Revert "config: Remove X.509 options"

This reverts commit bb1f701212.

* include/mbedtls/check_config.h:
    * MBEDTLS_X509_RSASSA_PSS_SUPPORT: there has been an addition (of
      MBEDTLS_SHA512_NO_SHA384) at the place where it was removed.
      Re-add it before MBEDTLS_SHA512_NO_SHA384 to keep it grouped
      with MBEDTLS_RSA_C.

Conflicts:
* scripts/config.pl: this file has been replaced by config.py. Port
  the reversed changes to config.py:
    * Revert removing three symbols from the list of symbols to
      exclude from full.
This commit is contained in:
Gilles Peskine 2020-02-26 18:33:58 +01:00 committed by Ronald Cron
parent 458b8f2a59
commit 252e391cca
9 changed files with 653 additions and 4 deletions

View file

@ -51,6 +51,8 @@
#define MBEDTLS_PKCS1_V21 #define MBEDTLS_PKCS1_V21
#define MBEDTLS_SELF_TEST #define MBEDTLS_SELF_TEST
#define MBEDTLS_VERSION_FEATURES #define MBEDTLS_VERSION_FEATURES
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
/* mbed TLS modules */ /* mbed TLS modules */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C
@ -76,6 +78,9 @@
#define MBEDTLS_SHA256_C #define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C #define MBEDTLS_SHA512_C
#define MBEDTLS_VERSION_C #define MBEDTLS_VERSION_C
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRL_PARSE_C
//#define MBEDTLS_CMAC_C //#define MBEDTLS_CMAC_C
/* Miscellaneous options */ /* Miscellaneous options */

View file

@ -1024,6 +1024,64 @@
*/ */
#define MBEDTLS_VERSION_FEATURES #define MBEDTLS_VERSION_FEATURES
/**
* \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
*
* If set, the X509 parser will not break-off when parsing an X509 certificate
* and encountering an extension in a v1 or v2 certificate.
*
* Uncomment to prevent an error.
*/
//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
/**
* \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
*
* If set, the X509 parser will not break-off when parsing an X509 certificate
* and encountering an unknown critical extension.
*
* \warning Depending on your PKI use, enabling this can be a security risk!
*
* Uncomment to prevent an error.
*/
//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
/**
* \def MBEDTLS_X509_CHECK_KEY_USAGE
*
* Enable verification of the keyUsage extension (CA and leaf certificates).
*
* Disabling this avoids problems with mis-issued and/or misused
* (intermediate) CA and leaf certificates.
*
* \warning Depending on your PKI use, disabling this can be a security risk!
*
* Comment to skip keyUsage checking for both CA and leaf certificates.
*/
#define MBEDTLS_X509_CHECK_KEY_USAGE
/**
* \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
*
* Enable verification of the extendedKeyUsage extension (leaf certificates).
*
* Disabling this avoids problems with mis-issued and/or misused certificates.
*
* \warning Depending on your PKI use, disabling this can be a security risk!
*
* Comment to skip extendedKeyUsage checking for certificates.
*/
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
/* \} name SECTION: mbed TLS feature support */ /* \} name SECTION: mbed TLS feature support */
/** /**
@ -1154,7 +1212,8 @@
* Enable the generic ASN1 parser. * Enable the generic ASN1 parser.
* *
* Module: library/asn1.c * Module: library/asn1.c
* Caller: library/dhm.c * Caller: library/x509.c
* library/dhm.c
* library/pkcs12.c * library/pkcs12.c
* library/pkcs5.c * library/pkcs5.c
* library/pkparse.c * library/pkparse.c
@ -1169,6 +1228,9 @@
* Module: library/asn1write.c * Module: library/asn1write.c
* Caller: library/ecdsa.c * Caller: library/ecdsa.c
* library/pkwrite.c * library/pkwrite.c
* library/x509_create.c
* library/x509write_crt.c
* library/x509write_csr.c
*/ */
#define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_ASN1_WRITE_C
@ -1326,6 +1388,18 @@
*/ */
#define MBEDTLS_CCM_C #define MBEDTLS_CCM_C
/**
* \def MBEDTLS_CERTS_C
*
* Enable the test certificates.
*
* Module: library/certs.c
* Caller:
*
* This module is used for testing (ssl_client/server).
*/
#define MBEDTLS_CERTS_C
/** /**
* \def MBEDTLS_CHACHA20_C * \def MBEDTLS_CHACHA20_C
* *
@ -1694,6 +1768,13 @@
* library/pkparse.c * library/pkparse.c
* library/pkwrite.c * library/pkwrite.c
* library/rsa.c * library/rsa.c
* library/x509.c
* library/x509_create.c
* library/x509_crl.c
* library/x509_crt.c
* library/x509_csr.c
* library/x509write_crt.c
* library/x509write_csr.c
* *
* This modules translates between OIDs and internal values. * This modules translates between OIDs and internal values.
*/ */
@ -1721,6 +1802,9 @@
* Module: library/pem.c * Module: library/pem.c
* Caller: library/dhm.c * Caller: library/dhm.c
* library/pkparse.c * library/pkparse.c
* library/x509_crl.c
* library/x509_crt.c
* library/x509_csr.c
* *
* Requires: MBEDTLS_BASE64_C * Requires: MBEDTLS_BASE64_C
* *
@ -1735,6 +1819,8 @@
* *
* Module: library/pem.c * Module: library/pem.c
* Caller: library/pkwrite.c * Caller: library/pkwrite.c
* library/x509write_crt.c
* library/x509write_csr.c
* *
* Requires: MBEDTLS_BASE64_C * Requires: MBEDTLS_BASE64_C
* *
@ -1761,6 +1847,8 @@
* Enable the generic public (asymetric) key parser. * Enable the generic public (asymetric) key parser.
* *
* Module: library/pkparse.c * Module: library/pkparse.c
* Caller: library/x509_crt.c
* library/x509_csr.c
* *
* Requires: MBEDTLS_PK_C * Requires: MBEDTLS_PK_C
* *
@ -1774,6 +1862,7 @@
* Enable the generic public (asymetric) key writer. * Enable the generic public (asymetric) key writer.
* *
* Module: library/pkwrite.c * Module: library/pkwrite.c
* Caller: library/x509write.c
* *
* Requires: MBEDTLS_PK_C * Requires: MBEDTLS_PK_C
* *
@ -1794,6 +1883,21 @@
*/ */
#define MBEDTLS_PKCS5_C #define MBEDTLS_PKCS5_C
/**
* \def MBEDTLS_PKCS11_C
*
* Enable wrapper for PKCS#11 smartcard support.
*
* Module: library/pkcs11.c
* Caller: library/pk.c
*
* Requires: MBEDTLS_PK_C
*
* This module enables SSL/TLS PKCS #11 smartcard support.
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
*/
//#define MBEDTLS_PKCS11_C
/** /**
* \def MBEDTLS_PKCS12_C * \def MBEDTLS_PKCS12_C
* *
@ -1895,6 +1999,7 @@
* *
* Module: library/rsa.c * Module: library/rsa.c
* library/rsa_internal.c * library/rsa_internal.c
* Caller: library/x509.c
* *
* This module is used by the following key exchanges: * This module is used by the following key exchanges:
* RSA, DHE-RSA, ECDHE-RSA, RSA-PSK * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
@ -1910,6 +2015,7 @@
* *
* Module: library/sha1.c * Module: library/sha1.c
* Caller: library/md.c * Caller: library/md.c
* library/x509write_crt.c
* *
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates. * depending on the handshake parameters, and for SHA1-signed certificates.
@ -2004,6 +2110,106 @@
*/ */
#define MBEDTLS_VERSION_C #define MBEDTLS_VERSION_C
/**
* \def MBEDTLS_X509_USE_C
*
* Enable X.509 core for using certificates.
*
* Module: library/x509.c
* Caller: library/x509_crl.c
* library/x509_crt.c
* library/x509_csr.c
*
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
* MBEDTLS_PK_PARSE_C
*
* This module is required for the X.509 parsing modules.
*/
#define MBEDTLS_X509_USE_C
/**
* \def MBEDTLS_X509_CRT_PARSE_C
*
* Enable X.509 certificate parsing.
*
* Module: library/x509_crt.c
* Caller: library/ssl_cli.c
* library/ssl_srv.c
* library/ssl_tls.c
*
* Requires: MBEDTLS_X509_USE_C
*
* This module is required for X.509 certificate parsing.
*/
#define MBEDTLS_X509_CRT_PARSE_C
/**
* \def MBEDTLS_X509_CRL_PARSE_C
*
* Enable X.509 CRL parsing.
*
* Module: library/x509_crl.c
* Caller: library/x509_crt.c
*
* Requires: MBEDTLS_X509_USE_C
*
* This module is required for X.509 CRL parsing.
*/
#define MBEDTLS_X509_CRL_PARSE_C
/**
* \def MBEDTLS_X509_CSR_PARSE_C
*
* Enable X.509 Certificate Signing Request (CSR) parsing.
*
* Module: library/x509_csr.c
* Caller: library/x509_crt_write.c
*
* Requires: MBEDTLS_X509_USE_C
*
* This module is used for reading X.509 certificate request.
*/
#define MBEDTLS_X509_CSR_PARSE_C
/**
* \def MBEDTLS_X509_CREATE_C
*
* Enable X.509 core for creating certificates.
*
* Module: library/x509_create.c
*
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
#define MBEDTLS_X509_CREATE_C
/**
* \def MBEDTLS_X509_CRT_WRITE_C
*
* Enable creating X.509 certificates.
*
* Module: library/x509_crt_write.c
*
* Requires: MBEDTLS_X509_CREATE_C
*
* This module is required for X.509 certificate creation.
*/
#define MBEDTLS_X509_CRT_WRITE_C
/**
* \def MBEDTLS_X509_CSR_WRITE_C
*
* Enable creating X.509 Certificate Signing Requests (CSR).
*
* Module: library/x509_csr_write.c
*
* Requires: MBEDTLS_X509_CREATE_C
*
* This module is required for X.509 certificate request writing.
*/
#define MBEDTLS_X509_CSR_WRITE_C
/** /**
* \def MBEDTLS_XTEA_C * \def MBEDTLS_XTEA_C
* *

View file

@ -66,9 +66,12 @@
#define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_PARSE_C
#define MBEDTLS_SHA256_C #define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C #define MBEDTLS_SHA512_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_USE_C
/* For test certificates */ /* For test certificates */
#define MBEDTLS_BASE64_C #define MBEDTLS_BASE64_C
#define MBEDTLS_CERTS_C
#define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PEM_PARSE_C
/* Save RAM at the expense of ROM */ /* Save RAM at the expense of ROM */

View file

@ -270,6 +270,10 @@
#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites" #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
#endif #endif
#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C) #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites" #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
#endif #endif
@ -510,6 +514,11 @@
#error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled" #error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled"
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) )
#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C)
#error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C" #error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C"
#endif #endif
@ -541,6 +550,38 @@
#error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites" #error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
#endif #endif
#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) || \
!defined(MBEDTLS_PK_PARSE_C) )
#error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) || \
!defined(MBEDTLS_PK_WRITE_C) )
#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
#error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRL_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
#error "MBEDTLS_X509_CRL_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CSR_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
#error "MBEDTLS_X509_CSR_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRT_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
#error "MBEDTLS_X509_CRT_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CSR_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64) #if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously" #error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */ #endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */

View file

@ -1125,6 +1125,83 @@
*/ */
#define MBEDTLS_VERSION_FEATURES #define MBEDTLS_VERSION_FEATURES
/**
* \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
*
* If set, the X509 parser will not break-off when parsing an X509 certificate
* and encountering an extension in a v1 or v2 certificate.
*
* Uncomment to prevent an error.
*/
//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
/**
* \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
*
* If set, the X509 parser will not break-off when parsing an X509 certificate
* and encountering an unknown critical extension.
*
* \warning Depending on your PKI use, enabling this can be a security risk!
*
* Uncomment to prevent an error.
*/
//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
/**
* \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
*
* If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
* and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
* the set of trusted certificates through a callback instead of a linked
* list.
*
* This is useful for example in environments where a large number of trusted
* certificates is present and storing them in a linked list isn't efficient
* enough, or when the set of trusted certificates changes frequently.
*
* See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
* `mbedtls_ssl_conf_ca_cb()` for more information.
*
* Uncomment to enable trusted certificate callbacks.
*/
//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
/**
* \def MBEDTLS_X509_CHECK_KEY_USAGE
*
* Enable verification of the keyUsage extension (CA and leaf certificates).
*
* Disabling this avoids problems with mis-issued and/or misused
* (intermediate) CA and leaf certificates.
*
* \warning Depending on your PKI use, disabling this can be a security risk!
*
* Comment to skip keyUsage checking for both CA and leaf certificates.
*/
#define MBEDTLS_X509_CHECK_KEY_USAGE
/**
* \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
*
* Enable verification of the extendedKeyUsage extension (leaf certificates).
*
* Disabling this avoids problems with mis-issued and/or misused certificates.
*
* \warning Depending on your PKI use, disabling this can be a security risk!
*
* Comment to skip extendedKeyUsage checking for certificates.
*/
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
/* \} name SECTION: mbed TLS feature support */ /* \} name SECTION: mbed TLS feature support */
/** /**
@ -1255,7 +1332,8 @@
* Enable the generic ASN1 parser. * Enable the generic ASN1 parser.
* *
* Module: library/asn1.c * Module: library/asn1.c
* Caller: library/dhm.c * Caller: library/x509.c
* library/dhm.c
* library/pkcs12.c * library/pkcs12.c
* library/pkcs5.c * library/pkcs5.c
* library/pkparse.c * library/pkparse.c
@ -1270,6 +1348,9 @@
* Module: library/asn1write.c * Module: library/asn1write.c
* Caller: library/ecdsa.c * Caller: library/ecdsa.c
* library/pkwrite.c * library/pkwrite.c
* library/x509_create.c
* library/x509write_crt.c
* library/x509write_csr.c
*/ */
#define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_ASN1_WRITE_C
@ -1427,6 +1508,18 @@
*/ */
#define MBEDTLS_CCM_C #define MBEDTLS_CCM_C
/**
* \def MBEDTLS_CERTS_C
*
* Enable the test certificates.
*
* Module: library/certs.c
* Caller:
*
* This module is used for testing (ssl_client/server).
*/
#define MBEDTLS_CERTS_C
/** /**
* \def MBEDTLS_CHACHA20_C * \def MBEDTLS_CHACHA20_C
* *
@ -1799,6 +1892,13 @@
* library/pkparse.c * library/pkparse.c
* library/pkwrite.c * library/pkwrite.c
* library/rsa.c * library/rsa.c
* library/x509.c
* library/x509_create.c
* library/x509_crl.c
* library/x509_crt.c
* library/x509_csr.c
* library/x509write_crt.c
* library/x509write_csr.c
* *
* This modules translates between OIDs and internal values. * This modules translates between OIDs and internal values.
*/ */
@ -1826,6 +1926,9 @@
* Module: library/pem.c * Module: library/pem.c
* Caller: library/dhm.c * Caller: library/dhm.c
* library/pkparse.c * library/pkparse.c
* library/x509_crl.c
* library/x509_crt.c
* library/x509_csr.c
* *
* Requires: MBEDTLS_BASE64_C * Requires: MBEDTLS_BASE64_C
* *
@ -1840,6 +1943,8 @@
* *
* Module: library/pem.c * Module: library/pem.c
* Caller: library/pkwrite.c * Caller: library/pkwrite.c
* library/x509write_crt.c
* library/x509write_csr.c
* *
* Requires: MBEDTLS_BASE64_C * Requires: MBEDTLS_BASE64_C
* *
@ -1866,6 +1971,8 @@
* Enable the generic public (asymetric) key parser. * Enable the generic public (asymetric) key parser.
* *
* Module: library/pkparse.c * Module: library/pkparse.c
* Caller: library/x509_crt.c
* library/x509_csr.c
* *
* Requires: MBEDTLS_PK_C * Requires: MBEDTLS_PK_C
* *
@ -1879,6 +1986,7 @@
* Enable the generic public (asymetric) key writer. * Enable the generic public (asymetric) key writer.
* *
* Module: library/pkwrite.c * Module: library/pkwrite.c
* Caller: library/x509write.c
* *
* Requires: MBEDTLS_PK_C * Requires: MBEDTLS_PK_C
* *
@ -1899,6 +2007,21 @@
*/ */
#define MBEDTLS_PKCS5_C #define MBEDTLS_PKCS5_C
/**
* \def MBEDTLS_PKCS11_C
*
* Enable wrapper for PKCS#11 smartcard support.
*
* Module: library/pkcs11.c
* Caller: library/pk.c
*
* Requires: MBEDTLS_PK_C
*
* This module enables SSL/TLS PKCS #11 smartcard support.
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
*/
//#define MBEDTLS_PKCS11_C
/** /**
* \def MBEDTLS_PKCS12_C * \def MBEDTLS_PKCS12_C
* *
@ -2020,6 +2143,7 @@
* *
* Module: library/rsa.c * Module: library/rsa.c
* library/rsa_internal.c * library/rsa_internal.c
* Caller: library/x509.c
* *
* This module is used by the following key exchanges: * This module is used by the following key exchanges:
* RSA, DHE-RSA, ECDHE-RSA, RSA-PSK * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
@ -2035,6 +2159,7 @@
* *
* Module: library/sha1.c * Module: library/sha1.c
* Caller: library/md.c * Caller: library/md.c
* library/x509write_crt.c
* *
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates. * depending on the handshake parameters, and for SHA1-signed certificates.
@ -2129,6 +2254,106 @@
*/ */
#define MBEDTLS_VERSION_C #define MBEDTLS_VERSION_C
/**
* \def MBEDTLS_X509_USE_C
*
* Enable X.509 core for using certificates.
*
* Module: library/x509.c
* Caller: library/x509_crl.c
* library/x509_crt.c
* library/x509_csr.c
*
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
* MBEDTLS_PK_PARSE_C
*
* This module is required for the X.509 parsing modules.
*/
#define MBEDTLS_X509_USE_C
/**
* \def MBEDTLS_X509_CRT_PARSE_C
*
* Enable X.509 certificate parsing.
*
* Module: library/x509_crt.c
* Caller: library/ssl_cli.c
* library/ssl_srv.c
* library/ssl_tls.c
*
* Requires: MBEDTLS_X509_USE_C
*
* This module is required for X.509 certificate parsing.
*/
#define MBEDTLS_X509_CRT_PARSE_C
/**
* \def MBEDTLS_X509_CRL_PARSE_C
*
* Enable X.509 CRL parsing.
*
* Module: library/x509_crl.c
* Caller: library/x509_crt.c
*
* Requires: MBEDTLS_X509_USE_C
*
* This module is required for X.509 CRL parsing.
*/
#define MBEDTLS_X509_CRL_PARSE_C
/**
* \def MBEDTLS_X509_CSR_PARSE_C
*
* Enable X.509 Certificate Signing Request (CSR) parsing.
*
* Module: library/x509_csr.c
* Caller: library/x509_crt_write.c
*
* Requires: MBEDTLS_X509_USE_C
*
* This module is used for reading X.509 certificate request.
*/
#define MBEDTLS_X509_CSR_PARSE_C
/**
* \def MBEDTLS_X509_CREATE_C
*
* Enable X.509 core for creating certificates.
*
* Module: library/x509_create.c
*
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
#define MBEDTLS_X509_CREATE_C
/**
* \def MBEDTLS_X509_CRT_WRITE_C
*
* Enable creating X.509 certificates.
*
* Module: library/x509_crt_write.c
*
* Requires: MBEDTLS_X509_CREATE_C
*
* This module is required for X.509 certificate creation.
*/
#define MBEDTLS_X509_CRT_WRITE_C
/**
* \def MBEDTLS_X509_CSR_WRITE_C
*
* Enable creating X.509 Certificate Signing Requests (CSR).
*
* Module: library/x509_csr_write.c
*
* Requires: MBEDTLS_X509_CREATE_C
*
* This module is required for X.509 certificate request writing.
*/
#define MBEDTLS_X509_CSR_WRITE_C
/** /**
* \def MBEDTLS_XTEA_C * \def MBEDTLS_XTEA_C
* *

View file

@ -429,6 +429,24 @@ static const char * const features[] = {
#if defined(MBEDTLS_VERSION_FEATURES) #if defined(MBEDTLS_VERSION_FEATURES)
"MBEDTLS_VERSION_FEATURES", "MBEDTLS_VERSION_FEATURES",
#endif /* MBEDTLS_VERSION_FEATURES */ #endif /* MBEDTLS_VERSION_FEATURES */
#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
"MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3",
#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
"MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION",
#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
"MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK",
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
"MBEDTLS_X509_CHECK_KEY_USAGE",
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
"MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE",
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_AESNI_C) #if defined(MBEDTLS_AESNI_C)
"MBEDTLS_AESNI_C", "MBEDTLS_AESNI_C",
#endif /* MBEDTLS_AESNI_C */ #endif /* MBEDTLS_AESNI_C */
@ -462,6 +480,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_CCM_C) #if defined(MBEDTLS_CCM_C)
"MBEDTLS_CCM_C", "MBEDTLS_CCM_C",
#endif /* MBEDTLS_CCM_C */ #endif /* MBEDTLS_CCM_C */
#if defined(MBEDTLS_CERTS_C)
"MBEDTLS_CERTS_C",
#endif /* MBEDTLS_CERTS_C */
#if defined(MBEDTLS_CHACHA20_C) #if defined(MBEDTLS_CHACHA20_C)
"MBEDTLS_CHACHA20_C", "MBEDTLS_CHACHA20_C",
#endif /* MBEDTLS_CHACHA20_C */ #endif /* MBEDTLS_CHACHA20_C */
@ -555,6 +576,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_PKCS5_C) #if defined(MBEDTLS_PKCS5_C)
"MBEDTLS_PKCS5_C", "MBEDTLS_PKCS5_C",
#endif /* MBEDTLS_PKCS5_C */ #endif /* MBEDTLS_PKCS5_C */
#if defined(MBEDTLS_PKCS11_C)
"MBEDTLS_PKCS11_C",
#endif /* MBEDTLS_PKCS11_C */
#if defined(MBEDTLS_PKCS12_C) #if defined(MBEDTLS_PKCS12_C)
"MBEDTLS_PKCS12_C", "MBEDTLS_PKCS12_C",
#endif /* MBEDTLS_PKCS12_C */ #endif /* MBEDTLS_PKCS12_C */
@ -600,6 +624,27 @@ static const char * const features[] = {
#if defined(MBEDTLS_VERSION_C) #if defined(MBEDTLS_VERSION_C)
"MBEDTLS_VERSION_C", "MBEDTLS_VERSION_C",
#endif /* MBEDTLS_VERSION_C */ #endif /* MBEDTLS_VERSION_C */
#if defined(MBEDTLS_X509_USE_C)
"MBEDTLS_X509_USE_C",
#endif /* MBEDTLS_X509_USE_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
"MBEDTLS_X509_CRT_PARSE_C",
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_X509_CRL_PARSE_C)
"MBEDTLS_X509_CRL_PARSE_C",
#endif /* MBEDTLS_X509_CRL_PARSE_C */
#if defined(MBEDTLS_X509_CSR_PARSE_C)
"MBEDTLS_X509_CSR_PARSE_C",
#endif /* MBEDTLS_X509_CSR_PARSE_C */
#if defined(MBEDTLS_X509_CREATE_C)
"MBEDTLS_X509_CREATE_C",
#endif /* MBEDTLS_X509_CREATE_C */
#if defined(MBEDTLS_X509_CRT_WRITE_C)
"MBEDTLS_X509_CRT_WRITE_C",
#endif /* MBEDTLS_X509_CRT_WRITE_C */
#if defined(MBEDTLS_X509_CSR_WRITE_C)
"MBEDTLS_X509_CSR_WRITE_C",
#endif /* MBEDTLS_X509_CSR_WRITE_C */
#if defined(MBEDTLS_XTEA_C) #if defined(MBEDTLS_XTEA_C)
"MBEDTLS_XTEA_C", "MBEDTLS_XTEA_C",
#endif /* MBEDTLS_XTEA_C */ #endif /* MBEDTLS_XTEA_C */

View file

@ -1186,6 +1186,54 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_VERSION_FEATURES */ #endif /* MBEDTLS_VERSION_FEATURES */
#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
if( strcmp( "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 );
return( 0 );
}
#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
if( strcmp( "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION );
return( 0 );
}
#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if( strcmp( "MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK );
return( 0 );
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
if( strcmp( "MBEDTLS_X509_CHECK_KEY_USAGE", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CHECK_KEY_USAGE );
return( 0 );
}
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
if( strcmp( "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE );
return( 0 );
}
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_RSASSA_PSS_SUPPORT );
return( 0 );
}
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_AESNI_C) #if defined(MBEDTLS_AESNI_C)
if( strcmp( "MBEDTLS_AESNI_C", config ) == 0 ) if( strcmp( "MBEDTLS_AESNI_C", config ) == 0 )
{ {
@ -1274,6 +1322,14 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_CCM_C */ #endif /* MBEDTLS_CCM_C */
#if defined(MBEDTLS_CERTS_C)
if( strcmp( "MBEDTLS_CERTS_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_CERTS_C );
return( 0 );
}
#endif /* MBEDTLS_CERTS_C */
#if defined(MBEDTLS_CHACHA20_C) #if defined(MBEDTLS_CHACHA20_C)
if( strcmp( "MBEDTLS_CHACHA20_C", config ) == 0 ) if( strcmp( "MBEDTLS_CHACHA20_C", config ) == 0 )
{ {
@ -1522,6 +1578,14 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_PKCS5_C */ #endif /* MBEDTLS_PKCS5_C */
#if defined(MBEDTLS_PKCS11_C)
if( strcmp( "MBEDTLS_PKCS11_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS11_C );
return( 0 );
}
#endif /* MBEDTLS_PKCS11_C */
#if defined(MBEDTLS_PKCS12_C) #if defined(MBEDTLS_PKCS12_C)
if( strcmp( "MBEDTLS_PKCS12_C", config ) == 0 ) if( strcmp( "MBEDTLS_PKCS12_C", config ) == 0 )
{ {
@ -1642,6 +1706,62 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_VERSION_C */ #endif /* MBEDTLS_VERSION_C */
#if defined(MBEDTLS_X509_USE_C)
if( strcmp( "MBEDTLS_X509_USE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_USE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_USE_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( strcmp( "MBEDTLS_X509_CRT_PARSE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_PARSE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_X509_CRL_PARSE_C)
if( strcmp( "MBEDTLS_X509_CRL_PARSE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRL_PARSE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_CRL_PARSE_C */
#if defined(MBEDTLS_X509_CSR_PARSE_C)
if( strcmp( "MBEDTLS_X509_CSR_PARSE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CSR_PARSE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_CSR_PARSE_C */
#if defined(MBEDTLS_X509_CREATE_C)
if( strcmp( "MBEDTLS_X509_CREATE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CREATE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_CREATE_C */
#if defined(MBEDTLS_X509_CRT_WRITE_C)
if( strcmp( "MBEDTLS_X509_CRT_WRITE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_WRITE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_WRITE_C */
#if defined(MBEDTLS_X509_CSR_WRITE_C)
if( strcmp( "MBEDTLS_X509_CSR_WRITE_C", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CSR_WRITE_C );
return( 0 );
}
#endif /* MBEDTLS_X509_CSR_WRITE_C */
#if defined(MBEDTLS_XTEA_C) #if defined(MBEDTLS_XTEA_C)
if( strcmp( "MBEDTLS_XTEA_C", config ) == 0 ) if( strcmp( "MBEDTLS_XTEA_C", config ) == 0 )
{ {

View file

@ -177,6 +177,7 @@ def include_in_full(name):
'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
'MBEDTLS_NO_PLATFORM_ENTROPY', 'MBEDTLS_NO_PLATFORM_ENTROPY',
'MBEDTLS_NO_UDBL_DIVISION', 'MBEDTLS_NO_UDBL_DIVISION',
'MBEDTLS_PKCS11_C',
'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER', 'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER',
'MBEDTLS_PSA_CRYPTO_SE_C', 'MBEDTLS_PSA_CRYPTO_SE_C',
@ -185,6 +186,8 @@ def include_in_full(name):
'MBEDTLS_RSA_NO_CRT', 'MBEDTLS_RSA_NO_CRT',
'MBEDTLS_SHA512_NO_SHA384', 'MBEDTLS_SHA512_NO_SHA384',
'MBEDTLS_TEST_NULL_ENTROPY', 'MBEDTLS_TEST_NULL_ENTROPY',
'MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3',
'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION',
]: ]:
return False return False
if name.endswith('_ALT'): if name.endswith('_ALT'):

View file

@ -39,9 +39,10 @@ my %algs = (
'MBEDTLS_ECP_C' => ['MBEDTLS_ECDSA_C', 'MBEDTLS_ECP_C' => ['MBEDTLS_ECDSA_C',
'MBEDTLS_ECDH_C', 'MBEDTLS_ECDH_C',
'MBEDTLS_ECJPAKE_C'], 'MBEDTLS_ECJPAKE_C'],
'MBEDTLS_PKCS1_V21' => [], 'MBEDTLS_X509_RSASSA_PSS_SUPPORT' => [],
'MBEDTLS_PKCS1_V21' => ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
'MBEDTLS_PKCS1_V15' => [], 'MBEDTLS_PKCS1_V15' => [],
'MBEDTLS_RSA_C' => [], 'MBEDTLS_RSA_C' => ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
); );
system( "cp $config_h $config_h.bak" ) and die; system( "cp $config_h $config_h.bak" ) and die;