From 6aadf0b44f2a4118a37967fdb1f6ce3999814621 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 27 Apr 2022 14:46:52 +0200 Subject: [PATCH 1/8] mbedtls_config.h: update dependencies for MBEDTLS_MD_C Signed-off-by: Przemek Stekiel --- include/mbedtls/mbedtls_config.h | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 72a1e1043a..a8003d8813 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1129,7 +1129,7 @@ * * Enable support for PKCS#1 v1.5 encoding. * - * Requires: MBEDTLS_RSA_C + * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C * * This enables support for PKCS#1 v1.5 operations. */ @@ -2390,7 +2390,24 @@ * Enable the generic message digest layer. * * Module: library/md.c - * Caller: + * Caller: library/constant_time.c + * library/ecdsa.c + * library/ecjpake.c + * library/hkdf.c + * library/hmac_drbg.c + * library/oid.c + * library/pk.c + * library/pkcs5.c + * library/pkcs12.c + * library/psa_crypto_ecp.c + * library/psa_crypto_rsa.c + * library/rsa.c + * library/ssl_cookie.c + * library/ssl_msg.c + * library/ssl_tls.c + * library/x509_crt.c + * library/x509write_crt.c + * library/x509write_csr.c * * Uncomment to enable generic message digest wrappers. */ @@ -2535,7 +2552,7 @@ * library/ssl*_server.c * library/x509.c * - * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C + * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C * * Uncomment to enable generic public key wrappers. */ From bc3cfed43ef23b15f29795dcd64f05fcf432666f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 27 Apr 2022 14:19:19 +0200 Subject: [PATCH 2/8] check_config.h: Add MBEDTLS_MD_C dependency MBEDTLS_PKCS12_C, MBEDTLS_PKCS1_V15, MBEDTLS_PKCS1_V21, MBEDTLS_PK_C Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1ced6e5780..93d2ae19d8 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -153,6 +153,18 @@ #error "MBEDTLS_PKCS5_C defined, but not all prerequesites" #endif +#if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_MD_C) +#error "MBEDTLS_PKCS12_C defined, but not all prerequesites" +#endif + +#if defined(MBEDTLS_PKCS1_V15) && !defined(MBEDTLS_MD_C) +#error "MBEDTLS_PKCS1_V15 defined, but not all prerequesites" +#endif + +#if defined(MBEDTLS_PKCS1_V21) && !defined(MBEDTLS_MD_C) +#error "MBEDTLS_PKCS1_V21 defined, but not all prerequesites" +#endif + #if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) && \ !defined(MBEDTLS_SHA256_C)) #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites" @@ -342,7 +354,7 @@ #endif #if defined(MBEDTLS_PK_C) && \ - ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) ) + ( !defined(MBEDTLS_MD_C) || ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) ) ) #error "MBEDTLS_PK_C defined, but not all prerequisites" #endif From cd204992f2210e26c6adbaf620fec4aa6edbfa5c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 27 Apr 2022 15:33:43 +0200 Subject: [PATCH 3/8] Fix dependencies in tests Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_oid.function | 2 +- .../test_suite_psa_crypto_se_driver_hal.function | 13 +++++++++++-- tests/suites/test_suite_x509parse.function | 3 ++- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function index 5c56ef4983..a255530e62 100644 --- a/tests/suites/test_suite_oid.function +++ b/tests/suites/test_suite_oid.function @@ -82,7 +82,7 @@ void oid_get_x509_extension( data_t *oid, int exp_type ) } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_MD_C */ void oid_get_md_alg_id( data_t *oid, int exp_md_id ) { mbedtls_asn1_buf md_oid = { 0, 0, NULL }; diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index 79d658fd0a..9f684913d1 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function @@ -170,6 +170,7 @@ static psa_status_t counter_allocate( psa_drv_se_context_t *context, } /* Null import: do nothing, but pretend it worked. */ +#if defined(AT_LEAST_ONE_BUILTIN_KDF) static psa_status_t null_import( psa_drv_se_context_t *context, psa_key_slot_number_t slot_number, const psa_key_attributes_t *attributes, @@ -186,8 +187,10 @@ static psa_status_t null_import( psa_drv_se_context_t *context, *bits = PSA_BYTES_TO_BITS( data_length ); return( PSA_SUCCESS ); } +#endif /* AT_LEAST_ONE_BUILTIN_KDF */ /* Null generate: do nothing, but pretend it worked. */ +#if defined(AT_LEAST_ONE_BUILTIN_KDF) static psa_status_t null_generate( psa_drv_se_context_t *context, psa_key_slot_number_t slot_number, const psa_key_attributes_t *attributes, @@ -208,6 +211,7 @@ static psa_status_t null_generate( psa_drv_se_context_t *context, return( PSA_SUCCESS ); } +#endif /* AT_LEAST_ONE_BUILTIN_KDF */ /* Null destroy: do nothing, but pretend it worked. */ static psa_status_t null_destroy( psa_drv_se_context_t *context, @@ -635,6 +639,7 @@ exit: /* Check that a function's return status is "smoke-free", i.e. that * it's an acceptable error code when calling an API function that operates * on a key with potentially bogus parameters. */ +#if defined(AT_LEAST_ONE_BUILTIN_KDF) static int is_status_smoke_free( psa_status_t status ) { switch( status ) @@ -651,6 +656,8 @@ static int is_status_smoke_free( psa_status_t status ) return( 0 ); } } +#endif /* AT_LEAST_ONE_BUILTIN_KDF */ + #define SMOKE_ASSERT( expr ) \ TEST_ASSERT( is_status_smoke_free( expr ) ) @@ -658,6 +665,7 @@ static int is_status_smoke_free( psa_status_t status ) * mostly bogus parameters: the goal is to ensure that there is no memory * corruption or crash. This test function is most useful when run under * an environment with sanity checks such as ASan or MSan. */ +#if defined(AT_LEAST_ONE_BUILTIN_KDF) static int smoke_test_key( mbedtls_svc_key_id_t key ) { int ok = 0; @@ -766,6 +774,7 @@ exit: return( ok ); } +#endif /* AT_LEAST_ONE_BUILTIN_KDF */ static void psa_purge_storage( void ) { @@ -1073,7 +1082,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:AT_LEAST_ONE_BUILTIN_KDF */ void import_key_smoke( int type_arg, int alg_arg, data_t *key_material ) { @@ -1186,7 +1195,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:AT_LEAST_ONE_BUILTIN_KDF */ void generate_key_smoke( int type_arg, int bits_arg, int alg_arg ) { psa_key_type_t type = type_arg; diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index fea02f362c..c1d440711f 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -87,7 +87,7 @@ int ca_callback_fail( void *data, mbedtls_x509_crt const *child, mbedtls_x509_cr return -1; } - +#if defined(MBEDTLS_X509_CRT_PARSE_C) int ca_callback( void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates ) { @@ -141,6 +141,7 @@ exit: *candidates = first; return( ret ); } +#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ int verify_fatal( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) From 1068c224a4515ba27033568cd6dbacab1c09f6cf Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 5 May 2022 11:52:30 +0200 Subject: [PATCH 4/8] Adapt generated psa no_supported tests for HMAC Remove no_supported HMAC generate/import tests when !PSA_KEY_TYPE_HMAC as HMAC key creation works regardless of PSA_WANT_KEY_TYPE_HMAC. Signed-off-by: Przemek Stekiel --- tests/scripts/generate_psa_tests.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index ca94d7d324..2e9783a151 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -165,6 +165,7 @@ class NotSupported: ALWAYS_SUPPORTED = frozenset([ 'PSA_KEY_TYPE_DERIVE', 'PSA_KEY_TYPE_RAW_DATA', + 'PSA_KEY_TYPE_HMAC' ]) def test_cases_for_key_type_not_supported( self, From fe2367af26c314a0a1f3b531cdef5a1e4af5f5d3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 28 Apr 2022 15:44:18 +0200 Subject: [PATCH 5/8] all.sh: add build/test config crypto_full minus MD Dependeny list: - ['MBEDTLS_MD_C'] - ['MBEDTLS_ECJPAKE_C', 'MBEDTLS_PKCS5_C', 'MBEDTLS_PKCS12_C', 'MBEDTLS_PKCS1_V15', 'MBEDTLS_PKCS1_V21', 'MBEDTLS_HKDF_C', 'MBEDTLS_HMAC_DRBG_C', 'MBEDTLS_PK_C'] - ['MBEDTLS_ECDSA_DETERMINISTIC', 'MBEDTLS_PK_PARSE_C', 'MBEDTLS_PK_WRITE_C', 'MBEDTLS_RSA_C'] Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8528a4f013..75a5a02773 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1197,6 +1197,28 @@ component_test_psa_external_rng_no_drbg_use_psa () { tests/ssl-opt.sh -f 'Default\|opaque' } +component_test_crypto_full_no_md () { + msg "build: crypto_full minus MD" + scripts/config.py crypto_full + scripts/config.py unset MBEDTLS_MD_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS12_C + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_HKDF_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + scripts/config.py unset MBEDTLS_RSA_C + make + + msg "test: crypto_full minus MD" + make test +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full From 6e71282c87ad82f7634070a56df3aea2b05a5dff Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 6 May 2022 11:40:20 +0200 Subject: [PATCH 6/8] Fix caller list of the MD module Signed-off-by: Przemek Stekiel --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index a8003d8813..17354b4018 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2395,7 +2395,6 @@ * library/ecjpake.c * library/hkdf.c * library/hmac_drbg.c - * library/oid.c * library/pk.c * library/pkcs5.c * library/pkcs12.c @@ -2405,6 +2404,7 @@ * library/ssl_cookie.c * library/ssl_msg.c * library/ssl_tls.c + * library/x509.c * library/x509_crt.c * library/x509write_crt.c * library/x509write_csr.c From d3ba7367c9369a0b16152ecf80ec0c5474301256 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 6 May 2022 11:41:56 +0200 Subject: [PATCH 7/8] component_test_crypto_full_no_md: fix order of disabled features Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 75a5a02773..cce9d28bfc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1201,14 +1201,16 @@ component_test_crypto_full_no_md () { msg "build: crypto_full minus MD" scripts/config.py crypto_full scripts/config.py unset MBEDTLS_MD_C + # Direct dependencies scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_PKCS5_C - scripts/config.py unset MBEDTLS_PKCS12_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_HKDF_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS12_C + # Indirect dependencies scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C From c1e41bb2b5795ffb94b6175a0872150e348b9773 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 6 May 2022 11:42:18 +0200 Subject: [PATCH 8/8] rsa.c: remove redundant include of md.h rsa.c includes rsa.h that includes md.h Signed-off-by: Przemek Stekiel --- library/rsa.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 36f487f3a7..497fc21c1d 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -49,10 +49,6 @@ #include -#if defined(MBEDTLS_PKCS1_V21) -#include "mbedtls/md.h" -#endif - #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__) #include #endif