mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-21 10:20:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Remove uses of secp244k1

Browse Source 
Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will
not be implemented. (It would be K1_225 anyway, but we don't intend to
implement it anyway.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2025-01-02 11:30:55 +01:00
parent a074fe491a
commit bc7c523420
8 changed files with 1 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
configs/ext/crypto_config_profile_medium.h
View File

@ -198,12 +198,6 @@
//#define PSA_WANT_ECC_MONTGOMERY_255 1 //#define PSA_WANT_ECC_MONTGOMERY_255 1
//#define PSA_WANT_ECC_MONTGOMERY_448 1 //#define PSA_WANT_ECC_MONTGOMERY_448 1
//#define PSA_WANT_ECC_SECP_K1_192 1 //#define PSA_WANT_ECC_SECP_K1_192 1
/*
* SECP224K1 is buggy via the PSA API in Mbed TLS
* (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
* default.
*/
//#define PSA_WANT_ECC_SECP_K1_224 1
//#define PSA_WANT_ECC_SECP_K1_256 1 //#define PSA_WANT_ECC_SECP_K1_256 1
//#define PSA_WANT_ECC_SECP_R1_192 1 //#define PSA_WANT_ECC_SECP_R1_192 1
//#define PSA_WANT_ECC_SECP_R1_224 1 //#define PSA_WANT_ECC_SECP_R1_224 1

1
include/mbedtls/check_config.h
View File

@ -43,7 +43,6 @@
defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \ defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \ defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \

3
library/ssl_tls.c
View File

@ -6251,9 +6251,6 @@ static const struct {
#if defined(PSA_WANT_ECC_SECP_R1_224) #if defined(PSA_WANT_ECC_SECP_R1_224)
{ 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
#endif #endif
#if defined(PSA_WANT_ECC_SECP_K1_224)
{ 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
#endif
#if defined(PSA_WANT_ECC_SECP_R1_192) #if defined(PSA_WANT_ECC_SECP_R1_192)
{ 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
#endif #endif

5
programs/ssl/ssl_test_lib.c
View File

@ -518,11 +518,6 @@ static const struct {
#else #else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 },
#else #else

12
scripts/config.py
View File

@ -60,13 +60,8 @@ PSA_DEPRECATED_FEATURE = frozenset([
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR' 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR'
]) ])
PSA_UNSTABLE_FEATURE = frozenset([
'PSA_WANT_ECC_SECP_K1_224'
])
EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \ EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \
PSA_DEPRECATED_FEATURE | \ PSA_DEPRECATED_FEATURE
PSA_UNSTABLE_FEATURE
# The goal of the full configuration is to have everything that can be tested # The goal of the full configuration is to have everything that can be tested
# together. This includes deprecated or insecure options. It excludes: # together. This includes deprecated or insecure options. It excludes:
@ -114,7 +109,6 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE', # only relevant for embedded devices 'MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE', # only relevant for embedded devices
*PSA_UNSUPPORTED_FEATURE, *PSA_UNSUPPORTED_FEATURE,
*PSA_DEPRECATED_FEATURE, *PSA_DEPRECATED_FEATURE,
*PSA_UNSTABLE_FEATURE
]) ])
def is_seamless_alt(name): def is_seamless_alt(name):
@ -367,8 +361,6 @@ class CryptoConfig(config_common.Config):
if name in PSA_UNSUPPORTED_FEATURE: if name in PSA_UNSUPPORTED_FEATURE:
raise ValueError(f'Feature is unsupported: \'{name}\'') raise ValueError(f'Feature is unsupported: \'{name}\'')
if name in PSA_UNSTABLE_FEATURE:
raise ValueError(f'Feature is unstable: \'{name}\'')
if name not in self.settings: if name not in self.settings:
self._get_configfile().templates.append((name, '', '#define ' + name + ' ')) self._get_configfile().templates.append((name, '', '#define ' + name + ' '))
@ -417,8 +409,6 @@ class CombinedConfig(config_common.Config):
if configfile == self.crypto_configfile: if configfile == self.crypto_configfile:
if name in PSA_UNSUPPORTED_FEATURE: if name in PSA_UNSUPPORTED_FEATURE:
raise ValueError(f'Feature is unsupported: \'{name}\'') raise ValueError(f'Feature is unsupported: \'{name}\'')
if name in PSA_UNSTABLE_FEATURE:
raise ValueError(f'Feature is unstable: \'{name}\'')
# The default value in the crypto config is '1' # The default value in the crypto config is '1'
if not value and re.match(self._crypto_regexp, name): if not value and re.match(self._crypto_regexp, name):

2
tests/scripts/analyze_outcomes.py
View File

@ -132,8 +132,6 @@ class CoverageTask(outcome_analysis.CoverageTask):
'Config: PSA_WANT_ALG_CBC_MAC', 'Config: PSA_WANT_ALG_CBC_MAC',
# Algorithm declared but not supported. # Algorithm declared but not supported.
'Config: PSA_WANT_ALG_XTS', 'Config: PSA_WANT_ALG_XTS',
# Family declared but not supported.
'Config: PSA_WANT_ECC_SECP_K1_224',
# More granularity of key pair type enablement macros # More granularity of key pair type enablement macros
# than we care to test. # than we care to test.
# https://github.com/Mbed-TLS/mbedtls/issues/9590 # https://github.com/Mbed-TLS/mbedtls/issues/9590

7
tests/ssl-opt.sh
View File

@ -2690,13 +2690,6 @@ requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
run_test_psa_force_curve "brainpoolP256r1" run_test_psa_force_curve "brainpoolP256r1"
requires_config_enabled PSA_WANT_ECC_SECP_R1_224 requires_config_enabled PSA_WANT_ECC_SECP_R1_224
run_test_psa_force_curve "secp224r1" run_test_psa_force_curve "secp224r1"
## SECP224K1 is buggy via the PSA API
## (https://github.com/Mbed-TLS/mbedtls/issues/3541),
## so it is disabled in PSA even when it's enabled in Mbed TLS.
## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but
## dependencies on PSA symbols in ssl-opt.sh are not implemented yet.
#requires_config_enabled PSA_WANT_ECC_SECP_K1_224
#run_test_psa_force_curve "secp224k1"
requires_config_enabled PSA_WANT_ECC_SECP_R1_192 requires_config_enabled PSA_WANT_ECC_SECP_R1_192
run_test_psa_force_curve "secp192r1" run_test_psa_force_curve "secp192r1"
requires_config_enabled PSA_WANT_ECC_SECP_K1_192 requires_config_enabled PSA_WANT_ECC_SECP_K1_192

5
tests/suites/test_suite_ssl.function
View File

@ -3595,11 +3595,6 @@ void elliptic_curve_get_properties()
#else #else
TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
#endif #endif
#if defined(PSA_WANT_ECC_SECP_K1_224)
TEST_AVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224);
#else
TEST_UNAVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_192) #if defined(PSA_WANT_ECC_SECP_R1_192)
TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
#else #else