From 1818d967fe8ada415ae51022bd44651da05edf04 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 22 Apr 2021 12:06:32 +0200
Subject: [PATCH 01/16] Four config.h defaults have been changed.
Signed-off-by: TRodziewicz
---
 include/mbedtls/config.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 46941e27f5..c34b6ba478 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2521,7 +2521,7 @@
 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
 */
-//#define MBEDTLS_ARIA_C
+#define MBEDTLS_ARIA_C
 /**
 * \def MBEDTLS_CCM_C
@@ -2592,7 +2592,7 @@
 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
 *
 */
-//#define MBEDTLS_CMAC_C
+#define MBEDTLS_CMAC_C
 /**
 * \def MBEDTLS_CTR_DRBG_C
@@ -2728,7 +2728,7 @@
 *
 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
 */
-//#define MBEDTLS_ECJPAKE_C
+#define MBEDTLS_ECJPAKE_C
 /**
 * \def MBEDTLS_ECP_C
@@ -2824,7 +2824,7 @@
 *
 * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
 */
-//#define MBEDTLS_NIST_KW_C
+#define MBEDTLS_NIST_KW_C
 /**
 * \def MBEDTLS_MD_C
From 706279684482e35c092bdecad91125a4ba8b7c91 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 22 Apr 2021 14:11:10 +0200
Subject: [PATCH 02/16] Testing the failed ubuntu test
Signed-off-by: TRodziewicz
---
 include/mbedtls/config.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c34b6ba478..6b0cb78064 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2521,7 +2521,7 @@
 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
 */
-#define MBEDTLS_ARIA_C
+// #define MBEDTLS_ARIA_C
 /**
 * \def MBEDTLS_CCM_C
@@ -2592,7 +2592,7 @@
 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
 *
 */
-#define MBEDTLS_CMAC_C
+// #define MBEDTLS_CMAC_C
 /**
 * \def MBEDTLS_CTR_DRBG_C
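Review bot: In PATCH 01/16, the `MBEDTLS_ARIA_C` hunk turns the module on without updating the comment block above it, whose visible tail lists ARIA TLS ciphersuites such as `MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256`. If that list is the set of suites the module enables, a default build presumably now compiles them in, the CBC ones included, and the block should say so. I would add a line to the comment such as ` * Enabled by default; comment out this macro to leave the ARIA ciphersuites out of the build.` The comment block starts outside the hunk, so the rest of its wording is not visible here.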
@@ -2728,7 +2728,7 @@
 *
 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
 */
-#define MBEDTLS_ECJPAKE_C
+// #define MBEDTLS_ECJPAKE_C
 /**
 * \def MBEDTLS_ECP_C
@@ -2824,7 +2824,7 @@
 *
 * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
 */
-#define MBEDTLS_NIST_KW_C
+// #define MBEDTLS_NIST_KW_C
 /**
 * \def MBEDTLS_MD_C
From b13360514c55a5de7848beb7acc6e1f86d759478 Mon Sep 17 00:00:00 2001
From: Tomasz Rodziewicz <40165497+TRodziewicz@users.noreply.github.com>
Date: Thu, 22 Apr 2021 15:14:17 +0200
Subject: [PATCH 03/16] Test why the test_depends_curves_psa fails in CI
---
 include/mbedtls/config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6b0cb78064..83f50dbdb4 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2728,7 +2728,7 @@
 *
 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
 */
-// #define MBEDTLS_ECJPAKE_C
+#define MBEDTLS_ECJPAKE_C
 /**
 * \def MBEDTLS_ECP_C
From 85aff9f07a9a406cae0edf6b1350c757c9d352e6 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Fri, 23 Apr 2021 10:47:26 +0200
Subject: [PATCH 04/16] Correction fixing the test_depends_curves_psa falure
Signed-off-by: TRodziewicz
---
 include/mbedtls/config.h | 6 +++---
 tests/scripts/curves.pl | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 83f50dbdb4..c34b6ba478 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2521,7 +2521,7 @@
 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
 */
-// #define MBEDTLS_ARIA_C
+#define MBEDTLS_ARIA_C
 /**
 * \def MBEDTLS_CCM_C
@@ -2592,7 +2592,7 @@
 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
 *
 */
-// #define MBEDTLS_CMAC_C
+#define MBEDTLS_CMAC_C
 /**
 * \def MBEDTLS_CTR_DRBG_C
@@ -2824,7 +2824,7 @@
 *
 * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
 */
-// #define MBEDTLS_NIST_KW_C
+#define MBEDTLS_NIST_KW_C
 /**
 * \def MBEDTLS_MD_C
diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl
index 188bd29acc..2572e93301 100755
--- a/tests/scripts/curves.pl
+++ b/tests/scripts/curves.pl
@@ -84,6 +84,7 @@ for my $curve (@curves) {
 }
 # Depends on a specific curve. Also, ignore error if it wasn't enabled.
 system( "scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED" );
+system( "scripts/config.pl unset MBEDTLS_ECJPAKE_C" );
 # Test with only $curve enabled, for each $curve.
 for my $curve (@curves) {
From 7c1d41da527f3ad0201438a8a1499655687e3606 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Fri, 23 Apr 2021 13:33:44 +0200
Subject: [PATCH 05/16] Correction fixing the test_everest_curve25519_only falure
Signed-off-by: TRodziewicz
---
 tests/scripts/all.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 5524f1d019..d0a0cca6cf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1050,6 +1050,7 @@ component_test_everest_curve25519_only () {
 scripts/config.py unset MBEDTLS_ECDSA_C
 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ scripts/config.py unset MBEDTLS_ECJPAKE_C
 # Disable all curves
 for c in $(sed -n 's/#define \(MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED\).*/\1/p' <"$CONFIG_H"); do
 scripts/config.py unset "$c"
From 1f984245088be0cce3750e88916d6d8bca25d2bd Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Fri, 23 Apr 2021 14:57:39 +0200
Subject: [PATCH 06/16] Correction fixing the test_when_no_ciphersuites_have_mac falure
Signed-off-by: TRodziewicz
---
 tests/scripts/all.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index d0a0cca6cf..ad1bd11094 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
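Review bot: In PATCH 04/16 (tests/scripts/curves.pl), the added `system( "scripts/config.pl unset MBEDTLS_ECJPAKE_C" );` discards its exit status, and the comment above it ("ignore error if it wasn't enabled") was written for the key-exchange option on the previous line. This series makes `MBEDTLS_ECJPAKE_C` enabled by default, so a failed unset here would leave EC J-PAKE in every single-curve build and would only show up later as an unrelated build or test error. Checking the status, for example `system( "scripts/config.pl unset MBEDTLS_ECJPAKE_C" ) and die "Failed to unset MBEDTLS_ECJPAKE_C\n";`, or routing it through the script's own failure handler if it has one, would make that visible. The surrounding script body lies outside the hunk.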
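Review bot: In PATCH 05/16 (tests/scripts/all.sh), the new `scripts/config.py unset MBEDTLS_ECJPAKE_C` in `component_test_everest_curve25519_only` carries no explanation, while the neighbouring unsets are all ECDSA-related and explain themselves. Presumably EC J-PAKE, now on by default, cannot be built once every curve except Curve25519 is disabled; a one-line comment such as `# EC J-PAKE is enabled by default and needs a curve that this component disables`, added after confirming that this is the real failure, would keep the line from looking accidental. The same bare line is added to `component_test_when_no_ciphersuites_have_mac` in PATCH 06/16, where its link to the component's purpose is not apparent from the hunk. Both function bodies extend beyond their hunks.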
@@ -1964,6 +1964,7 @@ component_test_when_no_ciphersuites_have_mac () {
 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
 scripts/config.py unset MBEDTLS_ARC4_C
 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py unset MBEDTLS_ECJPAKE_C
 make
 msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
From d7a21a1ec542f2f4e4ebd785ed7fba3da3b82301 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Mon, 26 Apr 2021 13:38:08 +0200
Subject: [PATCH 07/16] Fix failing test_when_no_ciphersuites_have_mac test.
Signed-off-by: TRodziewicz
---
 tests/suites/test_suite_cmac.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_cmac.function b/tests/suites/test_suite_cmac.function
index cabf1070c1..859b2e0251 100644
--- a/tests/suites/test_suite_cmac.function
+++ b/tests/suites/test_suite_cmac.function
@@ -98,7 +98,7 @@ exit:
 }
 /* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
 void mbedtls_cmac_setkey( int cipher_type, int key_size, int result )
 {
 const mbedtls_cipher_info_t *cipher_info;
From ede30855634c627327e1435817b074f3ad8c2691 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Mon, 26 Apr 2021 15:44:25 +0200
Subject: [PATCH 08/16] Add ChangeLog file and fix comment in config.h
Signed-off-by: TRodziewicz
---
 ChangeLog.d/issue4036.txt | 5 +++++
 include/mbedtls/config.h | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/issue4036.txt
diff --git a/ChangeLog.d/issue4036.txt b/ChangeLog.d/issue4036.txt
new file mode 100644
index 0000000000..9b348d3306
--- /dev/null
+++ b/ChangeLog.d/issue4036.txt
@@ -0,0 +1,5 @@
+Default behavior changes
+ * Enable by default the functionalities which have no reason to be disabled.
+ They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
+ Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
+
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c34b6ba478..623b59385c 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2718,7 +2718,7 @@
 *
 * \warning This is currently experimental. EC J-PAKE support is based on the
 * Thread v1.0.0 specification; incompatible changes to the specification
- * might still happen. For this reason, this is disabled by default.
+ * might still happen.
 *
 * Module: library/ecjpake.c
 * Caller:
From 87bfa20f1cc3929991bebe747bddbc97e8b656df Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Mon, 26 Apr 2021 20:08:53 +0200
Subject: [PATCH 09/16] Removing trailing space from ChangeLog file
Signed-off-by: TRodziewicz
---
 ChangeLog.d/issue4036.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog.d/issue4036.txt b/ChangeLog.d/issue4036.txt
index 9b348d3306..7009496235 100644
--- a/ChangeLog.d/issue4036.txt
+++ b/ChangeLog.d/issue4036.txt
@@ -1,5 +1,5 @@
 Default behavior changes
 * Enable by default the functionalities which have no reason to be disabled.
- They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
+ They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
From 9876a85f223e020b841cadb10604ddd6102090a8 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Wed, 28 Apr 2021 16:29:28 +0200
Subject: [PATCH 10/16] Change the place where the _CIPHER_MODE_CBC is defined from test to check_config.h
Signed-off-by: TRodziewicz
---
 tests/suites/test_suite_cmac.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_cmac.function b/tests/suites/test_suite_cmac.function
index 859b2e0251..cabf1070c1 100644
--- a/tests/suites/test_suite_cmac.function
+++ b/tests/suites/test_suite_cmac.function
@@ -98,7 +98,7 @@ exit:
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
+/* BEGIN_CASE */
 void mbedtls_cmac_setkey( int cipher_type, int key_size, int result )
 {
 const mbedtls_cipher_info_t *cipher_info;
From 92b1febbf63243801c94e11c0c0046aa87d68aea Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Wed, 28 Apr 2021 16:34:13 +0200
Subject: [PATCH 11/16] addind check_config.h to the commit
Signed-off-by: TRodziewicz
---
 include/mbedtls/check_config.h | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 6bf16da834..028f604891 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -85,6 +85,10 @@
 #error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
 #endif
+#if defined(MBEDTLS_CMAC_C)
+#define MBEDTLS_CIPHER_MODE_CBC
+#endif
+
 #if defined(MBEDTLS_CMAC_C) && \
 !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
From 2add5c13ea504f255c62e6c566ca650af2e3e2ef Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Wed, 28 Apr 2021 16:50:20 +0200
Subject: [PATCH 12/16] On second thought changing the way the test is run
Signed-off-by: TRodziewicz
---
 include/mbedtls/check_config.h | 4 ----
 tests/scripts/all.sh | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 98a554df64..47b5de04dd 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -81,10 +81,6 @@
 #error "MBEDTLS_DHM_C defined, but not all prerequisites"
 #endif
-#if defined(MBEDTLS_CMAC_C)
-#define MBEDTLS_CIPHER_MODE_CBC
-#endif
-
 #if defined(MBEDTLS_CMAC_C) && \
 !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a60b66bf41..2b0122c19d 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
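Review bot: In PATCH 11/16, the block added to include/mbedtls/check_config.h defines `MBEDTLS_CIPHER_MODE_CBC` whenever `MBEDTLS_CMAC_C` is set, which silently overrides a configuration that deliberately left CBC out; the other checks visible in this hunk report a bad combination with `#error` rather than repairing it. With `MBEDTLS_CMAC_C` now on by default in this series, that would switch CBC back on for anyone who disabled it to keep CBC-mode code out of the build. If CMAC really depends on CBC, state it as a check: `#if defined(MBEDTLS_CMAC_C) && !defined(MBEDTLS_CIPHER_MODE_CBC)`, `#error "MBEDTLS_CMAC_C defined, but not all prerequisites"`, `#endif`. If only the test case needs CBC, the dependency belongs with the test and not in this header.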
@@ -2063,6 +2063,7 @@ component_test_when_no_ciphersuites_have_mac () {
 scripts/config.py unset MBEDTLS_ARC4_C
 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
 scripts/config.py unset MBEDTLS_ECJPAKE_C
+ scripts/config.py unset MBEDTLS_CMAC_C
 make
 msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
From 89f98c2556a2148b8ee693a71106247108f2d124 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 29 Apr 2021 14:08:09 +0200
Subject: [PATCH 13/16] Removal of wrongly placed unset
Signed-off-by: TRodziewicz
---
 tests/scripts/all.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 2b0122c19d..9c2bcc1d79 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2062,7 +2062,6 @@ component_test_when_no_ciphersuites_have_mac () {
 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
 scripts/config.py unset MBEDTLS_ARC4_C
 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_ECJPAKE_C
 scripts/config.py unset MBEDTLS_CMAC_C
 make
From 6c3fe31f6c41e6682b77833de4a29fa2a0265f5d Mon Sep 17 00:00:00 2001
From: Tomasz Rodziewicz <40165497+TRodziewicz@users.noreply.github.com>
Date: Fri, 7 May 2021 09:46:32 +0200
Subject: [PATCH 14/16] Update config.h Warning for ECJPAKE_C was removed from config.h.
---
 include/mbedtls/config.h | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 650f862bfd..1b0295e139 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2606,10 +2606,6 @@
 *
 * Enable the elliptic curve J-PAKE library.
 *
- * \warning This is currently experimental. EC J-PAKE support is based on the
- * Thread v1.0.0 specification; incompatible changes to the specification
- * might still happen.
- *
 * Module: library/ecjpake.c
 * Caller:
 *
From 1fc7c4c95e38356f61168803470d3e3b6ea356f6 Mon Sep 17 00:00:00 2001
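Review bot: In PATCH 12/16 (tests/scripts/all.sh), `scripts/config.py unset MBEDTLS_CMAC_C` is added next to `unset MBEDTLS_CIPHER_MODE_CBC` with no comment, so the only record that CMAC is dropped because CBC is dropped is the commit history. It also means the combination of CMAC enabled and CBC disabled is no longer built by this component, while the `Requires:` line for `MBEDTLS_CMAC_C` shown earlier in the series names only AES or DES. I would add a comment above the line such as `# CMAC is enabled by default; its test suite apparently needs CBC (see PATCH 07/16)`, and, if the dependency turns out to be in the library and not just the tests, record it in the `Requires:` comment too. The component body continues outside the hunk.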
From: Tomasz Rodziewicz <40165497+TRodziewicz@users.noreply.github.com>
Date: Fri, 7 May 2021 10:13:31 +0200
Subject: [PATCH 15/16] Update config.h Correction to the ECJPAKE_C note in config.h
---
 include/mbedtls/config.h | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 1b0295e139..7656028e0e 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2606,6 +2606,10 @@
 *
 * Enable the elliptic curve J-PAKE library.
 *
+ * \note EC J-PAKE support is based on the Thread v1.0.0 specification.
+ * It has not been reviewed for compliance with newer standards such as
+ * Thread v1.1 or RFC 8236.
+ *
 * Module: library/ecjpake.c
 * Caller:
 *
From 532ca93246e4bbf1a2c4fcabb35a91ada74e10a3 Mon Sep 17 00:00:00 2001
From: Tomasz Rodziewicz <40165497+TRodziewicz@users.noreply.github.com>
Date: Fri, 7 May 2021 11:01:24 +0200
Subject: [PATCH 16/16] Trailing spaces removed from comments in config.h
---
 include/mbedtls/config.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7656028e0e..20c524c843 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2606,8 +2606,8 @@
 *
 * Enable the elliptic curve J-PAKE library.
 *
- * \note EC J-PAKE support is based on the Thread v1.0.0 specification.
- * It has not been reviewed for compliance with newer standards such as
+ * \note EC J-PAKE support is based on the Thread v1.0.0 specification.
+ * It has not been reviewed for compliance with newer standards such as
 * Thread v1.1 or RFC 8236.
 *
 * Module: library/ecjpake.c
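Review bot: In PATCH 15/16, the new `\note` says the EC J-PAKE code has not been reviewed against Thread v1.1 or RFC 8236, but the block no longer tells the reader that the module is compiled in by default, which this series changed in PATCH 01/16 and PATCH 04/16. Someone reading this block alone cannot tell that the default build now includes it. I would add a line such as ` * Enabled by default; comment out MBEDTLS_ECJPAKE_C if EC J-PAKE is not needed.` The comment block begins and ends outside the hunk.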