW_CONFIG)
+#include MBEDTLS_INCLUDE_AFTER_RAW_CONFIG
+#endif
+
 /* Indicate that all configuration files have been read.
 * It is now time to adjust the configuration (follow through on dependencies,
 * make PSA and legacy crypto consistent, etc.).
diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c
index 679f8e36f9..a3deae3152 100644
--- a/library/mbedtls_config.c
+++ b/library/mbedtls_config.c
@@ -6,8 +6,29 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* Apply the TF-PSA-Crypto configuration first. We need to do this
+ * before , because "mbedtls_config_check_before.h"
+ * needs to run after the crypto config (including derived macros) is
+ * finalized, but before the user's mbedtls config is applied. This way
+ * it is possible to differentiate macros set by the user's mbedtls config
+ * from macros set or derived by the crypto config. */
+#include
+
+/* Consistency checks on the user's configuration.
+ * Check that it doesn't define macros that we assume are under full
+ * control of the library, or options from past major versions that
+ * no longer have any effect.
+ * These headers are automatically generated. See
+ * framework/scripts/mbedtls_framework/config_checks_generator.py
+ */
+#include "mbedtls_config_check_before.h"
+#define MBEDTLS_INCLUDE_AFTER_RAW_CONFIG "mbedtls_config_check_user.h"
+
 #include
 /* Consistency checks in the configuration: check for incompatible options,
 * missing options when at least one of a set needs to be enabled, etc. */
+/* Manually written checks */
 #include "mbedtls_check_config.h"
+/* Automatically generated checks */
+#include "mbedtls_config_check_final.h"
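Review bot: The new `MBEDTLS_INCLUDE_AFTER_RAW_CONFIG` block in include/mbedtls/build_info.h sits in a public header, so it is processed by every translation unit that includes it, yet the comment only says it exists for mbedtls_config.c. Anything that defines the macro, for instance a `-D` flag in an application build, gets its header pulled in after the user configuration and before the adjustment step. The comment should say that the macro is internal and not a supported option, e.g. `/* Internal hook, defined only by library/mbedtls_config.c to run generated checks on the raw user configuration. Not a configuration option: do not define it elsewhere. */`.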
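Review bot: Nothing in library/mbedtls_config.c confirms that `mbedtls_config_check_user.h` was actually included. The `#define MBEDTLS_INCLUDE_AFTER_RAW_CONFIG` only takes effect if the `#include` that follows it is the first time the build_info.h hook is processed in this translation unit. If an earlier include ever pulled that header in first (the include targets are not legible in this view, so this is hypothetical), its include guard would skip the hook and the user-configuration checks would be dropped without any diagnostic. Consider having the generated header define a marker macro and adding an `#error` after the include when the marker is absent, so the checks fail closed.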