From ea805b4f200ff85d1c9a6c7edac938c627582c3e Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 2 May 2022 10:30:03 +0200 Subject: [PATCH 1/5] mbedtls_config.h, check_config.h: fix CIPHER dependencies Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 23 ++++++++++++++++------- include/mbedtls/mbedtls_config.h | 26 ++++++++++++++++++++------ 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 88beaeb3a..f0749f037 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -76,13 +76,13 @@ #endif #if defined(MBEDTLS_CMAC_C) && \ - !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C) + ( !defined(MBEDTLS_CIPHER_C ) || ( !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C) ) ) #error "MBEDTLS_CMAC_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_NIST_KW_C) && \ ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) ) -#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites" +#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites (missing CIPHER)" #endif #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C) @@ -149,8 +149,13 @@ #error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PKCS5_C) && !defined(MBEDTLS_MD_C) -#error "MBEDTLS_PKCS5_C defined, but not all prerequisites" +#if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_CIPHER_C) +#error "MBEDTLS_PKCS12_C defined, but not all prerequesites" +#endif + +#if defined(MBEDTLS_PKCS5_C) && (!defined(MBEDTLS_MD_C) || \ + !defined(MBEDTLS_CIPHER_C)) +#error "MBEDTLS_PKCS5_C defined, but not all prerequesites" #endif #if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_MD_C) @@ -199,7 +204,7 @@ #endif #if defined(MBEDTLS_CCM_C) && !defined(MBEDTLS_CIPHER_C) -#error "MBEDTLS_CCM_C defined, but not all prerequisites" +#error "MBEDTLS_CCM_C defined, but not all prerequisites (missing CIPHER)" #endif #if defined(MBEDTLS_GCM_C) && ( \ 
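Review bot: The CMAC condition in the `@@ -76` hunk writes `!defined(MBEDTLS_CIPHER_C )` with a space before the closing parenthesis, unlike the other `defined(...)` tests in this diff; the same spelling recurs in the MBEDTLS_PSA_CRYPTO_C check added at `@@ -562`. Use `!defined(MBEDTLS_CIPHER_C)` in both places so that a textual search for the macro test finds every check that depends on the cipher layer.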
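Review bot: Both new `#error` strings in the `@@ -149` hunk spell the word "prerequesites", while the other messages visible in this diff use "prerequisites", so a search for the usual message text misses them. Use `#error "MBEDTLS_PKCS12_C defined, but not all prerequisites"` and the same spelling for MBEDTLS_PKCS5_C. MBEDTLS_PKCS12_C also ends up with two separate blocks, the new one for MBEDTLS_CIPHER_C and the existing one for MBEDTLS_MD_C just below it; folding them into one condition, as this hunk does for MBEDTLS_PKCS5_C, would keep a single check per module.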
@@ -208,7 +213,7 @@ #endif #if defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CIPHER_C) -#error "MBEDTLS_GCM_C defined, but not all prerequisites" +#error "MBEDTLS_GCM_C defined, but not all prerequisites (missing CIPHER)" #endif #if defined(MBEDTLS_CHACHAPOLY_C) && !defined(MBEDTLS_CHACHA20_C) @@ -562,6 +567,10 @@ #error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)" #endif +#if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_CIPHER_C ) +#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing CIPHER)" +#endif + #if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C) #error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites" #endif @@ -801,7 +810,7 @@ #endif #if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C) -#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" +#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites (missing CIPHER)" #endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 5ec31f774..ca264e902 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2115,7 +2115,8 @@ * * Module: library/ccm.c * - * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or + * MBEDTLS_ARIA_C * * This module enables the AES-CCM ciphersuites, if other requisites are * enabled as well. @@ -2148,7 +2149,18 @@ * Enable the generic cipher layer. * * Module: library/cipher.c - * Caller: library/ssl_tls.c + * Caller: library/ccm.c + * library/cmac.c + * library/gcm.c + * library/nist_kw.c + * library/oid.c + * library/pkcs12.c + * library/pkcs5.c + * library/psa_crypto_aead.c + * library/psa_crypto_mac.c + * library/ssl_ciphersuites.c + * library/ssl_msg.c + * library/ssl_ticket.c * * Uncomment to enable generic cipher wrappers. */ 
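Review bot: The new `Requires:` line for MBEDTLS_CCM_C at `@@ -2115` mixes a comma with `or`, so it can be read as "(CIPHER_C and AES_C) or CAMELLIA_C or ARIA_C", whereas check_config.h rejects CCM without MBEDTLS_CIPHER_C whichever block cipher is enabled. Spell out the grouping, for example ` * Requires: MBEDTLS_CIPHER_C and one of MBEDTLS_AES_C, MBEDTLS_CAMELLIA_C, MBEDTLS_ARIA_C`. The same comma-plus-`or` wording is introduced for MBEDTLS_CMAC_C at `@@ -2167` and for MBEDTLS_GCM_C at `@@ -2346`.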
@@ -2167,7 +2179,7 @@ * * Module: library/cmac.c * - * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C * */ #define MBEDTLS_CMAC_C @@ -2346,7 +2358,8 @@ * * Module: library/gcm.c * - * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or + * MBEDTLS_ARIA_C * * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other * requisites are enabled as well. @@ -2605,7 +2618,7 @@ * * Module: library/pkcs5.c * - * Requires: MBEDTLS_MD_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C * * This module adds support for the PKCS#5 functions. */ @@ -2663,7 +2676,8 @@ * * Module: library/psa_crypto.c * - * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, + * Requires: MBEDTLS_CIPHER_C, + * either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * From 10f3a601b483d1f1b34112086eedc8eda674c5ef Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 2 May 2022 10:55:33 +0200 Subject: [PATCH 2/5] all.sh: add build/test config full minus CIPHER Dependency list: - ['MBEDTLS_CIPHER_C'] - ['MBEDTLS_CMAC_C', 'MBEDTLS_NIST_KW_C', 'MBEDTLS_PKCS12_C', 'MBEDTLS_PKCS5_C', 'MBEDTLS_CCM_C', 'MBEDTLS_GCM_C', 'MBEDTLS_PSA_CRYPTO_C', 'MBEDTLS_SSL_TLS_C', 'MBEDTLS_SSL_TICKET_C'] - ['MBEDTLS_PSA_CRYPTO_SE_C', 'MBEDTLS_PSA_CRYPTO_STORAGE_C', 'MBEDTLS_SSL_PROTO_TLS1_3', 'MBEDTLS_SSL_CLI_C', 'MBEDTLS_SSL_SRV_C', 'MBEDTLS_SSL_DTLS_ANTI_REPLAY', 'MBEDTLS_SSL_DTLS_CONNECTION_ID', 'MBEDTLS_USE_PSA_CRYPTO'] Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 29a6201a7..2f7cd68c9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1227,6 +1227,33 @@ component_test_crypto_full_no_md () { make test } +component_test_full_no_cipher () { + msg "build: full minus CIPHER" + scripts/config.py full + scripts/config.py unset MBEDTLS_CIPHER_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_PKCS12_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_SSL_TLS_C + scripts/config.py unset MBEDTLS_SSL_TICKET_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_SSL_CLI_C + scripts/config.py unset MBEDTLS_SSL_SRV_C + scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY + scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + make + + msg "test: full minus CIPHER" + make test +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full From 179d74831f07b583af9167dca880573ec43e9680 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 2 May 2022 11:03:35 +0200 Subject: [PATCH 3/5] all.sh: add build/test config crypto_full minus CIPHER Dependency list: - ['MBEDTLS_CIPHER_C'] - ['MBEDTLS_CMAC_C', 'MBEDTLS_NIST_KW_C', 'MBEDTLS_PKCS12_C', 'MBEDTLS_PKCS5_C', 'MBEDTLS_CCM_C', 'MBEDTLS_GCM_C', 'MBEDTLS_PSA_CRYPTO_C'] - ['MBEDTLS_PSA_CRYPTO_SE_C', 'MBEDTLS_PSA_CRYPTO_STORAGE_C', 'MBEDTLS_USE_PSA_CRYPTO'] Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2f7cd68c9..348578049 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
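Review bot: The build step of component_test_full_no_cipher is a bare `make`, so warnings that only appear once MBEDTLS_CIPHER_C is compiled out (unused static functions or variables left behind the remaining `#if` guards) would not fail this component. Reduced configurations are where such guard mistakes surface, so consider `make CFLAGS='-Werror -Wall -Wextra'` for the build, if that matches how the neighbouring components in all.sh build (they are not visible in this hunk). The same applies to component_test_crypto_full_no_cipher added at `@@ -1254`.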
@@ -1254,6 +1254,26 @@ component_test_full_no_cipher () { make test } +component_test_crypto_full_no_cipher () { + msg "build: crypto_full minus CIPHER" + scripts/config.py crypto_full + scripts/config.py unset MBEDTLS_CIPHER_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_PKCS12_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + make + + msg "test: crypto_full minus CIPHER" + make test +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full From a09f835bd8a9494ca1e23659f20b05aab3cfdbef Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 12 May 2022 09:34:28 +0200 Subject: [PATCH 4/5] Fix CIPHER dependencies dependeny and error messages Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 13 +++++++------ include/mbedtls/mbedtls_config.h | 5 ++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index f0749f037..73c50c254 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -82,7 +82,7 @@ #if defined(MBEDTLS_NIST_KW_C) && \ ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) ) -#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites (missing CIPHER)" +#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C) 
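Review bot: The eleven `scripts/config.py unset` lines in component_test_crypto_full_no_cipher repeat, option for option, the crypto part of the list in component_test_full_no_cipher, so every change to the set of modules that need MBEDTLS_CIPHER_C has to be made twice; a later patch in this series already edits both lists in parallel. A small shared helper that unsets the common options, called from both components, would keep the lists from drifting, with the TLS-only options staying in the `full` component. The helper name in the sketch below is constructed for illustration.

```shell
# Constructed helper name: unsets MBEDTLS_CIPHER_C and the crypto modules that need it.
unset_cipher_and_crypto_dependents () {
    for opt in MBEDTLS_CIPHER_C MBEDTLS_CMAC_C MBEDTLS_NIST_KW_C \
               MBEDTLS_PKCS12_C MBEDTLS_PKCS5_C MBEDTLS_CCM_C MBEDTLS_GCM_C \
               MBEDTLS_PSA_CRYPTO_C MBEDTLS_PSA_CRYPTO_SE_C \
               MBEDTLS_PSA_CRYPTO_STORAGE_C MBEDTLS_USE_PSA_CRYPTO; do
        scripts/config.py unset "$opt"
    done
}

component_test_crypto_full_no_cipher () {
    # … unchanged: msg "build: …", scripts/config.py crypto_full …
    unset_cipher_and_crypto_dependents
    # … unchanged: make, msg "test: …", make test …
}
```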
@@ -204,7 +204,7 @@ #endif #if defined(MBEDTLS_CCM_C) && !defined(MBEDTLS_CIPHER_C) -#error "MBEDTLS_CCM_C defined, but not all prerequisites (missing CIPHER)" +#error "MBEDTLS_CCM_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_GCM_C) && ( \ @@ -213,7 +213,7 @@ #endif #if defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CIPHER_C) -#error "MBEDTLS_GCM_C defined, but not all prerequisites (missing CIPHER)" +#error "MBEDTLS_GCM_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_CHACHAPOLY_C) && !defined(MBEDTLS_CHACHA20_C) @@ -568,7 +568,7 @@ #endif #if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_CIPHER_C ) -#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing CIPHER)" +#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C) @@ -809,8 +809,9 @@ #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C) -#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites (missing CIPHER)" +#if defined(MBEDTLS_SSL_TICKET_C) && ( !defined(MBEDTLS_CIPHER_C) && \ + !defined(MBEDTLS_USE_PSA_CRYPTO) ) +#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ca264e902..016b219cc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2153,14 +2153,13 @@ * library/cmac.c * library/gcm.c * library/nist_kw.c - * library/oid.c * library/pkcs12.c * library/pkcs5.c * library/psa_crypto_aead.c * library/psa_crypto_mac.c * library/ssl_ciphersuites.c * library/ssl_msg.c - * library/ssl_ticket.c + * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) * * Uncomment to enable generic cipher wrappers. */ 
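Review bot: The relaxed MBEDTLS_SSL_TICKET_C condition at `@@ -809` accepts MBEDTLS_USE_PSA_CRYPTO in place of MBEDTLS_CIPHER_C, but the check at `@@ -568` in the same file makes MBEDTLS_PSA_CRYPTO_C require MBEDTLS_CIPHER_C, and the dependency list in patch 2's message places MBEDTLS_USE_PSA_CRYPTO behind MBEDTLS_PSA_CRYPTO_C. If that chain holds, no accepted configuration has USE_PSA_CRYPTO without CIPHER_C, so the new alternative cannot be reached, and the wording `Requires: MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO` at `@@ -2978` together with the `ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)` caller entry at `@@ -2153` describes a build that check_config.h rejects. A comment above the check would record this, for example `/* USE_PSA_CRYPTO currently still implies CIPHER_C through PSA_CRYPTO_C */`.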
@@ -2978,7 +2977,7 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_CIPHER_C + * Requires: MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO */ #define MBEDTLS_SSL_TICKET_C From da5f483ad81e4ea2491829c4857d4be8077ddd2f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 12 May 2022 09:46:29 +0200 Subject: [PATCH 5/5] all.sh: Fix order of CIPHER dependencies Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 348578049..6144c2fad 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1231,22 +1231,24 @@ component_test_full_no_cipher () { msg "build: full minus CIPHER" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C + # Direct dependencies + scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py unset MBEDTLS_PKCS12_C scripts/config.py unset MBEDTLS_PKCS5_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_C scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C + # Indirect dependencies + scripts/config.py unset MBEDTLS_SSL_CLI_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_SSL_CLI_C - scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO make 
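Review bot: The comments `# Direct dependencies` and `# Indirect dependencies` added at `@@ -1231` name the relation backwards: the options listed are modules that depend on MBEDTLS_CIPHER_C, not things it depends on. Something like `# Modules that require MBEDTLS_CIPHER_C directly` and `# Modules that require one of the above` would say why each option is unset. Within the second group, MBEDTLS_SSL_CLI_C sits ahead of an otherwise alphabetical list. The same two comments are added to component_test_crypto_full_no_cipher at `@@ -1258`, and both function bodies extend beyond their hunks.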
@@ -1258,13 +1260,15 @@ component_test_crypto_full_no_cipher () { msg "build: crypto_full minus CIPHER" scripts/config.py crypto_full scripts/config.py unset MBEDTLS_CIPHER_C + # Direct dependencies + scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py unset MBEDTLS_PKCS12_C scripts/config.py unset MBEDTLS_PKCS5_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + # Indirect dependencies scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO