From 5d479d805028af50a939e57a87958253265057f5 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 17 Feb 2026 17:16:48 +0100
Subject: [PATCH 1/5] Update tf-psa-crypto with unified Unix detection

Signed-off-by: Gilles Peskine
---
 tf-psa-crypto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf-psa-crypto b/tf-psa-crypto
index 4587e3f861..293cfe5ece 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 4587e3f861c29a8aa1439078aef4ed593d07a34b
+Subproject commit 293cfe5eceed98a2ee75d5241a78657b466750c7

From e8dec9c0310adfb1be6795e17407136adcd70c76 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 16 Jan 2026 18:55:24 +0100
Subject: [PATCH 2/5] Unify the detection of Unix-like platforms

We were using slightly different guards to decide whether to include `` in different places. Unify those.

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/unistd.txt | 3 +++
 library/net_sockets.c | 4 +---
 2 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 ChangeLog.d/unistd.txt

diff --git a/ChangeLog.d/unistd.txt b/ChangeLog.d/unistd.txt
new file mode 100644
index 0000000000..d2e4d4301a
--- /dev/null
+++ b/ChangeLog.d/unistd.txt
@@ -0,0 +1,3 @@
+Changes
+ * Tweak the detection of Unix-like platforms, which makes more system
+ interfaces (timing, threading) available on Haiku, QNX and Midipix.
diff --git a/library/net_sockets.c b/library/net_sockets.c
index ca70f3797b..25f06824cb 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -19,9 +19,7 @@
 #if defined(MBEDTLS_NET_C)
-#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
- !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__) && !defined(__midipix__)
+#if !defined(MBEDTLS_PLATFORM_IS_UNIXLIKE) && !defined(_WIN32)
 #error "This module only works on Unix and Windows, see MBEDTLS_NET_C in mbedtls_config.h"
 #endif

From 37fd7d52102bd6a75ad0a814f9775f70a36fb88c Mon Sep 17 00:00:00 2001
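Review bot: The new guard `#if !defined(MBEDTLS_PLATFORM_IS_UNIXLIKE) && !defined(_WIN32)` relies on a macro that nothing in this series defines; the subject of patch 1 suggests it comes from the updated tf-psa-crypto submodule, so the check is only right if that header is already reached through `ssl_misc.h` by the time this line is compiled. If it is not, the guard fails closed on every Unix-like platform (the `#error` fires), which is safe but puzzling, and the diagnostic still names only "Unix and Windows". Consider naming the macro in the message so a porter knows what to define: `#error "This module only works on Unix-like platforms (MBEDTLS_PLATFORM_IS_UNIXLIKE) and Windows (_WIN32), see MBEDTLS_NET_C in mbedtls_config.h"`. The `#include "ssl_misc.h"` that precedes this guard is visible only in the patch 3 hunk for the same file, not here.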
From: Gilles Peskine
Date: Fri, 30 Jan 2026 18:06:56 +0100
Subject: [PATCH 3/5] Start from a clean baseline for C11 ext1 and POSIX features

Define `_POSIX_C_SOURCE` and `_XOPEN_SOURCE` in a single place that applies everywhere, to make things simple. This may break some platforms that require special handling for POSIX functions and types. Subsequent commits will add platform-specific hacks as needed.

Signed-off-by: Gilles Peskine
---
 library/mbedtls_platform_requirements.h | 14 ++++++++++++++
 library/net_sockets.c | 10 ----------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/library/mbedtls_platform_requirements.h b/library/mbedtls_platform_requirements.h
index c86204e6fa..c4f959191f 100644
--- a/library/mbedtls_platform_requirements.h
+++ b/library/mbedtls_platform_requirements.h
@@ -15,6 +15,20 @@
 #ifndef MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H
 #define MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H
+#if !defined(_POSIX_C_SOURCE)
+/* For standards-compliant access to
+ * getaddrinfo(),
+ * ... */
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(_XOPEN_SOURCE)
+/* For standards-compliant access to
+ * sockaddr_storage,
+ * ... */
+#define _XOPEN_SOURCE 600
+#endif
+
 /* On Mingw-w64, force the use of a C99-compliant printf() and friends.
 * This is necessary on older versions of Mingw and/or Windows runtimes
 * where snprintf does not always zero-terminate the buffer, and does
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 25f06824cb..404ef761ae 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
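Review bot: The two new comment blocks end in `* ... */` placeholders, and they drop the constraint the old net_sockets.c comment (removed in this patch's second hunk) documented: feature-test macros only take effect if they are defined before the first system header, including the ones mbedtls_config.h pulls in indirectly via glibc's features.h. That is exactly the ordering patch 5 has to restore for TF-PSA-Crypto, so it belongs on this header too, e.g. `/* Must be included before any system header: feature-test macros are only honoured if defined before <features.h> is first read. */`. The definitions are now unconditional on every platform rather than only in the one module that needed getaddrinfo()/sockaddr_storage, so the removed comment's "Harmless on other platforms" claim should be restated here or re-checked against the non-Unix targets the library supports. On glibc, `_XOPEN_SOURCE 600` already implies `_POSIX_C_SOURCE 200112L`, so a one-line note on why both are set would help the next reader.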
@@ -5,16 +5,6 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
- * be set before mbedtls_config.h, which pulls in glibc's features.h indirectly.
- * Harmless on other platforms. */
-#ifndef _POSIX_C_SOURCE
-#define _POSIX_C_SOURCE 200112L
-#endif
-#ifndef _XOPEN_SOURCE
-#define _XOPEN_SOURCE 600 /* sockaddr_storage */
-#endif
-
 #include "ssl_misc.h"
 #if defined(MBEDTLS_NET_C)

From 037f3c62ff62faa6876c331cd6f3c3d622aef1eb Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Sat, 21 Feb 2026 20:20:02 +0100
Subject: [PATCH 4/5] Tell MSVC to allow non-s functions where needed

Signed-off-by: Gilles Peskine
---
 library/mbedtls_platform_requirements.h | 9 +++++++++
 programs/ssl/ssl_test_lib.h | 9 +++++++++
 programs/util/pem2der.c | 9 +++++++++
 programs/x509/cert_req.c | 9 +++++++++
 programs/x509/cert_write.c | 9 +++++++++
 5 files changed, 45 insertions(+)

diff --git a/library/mbedtls_platform_requirements.h b/library/mbedtls_platform_requirements.h
index c4f959191f..ad27fef450 100644
--- a/library/mbedtls_platform_requirements.h
+++ b/library/mbedtls_platform_requirements.h
@@ -43,4 +43,13 @@
 #define __USE_MINGW_ANSI_STDIO 1
 #endif
+/* Tell MSVC that we're ok with using classic C functions even
+ * when an `_s` variant exist. For most functions, the improvements
+ * of the `_s` variants are of limited usefulness and not worth
+ * the portability headaches.
+ */
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
 #endif /* MBEDTLS_MBEDTLS_PLATFORM_REQUIREMENTS_H */
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index 491da1dd5f..a9384d16df 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
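Review bot: The same nine-line `_CRT_SECURE_NO_DEPRECATE` block is pasted verbatim into programs/ssl/ssl_test_lib.h, programs/util/pem2der.c, programs/x509/cert_req.c and programs/x509/cert_write.c as well as this header; the comment should say why the programs cannot simply include library/mbedtls_platform_requirements.h, or a small shared header under programs/ would keep the five copies from drifting apart. The comment also has a grammar slip: `variant exist` should read `variant exists`. Because this macro is only honoured when it is defined before the first CRT header is read, placement matters for each copy; in ssl_test_lib.h the block lands after an existing MinGW block at line 17, and whatever precedes that must not already include `<stdio.h>` or similar (not verifiable from the hunk). Finally, `_CRT_SECURE_NO_WARNINGS` is the name current Microsoft documentation uses for this opt-out while `_CRT_SECURE_NO_DEPRECATE` is the older, still-honoured spelling; a short comment on the choice would save the next reader a lookup.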
@@ -17,6 +17,15 @@
 #define __USE_MINGW_ANSI_STDIO 1
 #endif
+/* Tell MSVC that we're ok with using classic C functions even
+ * when an `_s` variant exist. For most functions, the improvements
+ * of the `_s` variants are of limited usefulness and not worth
+ * the portability headaches.
+ */
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include "mbedtls/private/pk_private.h"
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index 177365b87c..191988082f 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -5,6 +5,15 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* Tell MSVC that we're ok with using classic C functions even
+ * when an `_s` variant exist. For most functions, the improvements
+ * of the `_s` variants are of limited usefulness and not worth
+ * the portability headaches.
+ */
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
 #include "mbedtls/build_info.h"
 #include "mbedtls/platform.h"
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 0d7b5a1e6e..d6e22aaf8c 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -5,6 +5,15 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* Tell MSVC that we're ok with using classic C functions even
+ * when an `_s` variant exist. For most functions, the improvements
+ * of the `_s` variants are of limited usefulness and not worth
+ * the portability headaches.
+ */
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
 #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
 #include "mbedtls/build_info.h"
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index eb090fd051..8ff35f0c2f 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -5,6 +5,15 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
+/* Tell MSVC that we're ok with using classic C functions even
+ * when an `_s` variant exist. For most functions, the improvements
+ * of the `_s` variants are of limited usefulness and not worth
+ * the portability headaches.
+ */
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
 #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
 #include "mbedtls/build_info.h"

From b38e28dbf00b72303781020580e4e7fbfe1ec21c Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 4 Mar 2026 11:54:35 +0100
Subject: [PATCH 5/5] Make sure we declare TF-PSA-Crypto platform requirements before including system headers

Signed-off-by: Gilles Peskine
---
 library/mbedtls_common.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/library/mbedtls_common.h b/library/mbedtls_common.h
index 43dac8266b..188ae4692b 100644
--- a/library/mbedtls_common.h
+++ b/library/mbedtls_common.h
@@ -33,6 +33,14 @@
 */
 #include "mbedtls_platform_requirements.h"
+/* Mbed TLS is tightly coupled with TF-PSA-Crypto, and inherits all of
+ * its platform requirements because we don't have a clear separation of
+ * public vs private platform interfaces. So make sure we declare the
+ * TF-PSA-Crypto platform requirements. We need to do that before including
+ * any system headers, thus before including the user config file since it
+ * may include platform headers. */
+#include "tf_psa_crypto_platform_requirements.h"
+
 /* From this point onwards, ensure we have the library configuration and
 * the configuration-derived macros. */
 #include