diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 1ced6e5780..93d2ae19d8 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -153,6 +153,18 @@
 #error "MBEDTLS_PKCS5_C defined, but not all prerequesites"
 #endif
+#if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_PKCS12_C defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_PKCS1_V15) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_PKCS1_V15 defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_PKCS1_V21 defined, but not all prerequesites"
+#endif
+
 #if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) && \
 !defined(MBEDTLS_SHA256_C))
 #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
@@ -342,7 +354,7 @@
 #endif
 #if defined(MBEDTLS_PK_C) && \
- ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) )
+ ( !defined(MBEDTLS_MD_C) || ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) ) )
 #error "MBEDTLS_PK_C defined, but not all prerequisites"
 #endif
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 2d32f67cc1..21596da880 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1129,7 +1129,7 @@
 *
 * Enable support for PKCS#1 v1.5 encoding.
 *
- * Requires: MBEDTLS_RSA_C
+ * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
 *
 * This enables support for PKCS#1 v1.5 operations.
 */
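Review bot: The three `#error` strings added in the first check_config.h hunk copy the misspelling "prerequesites" from the PKCS5 line above them, while the neighbouring ENTROPY and PK messages spell it "prerequisites". They also do not name the option that is missing, so an integrator trimming the configuration has to open this header to learn that MBEDTLS_MD_C is the cause. I would write, for example, `#error "MBEDTLS_PKCS12_C defined, but MBEDTLS_MD_C is not"` for each of the three. The widened MBEDTLS_PK_C condition in the second hunk has the same problem: its unchanged message cannot distinguish a missing MD layer from a missing RSA/ECP module.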
@@ -2401,7 +2401,24 @@
 * Enable the generic message digest layer.
 *
 * Module: library/md.c
- * Caller:
+ * Caller: library/constant_time.c
+ * library/ecdsa.c
+ * library/ecjpake.c
+ * library/hkdf.c
+ * library/hmac_drbg.c
+ * library/pk.c
+ * library/pkcs5.c
+ * library/pkcs12.c
+ * library/psa_crypto_ecp.c
+ * library/psa_crypto_rsa.c
+ * library/rsa.c
+ * library/ssl_cookie.c
+ * library/ssl_msg.c
+ * library/ssl_tls.c
+ * library/x509.c
+ * library/x509_crt.c
+ * library/x509write_crt.c
+ * library/x509write_csr.c
 *
 * Uncomment to enable generic message digest wrappers.
 */
@@ -2546,7 +2563,7 @@
 * library/ssl*_server.c
 * library/x509.c
 *
- * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
+ * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
 *
 * Uncomment to enable generic public key wrappers.
 */
diff --git a/library/rsa.c b/library/rsa.c
index 36f487f3a7..497fc21c1d 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -49,10 +49,6 @@
 #include
-#if defined(MBEDTLS_PKCS1_V21)
-#include "mbedtls/md.h"
-#endif
-
 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
 #include
 #endif
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 1e5cd65ee5..9fa4d284cb 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
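Review bot: In the MBEDTLS_PK_C hunk of mbedtls_config.h the new line `Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C` is ambiguous, because it can be read as "(MD_C and RSA_C) or ECP_C". The check this commit adds to check_config.h requires MD_C in every case, so the comment should say so unambiguously, e.g. `* Requires: MBEDTLS_MD_C and at least one of MBEDTLS_RSA_C, MBEDTLS_ECP_C`. Someone building an ECP-only configuration from this comment could otherwise drop the MD layer and only find out at the `#error`.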
@@ -1203,6 +1203,30 @@ component_test_psa_external_rng_no_drbg_use_psa () {
 tests/ssl-opt.sh -f 'Default\|opaque'
 }
+component_test_crypto_full_no_md () {
+ msg "build: crypto_full minus MD"
+ scripts/config.py crypto_full
+ scripts/config.py unset MBEDTLS_MD_C
+ # Direct dependencies
+ scripts/config.py unset MBEDTLS_ECJPAKE_C
+ scripts/config.py unset MBEDTLS_HKDF_C
+ scripts/config.py unset MBEDTLS_HMAC_DRBG_C
+ scripts/config.py unset MBEDTLS_PK_C
+ scripts/config.py unset MBEDTLS_PKCS1_V15
+ scripts/config.py unset MBEDTLS_PKCS1_V21
+ scripts/config.py unset MBEDTLS_PKCS5_C
+ scripts/config.py unset MBEDTLS_PKCS12_C
+ # Indirect dependencies
+ scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
+ scripts/config.py unset MBEDTLS_PK_PARSE_C
+ scripts/config.py unset MBEDTLS_PK_WRITE_C
+ scripts/config.py unset MBEDTLS_RSA_C
+ make
+
+ msg "test: crypto_full minus MD"
+ make test
+}
+
 component_test_psa_external_rng_use_psa_crypto () {
 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
 scripts/config.py full
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index 492810bf01..ea00290362 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -165,6 +165,7 @@ class NotSupported:
 ALWAYS_SUPPORTED = frozenset([
 'PSA_KEY_TYPE_DERIVE',
 'PSA_KEY_TYPE_RAW_DATA',
+ 'PSA_KEY_TYPE_HMAC'
 ])
 def test_cases_for_key_type_not_supported( self,
diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function
index 5c56ef4983..a255530e62 100644
--- a/tests/suites/test_suite_oid.function
+++ b/tests/suites/test_suite_oid.function
@@ -82,7 +82,7 @@ void oid_get_x509_extension( data_t *oid, int exp_type )
 }
 /* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_MD_C */
 void oid_get_md_alg_id( data_t *oid, int exp_md_id )
 {
 mbedtls_asn1_buf md_oid = { 0, 0, NULL };
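Review bot: The `# Indirect dependencies` group in `component_test_crypto_full_no_md` does not record which disabled option each entry depends on, which makes the list hard to audit when another module starts using MD_C. A short trailing comment per entry would do. As I read the configuration checks, these would be `# needs HMAC_DRBG_C` on ECDSA_DETERMINISTIC, `# needs PK_C` on PK_PARSE_C and PK_WRITE_C, and `# needs PKCS1_V15 or PKCS1_V21` on RSA_C. Those relations are not visible in this diff, so confirm them against check_config.h before adding the comments.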
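Review bot: The added `'PSA_KEY_TYPE_HMAC'` entry in `ALWAYS_SUPPORTED` has no trailing comma, unlike the two entries above it. Python concatenates adjacent string literals, so the next entry appended below it would silently merge with this one into a single name that matches no key type, and both types would drop out of the always-supported set without any error. Write `'PSA_KEY_TYPE_HMAC',`. A one-line comment saying why HMAC keys are treated as always supported would also help, since the hunk gives no reason.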
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 79d658fd0a..9f684913d1 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -170,6 +170,7 @@ static psa_status_t counter_allocate( psa_drv_se_context_t *context,
 }
 /* Null import: do nothing, but pretend it worked. */
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
 static psa_status_t null_import( psa_drv_se_context_t *context,
 psa_key_slot_number_t slot_number,
 const psa_key_attributes_t *attributes,
@@ -186,8 +187,10 @@ static psa_status_t null_import( psa_drv_se_context_t *context,
 *bits = PSA_BYTES_TO_BITS( data_length );
 return( PSA_SUCCESS );
 }
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
 /* Null generate: do nothing, but pretend it worked. */
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
 static psa_status_t null_generate( psa_drv_se_context_t *context,
 psa_key_slot_number_t slot_number,
 const psa_key_attributes_t *attributes,
@@ -208,6 +211,7 @@ static psa_status_t null_generate( psa_drv_se_context_t *context,
 return( PSA_SUCCESS );
 }
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
 /* Null destroy: do nothing, but pretend it worked. */
 static psa_status_t null_destroy( psa_drv_se_context_t *context,
@@ -635,6 +639,7 @@ exit:
 /* Check that a function's return status is "smoke-free", i.e. that
 * it's an acceptable error code when calling an API function that operates
 * on a key with potentially bogus parameters. */
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
 static int is_status_smoke_free( psa_status_t status )
 {
 switch( status )
@@ -651,6 +656,8 @@ static int is_status_smoke_free( psa_status_t status )
 return( 0 );
 }
 }
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+
 #define SMOKE_ASSERT( expr ) \
 TEST_ASSERT( is_status_smoke_free( expr ) )
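Review bot: `AT_LEAST_ONE_BUILTIN_KDF` is not defined in any hunk shown here, yet it now gates `null_import`, `null_generate`, `is_status_smoke_free`, `smoke_test_key` and, through `depends_on`, the `import_key_smoke` and `generate_key_smoke` cases in the later hunks of this file. A `depends_on` on a macro that is undefined or misspelled makes the case skip rather than fail, and these are the cases whose stated purpose is to catch memory corruption or crashes under ASan/MSan, so the coverage loss would be silent. I would add a comment at the first guard that says where the macro is defined and why these helpers are tied to it, e.g. `/* Only used by the *_key_smoke cases; AT_LEAST_ONE_BUILTIN_KDF is defined in <header> */` (the header name is a placeholder). Placing each `#if` above the descriptive comment rather than between the comment and the function would also keep the comment attached to what it documents. The function bodies lie outside these hunks.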
@@ -658,6 +665,7 @@ static int is_status_smoke_free( psa_status_t status )
 * mostly bogus parameters: the goal is to ensure that there is no memory
 * corruption or crash. This test function is most useful when run under
 * an environment with sanity checks such as ASan or MSan. */
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
 static int smoke_test_key( mbedtls_svc_key_id_t key )
 {
 int ok = 0;
@@ -766,6 +774,7 @@ exit:
 return( ok );
 }
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
 static void psa_purge_storage( void )
 {
@@ -1073,7 +1082,7 @@ exit:
 }
 /* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:AT_LEAST_ONE_BUILTIN_KDF */
 void import_key_smoke( int type_arg, int alg_arg, data_t *key_material )
 {
@@ -1186,7 +1195,7 @@ exit:
 }
 /* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:AT_LEAST_ONE_BUILTIN_KDF */
 void generate_key_smoke( int type_arg, int bits_arg, int alg_arg )
 {
 psa_key_type_t type = type_arg;
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 33591d344c..8605b63c04 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -87,7 +87,7 @@ int ca_callback_fail( void *data, mbedtls_x509_crt const *child, mbedtls_x509_cr
 return -1;
 }
-
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
 int ca_callback( void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates )
 {
@@ -141,6 +141,7 @@ exit:
 *candidates = first;
 return( ret );
 }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 int verify_fatal( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
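Review bot: In test_suite_x509parse.function the new `#if defined(MBEDTLS_X509_CRT_PARSE_C)` replaces the blank line that separated `ca_callback_fail` from `ca_callback`, so the guard now sits directly against the previous function's closing brace. I would keep the blank line and put the `#if` after it. The body of `ca_callback` is outside the hunk, so the reason for the guard is not visible; a one-line comment such as `/* ca_callback parses certificates, so it needs the CRT parser */` would record it if that is the reason. Every test case that passes `ca_callback` then needs `depends_on:MBEDTLS_X509_CRT_PARSE_C` as well, and this diff does not show that.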