From 45bcb6aac847645439f35416bf229e709a963a5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 10 Mar 2023 11:40:48 +0100 Subject: [PATCH] Fix dependencies of 1.2 ECDSA key exchanges MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Having ECDSA in PSA doesn't help if we're not using PSA from TLS 1.2... Also, move the definition of PSA_HAVE_FULL_ECDSA outside the MBEDTLS_PSA_CRYPTO_CONFIG guards so that it is available in all cases. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 20 +++++++++++++++++--- include/mbedtls/config_psa.h | 10 +++++----- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 2e02e9a5c..7b1c70cb0 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -279,9 +279,20 @@ #error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites" #endif +/* Helper for ECDSA dependencies, will be undefined at the end of the file */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(PSA_HAVE_FULL_ECDSA) +#define MBEDTLS_PK_HAVE_ECDSA +#endif +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_ECDSA_C) +#define MBEDTLS_PK_HAVE_ECDSA +#endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \ ( !defined(MBEDTLS_ECDH_C) || \ - !(defined(MBEDTLS_ECDSA_C) || defined(PSA_HAVE_FULL_ECDSA)) || \ + !defined(MBEDTLS_PK_HAVE_ECDSA) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) ) #error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites" #endif @@ -313,9 +324,9 @@ #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ ( !defined(MBEDTLS_ECDH_C) || \ - !(defined(MBEDTLS_ECDSA_C) || defined(PSA_HAVE_FULL_ECDSA)) || \ + !defined(MBEDTLS_PK_HAVE_ECDSA) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) ) #error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites" #endif @@ -1068,6 +1079,9 @@ #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif +/* Undefine helper symbols */ +#undef MBEDTLS_PK_HAVE_ECDSA + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 77cb1a9e1..568d8c2bf 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -310,11 +310,6 @@ extern "C" { #define PSA_HAVE_SOFT_BLOCK_AEAD 1 #endif -#if defined(PSA_WANT_ALG_ECDSA) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \ - defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) -#define PSA_HAVE_FULL_ECDSA 1 -#endif - #if defined(PSA_WANT_KEY_TYPE_AES) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) #define PSA_HAVE_SOFT_KEY_TYPE_AES 1 @@ -848,6 +843,11 @@ extern "C" { #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ +#if defined(PSA_WANT_ALG_ECDSA) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \ + defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +#define PSA_HAVE_FULL_ECDSA 1 +#endif + /* These features are always enabled. */ #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_PASSWORD 1