Add config.h option MBEDTLS_PK_SINGLE_HASH

No effect for now, just declaring it here, implemented in subsequent commits.

The option requires MBEDTLS_USE_TINYCRYPT and is incompatible with
MBEDTLS_PK_RSA_ALT_SUPPORT and MBEDTLS_RSA_C.

Currently users (including the X.509 and SSL libraries) assume that if both PK
and RSA are enabled, then RSA is available through PK. If we allowed RSA to be
enabled together with PK_SINGLE_TYPE, we'd break that assumption. Going
through the code to find all places that rely on that assumption and fix them
would be cumbersome, and people who want PK_SINGLE_TYPE are unlikely to care
about RSA anyway, so let's just make them incompatible.

This is also consistent with what's done in the MD module: MD_SINGLE_HASH
requires that exactly one hash be enabled.
Manuel Pégourié-Gonnard 2019-09-19 10:45:14 +02:00
parent 26b807dae8
commit 1c1cc0d373
6 changed files with 77 additions and 0 deletions


@ -52,7 +52,9 @@
#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID MBEDTLS_MD_SHA256
#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID MBEDTLS_SSL_HASH_SHA256
/* Harcoded options in abstraction layers */
#define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
#define MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
/* Key exchanges */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED


@ -853,6 +853,18 @@
#undef MBEDTLS_HASHES_ENABLED
#endif /* MBEDTLS_MD_SINGLE_HASH */
#if defined(MBEDTLS_PK_SINGLE_TYPE) && !defined(MBEDTLS_USE_TINYCRYPT)
#error "MBEDTLS_PK_SINGLE_TYPE can only be used with MBEDTLS_USE_TINYCRYPT"
#endif
#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_PK_RSA_ALT_SUPPORT"
#endif
#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_RSA_C)
#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_RSA_C"
#endif
#if defined(MBEDTLS_THREADING_ALT)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
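Review bot: The three new `#error` guards for MBEDTLS_PK_SINGLE_TYPE carry no comment saying why RSA is rejected, so the rationale lives only in the commit message. A short comment above the MBEDTLS_RSA_C check would keep a later maintainer from relaxing it, for example `/* PK users assume RSA is reachable through PK whenever both are enabled; single-type PK breaks that */`. The guards also do not check that the macro's value is MBEDTLS_PK_INFO_ECKEY, the only value the option's documentation in this commit describes as supported; whether another value fails cleanly later in the build is not visible here.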


@ -3840,6 +3840,17 @@
*/
//#define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
/* Enable support for a single PK type in the PK layer.
*
* This is mainly intented to reduce code size on highly constrained system
* with large control over the set of algorithms they need to support. It will
* also reduce dynamic memory allocation.
*
* Currently this is only supported with EC keys in conjunction with the
* MBEDTLS_USE_TINYCRYPT option. Set this to MBEDTLS_PK_INFO_ECKEY to enable.
*/
//#define MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
/* \} SECTION: Compile-time SSL configuration */
/* Target and application specific configurations
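Review bot: The new option comment names the MBEDTLS_USE_TINYCRYPT requirement but not the two exclusions that the configuration checks in this same commit enforce, so a user learns about them only from a build error. I would add a line such as `* Incompatible with MBEDTLS_RSA_C and MBEDTLS_PK_RSA_ALT_SUPPORT.` before the closing `*/`. The word `intented` in the first paragraph should read `intended`.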


@ -33,6 +33,9 @@
#include "pk.h"
/* Dummy definition to keep check-names.sh happy - don't uncomment */
//#define MBEDTLS_PK_INFO_ECKEY
struct mbedtls_pk_info_t
{
/** Public key type */


@ -2922,6 +2922,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_MD_SINGLE_HASH */
#if defined(MBEDTLS_PK_SINGLE_TYPE)
if( strcmp( "MBEDTLS_PK_SINGLE_TYPE", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_PK_SINGLE_TYPE );
return( 0 );
}
#endif /* MBEDTLS_PK_SINGLE_TYPE */
/* If the symbol is not found, return an error */
return( 1 );
}


@ -1494,6 +1494,47 @@ component_test_default_tinycrypt_without_legacy_ecc () {
if_build_succeeded tests/compat.sh -f 'ECDHE-ECDSA\|ECDHE-PSK\|ECDH-ECDSA'
}
component_test_hardcoded_pk_type () {
msg "build: default config + single PK type harcoded (tinycrypt)"
# need to enable tinycrypt first - copied from tinycrypt component
scripts/config.pl set MBEDTLS_USE_TINYCRYPT
scripts/config.pl set MBEDTLS_SSL_CONF_RNG rng_wrap
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_UECC_GRP_ID MBEDTLS_UECC_DP_SECP256R1
scripts/config.pl unset MBEDTLS_ECP_C
scripts/config.pl unset MBEDTLS_ECDH_C
scripts/config.pl unset MBEDTLS_ECDSA_C
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP192R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP224R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP256R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP384R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP521R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_BP256R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_BP384R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_BP512R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP192K1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP224K1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP256K1_ENABLED
# now single-PK specific configs
scripts/config.pl set MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
scripts/config.pl unset MBEDTLS_PK_RSA_ALT_SUPPORT
scripts/config.pl unset MBEDTLS_RSA_C
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
scripts/config.pl unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
make CFLAGS='-Werror -O1'
msg "test: default config + single PK type harcoded (tinycrypt)"
make test
if_build_succeeded tests/ssl-opt.sh -f '^Default, DTLS$'
}
component_test_baremetal () {
msg "build: lib+test+programs for baremetal.h + baremetal_test.h"
record_status scripts/baremetal.sh --ram --build-only
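Review bot: The tinycrypt set-up at the top of `component_test_hardcoded_pk_type` is a copy of another component's block (its own comment says so), and the two lists will drift the first time one of them gains or loses an option. Moving the shared `scripts/config.pl` calls into one helper function that both components call would keep the single-PK build testing the same tinycrypt baseline. Separately, the only SSL run is `tests/ssl-opt.sh -f '^Default, DTLS$'`. A comment saying why that single case is enough would help when the implementation lands, since the commit message says the option has no effect yet.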