Add missing dependencies / alternatives

A number of places lacked the necessary dependencies on one of the used features: MD, key exchange with certificate, entropy, or ETM. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-08-17 16:17:00 -04:00 · 2022-08-17 16:17:00 -04:00 · 8c95ac4500
commit 8c95ac4500
parent 7bb8bab457
6 changed files with 17 additions and 8 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -7810,8 +7810,11 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
        }

        if( ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) ||
-            ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) &&
-              ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) ) )
+            ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+              && ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
+#endif
+            ) )
            /* mbedtls_ct_hmac() requires the key to be exportable */
            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
                                                  PSA_KEY_USAGE_VERIFY_HASH );
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@ -16,7 +16,7 @@ const char *pers = "fuzz_privkey";
 #endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C

 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C)
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C)
    int ret;
    mbedtls_pk_context pk;
    mbedtls_ctr_drbg_context ctr_drbg;
@ -88,7 +88,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #else
    (void) Data;
    (void) Size;
-#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
+#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_ENTROPY_C

    return 0;
 }
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1789,6 +1789,7 @@ int main( int argc, char *argv[] )
    }

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /* The default algorithms profile disables SHA-1, but our tests still
       rely on it heavily. */
    if( opt.allow_sha1 > 0 )
@ -1797,11 +1798,11 @@ int main( int argc, char *argv[] )
        mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
        mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
    }
-
    if( opt.context_crt_cb == 0 )
        mbedtls_ssl_conf_verify( &conf, my_verify, NULL );

    memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
+#endif
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@ -645,7 +645,7 @@ void print_deserialized_ssl_session( const uint8_t *ssl, uint32_t len,
        {
            printf( "\tcipher         : %s\n", cipher_info->name );
        }
-
+#if defined(MBEDTLS_MD_C)
        md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
        if( md_info == NULL )
        {
@ -655,6 +655,7 @@ void print_deserialized_ssl_session( const uint8_t *ssl, uint32_t len,
        {
            printf( "\tMessage-Digest : %s\n", mbedtls_md_get_name( md_info ) );
        }
+#endif
    }

    CHECK_SSL_END( 1 );
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -2753,6 +2753,7 @@ int main( int argc, char *argv[] )
    }

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /* The default algorithms profile disables SHA-1, but our tests still
       rely on it heavily. Hence we allow it here. A real-world server
       should use the default profile unless there is a good reason not to. */
@ -2762,6 +2763,7 @@ int main( int argc, char *argv[] )
        mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
        mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
    }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

    if( opt.auth_mode != DFL_AUTH_MODE )
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -4023,10 +4023,12 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
    size_t plaintext_len, block_size, i;
    unsigned char padlen; /* excluding the padding_length byte */
    unsigned char add_data[13];
-    unsigned char mac[MBEDTLS_MD_MAX_SIZE];
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
    size_t sign_mac_length = 0;
+    unsigned char mac[PSA_HASH_MAX_SIZE];
+#else
+    unsigned char mac[MBEDTLS_MD_MAX_SIZE];
 #endif
    int exp_ret;
    int ret;
@ -4120,7 +4122,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
                                             rec.buf + rec.data_offset,
                                             rec.data_len ) );
    TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_finish( &operation,
-                                                  mac, MBEDTLS_MD_MAX_SIZE,
+                                                  mac, sizeof(mac),
                                                  &sign_mac_length ) );
 #else
    TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );