[Debian-iot-maintainers] Bug#1053533: mbedtls: enable MBEDTLS_NIST_KW_C

Andrea Pappacoda andrea at pappacoda.it
Thu Oct 12 08:21:42 BST 2023


On Thu, 05 Oct 2023 21:35:47 +0200 Jérôme Pouiller <jerome.pouiller at gmail.com> wrote:
> I have just noticed MBEDTLS_NIST_KW_C was not enabled (and obviously my
> project[1] depends on it).
> 
> I usually use the default config provided by mbedtls (which I believe
> enables all the possible options). Do you know if there is any reason to
> strip down this configuration?

Hi Jerome, thanks for your report.

We don't strip down mbedtls' configuration, we just use the default, which seems to not include NIST_KW_C. I haven't looked at this option in detail, but changing the config can, and probably will, break ABI. I've tried it before and it broke at least one package.

Hence we probably cannot enable this new option until we bump the SONAME, which isn't going to happen soon, probably.

I wish mbedtls were more modular so that we could enable new features without rebuilding the library, but unfortunately this isn't possible as far as I know.

We cannot enable all possible features either because it'd make mbedtls' attack surface way bigger for little benefit.

I'll look into this, but I probably won't be able to satisfy your request (for some time).

Bye!
