From 3c16abebd40b001bd8a5bc5666b6efe08781dd3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 19 Sep 2022 10:44:42 +0200 Subject: [PATCH] Fix dependencies of KEY_EXCHANGE_ECJPAKE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The EC J-PAKE module the ability to "fall back" to PSA when MD is not present a few PRs ago, but the dependency of this key exchange on SHA-256 wasn't updated at the time. (Note: the crypto primitive doesn't depend on SHA-256, only its use in the TLS key exchange does.) Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 11 ++++++++++- include/mbedtls/mbedtls_config.h | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index fa70058de6..2ea0b47b35 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -320,11 +320,20 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) || \ + ( !defined(MBEDTLS_ECJPAKE_C) || \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ) #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif +/* Use of EC J-PAKE in TLS requires SHA-256. + * This will be taken from MD is present, or from PSA if MD is absent. + * Note: ECJPAKE_C depends on MD_C || PSA_CRYPTO_C. */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + !( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) && \ + !( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) ) +#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ ( !defined(MBEDTLS_SHA256_C) && \ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ff7b30e118..473b74c037 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -958,7 +958,7 @@ * might still happen. For this reason, this is disabled by default. * * Requires: MBEDTLS_ECJPAKE_C - * MBEDTLS_SHA256_C + * SHA-256 (via MD is present, or via PSA, see MBEDTLS_ECJPAKE_C) * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * This enables the following ciphersuites (if other requisites are