Merge pull request #5444 from AndrzejKurek/use-psa-crypto-reduced-configs-2.28

Backport 2.28: Resolve problems with reduced configs using USE_PSA_CRYPTO
2025-01-23 18:21:01 +00:00 · 2022-02-02 10:20:35 +01:00 · 2022-02-02 10:20:35 +01:00 · 92d54fb41d
parent b72ecfd5a0 a16ffaf811
commit 92d54fb41d
12 changed files with 591 additions and 508 deletions
--- a/ChangeLog.d/psa_crypto_reduced_configs_bugs.txt
+++ b/ChangeLog.d/psa_crypto_reduced_configs_bugs.txt
@ -0,0 +1,3 @@
+Bugfix
+   * Fix several bugs (warnings, compiler and linker errors, test failures)
+     in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@ -81,6 +81,11 @@
 */
 #define MBEDTLS_SSL_MAX_CONTENT_LEN             1024

+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
+
 #include "mbedtls/check_config.h"

 #endif /* MBEDTLS_CONFIG_H */
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@ -71,6 +71,15 @@
 /* For testing with compat.sh */
 #define MBEDTLS_FS_IO

+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
+
+/* With MBEDTLS_PSA_CRYPTO_C, importing an RSA key requires MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#define MBEDTLS_PK_WRITE_C
+#endif
 #include "mbedtls/check_config.h"

 #endif /* MBEDTLS_CONFIG_H */
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@ -109,6 +109,16 @@
 */
 #define MBEDTLS_SSL_MAX_CONTENT_LEN             1024

+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
+
+/* With USE_PSA_CRYPTO, some PK operations also need PK_WRITE */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#define MBEDTLS_PK_WRITE_C
+#endif
+
 #include "mbedtls/check_config.h"

 #endif /* MBEDTLS_CONFIG_H */
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@ -86,6 +86,11 @@
 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
 #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8

+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
+
 #include "mbedtls/check_config.h"

 #endif /* MBEDTLS_CONFIG_H */
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -623,6 +623,18 @@
 #error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined, but it cannot coexist with MBEDTLS_USE_PSA_CRYPTO."
 #endif

+#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO) && \
+    !defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_ECDSA_C)
+#error "MBEDTLS_PK_C in configuration with MBEDTLS_USE_PSA_CRYPTO and \
+        MBEDTLS_ECDSA_C requires MBEDTLS_PK_WRITE_C to be defined."
+#endif
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V15) && \
+    !defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PSA_CRYPTO_C)
+#error "MBEDTLS_PSA_CRYPTO_C, MBEDTLS_RSA_C and  MBEDTLS_PKCS1_V15 defined, \
+        but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
    !defined(MBEDTLS_OID_C) )
 #error "MBEDTLS_RSA_C defined, but not all prerequisites"
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -681,9 +681,11 @@ int main( int argc, char *argv[] )
    const char *pers = "ssl_client2";

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
    psa_key_id_t slot = 0;
    psa_algorithm_t alg = 0;
    psa_key_attributes_t key_attributes;
+#endif
    psa_status_t status;
 #endif

@ -1415,6 +1417,7 @@ int main( int argc, char *argv[] )
        }

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
        if( opt.psk_opaque != 0 )
        {
            /* Ensure that the chosen ciphersuite is PSK-only; we must know
@ -1436,6 +1439,7 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_SHA512_C */
                alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
        }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
    }

--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -1186,6 +1186,7 @@ static void ssl_async_cancel( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 static psa_status_t psa_setup_psk_key_slot( psa_key_id_t *slot,
                                            psa_algorithm_t alg,
                                            unsigned char *psk,
@ -1208,6 +1209,7 @@ static psa_status_t psa_setup_psk_key_slot( psa_key_id_t *slot,

    return( PSA_SUCCESS );
 }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -2112,6 +2114,7 @@ int main( int argc, char *argv[] )
        }

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
        if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
        {
            /* Ensure that the chosen ciphersuite is PSK-only; we must know
@ -2133,6 +2136,7 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_SHA512_C */
                alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
        }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
    }

--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@ -30,19 +30,24 @@ use strict;
 my %configs = (
    'config-ccm-psk-tls1_2.h' => {
        'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+        'test_again_with_use_psa' => 1
    },
    'config-mini-tls1_1.h' => {
-        'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #'
+        'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #',
+        'test_again_with_use_psa' => 1
    },
    'config-no-entropy.h' => {
    },
    'config-suite-b.h' => {
        'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
+        'test_again_with_use_psa' => 1,
    },
    'config-symmetric-only.h' => {
+        'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
    },
    'config-thread.h' => {
        'opt' => '-f ECJPAKE.*nolog',
+        'test_again_with_use_psa' => 1,
    },
 );

@ -82,18 +87,33 @@ if (!-e "tests/seedfile" || -s "tests/seedfile" < 64) {
    close SEEDFILE or die;
 }

-while( my ($conf, $data) = each %configs ) {
+sub perform_test {
+    my $conf = $_[0];
+    my $data = $_[1];
+    my $test_with_psa = $_[2];
+
    system( "cp $config_h.bak $config_h" ) and die;
    system( "make clean" ) and die;

    print "\n******************************************\n";
    print "* Testing configuration: $conf\n";
+    if ( $test_with_psa )
+    {
+        print "* ENABLING MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO \n";
+    }
    print "******************************************\n";
+
    $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf;

    system( "cp configs/$conf $config_h" )
        and abort "Failed to activate $conf\n";

+    if ( $test_with_psa )
+    {
+        system( "scripts/config.py set MBEDTLS_PSA_CRYPTO_C" );
+        system( "scripts/config.py set MBEDTLS_USE_PSA_CRYPTO" );
+    }
+
    system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf\n";
    system( "make test" ) and abort "Failed test suite: $conf\n";

@ -122,6 +142,15 @@ while( my ($conf, $data) = each %configs ) {
    }
 }

+while( my ($conf, $data) = each %configs ) {
+    my $test_with_psa = $data->{'test_again_with_use_psa'};
+    if ( $test_with_psa )
+    {
+        perform_test( $conf, $data, $test_with_psa );
+    }
+    perform_test( $conf, $data, 0 );
+}
+
 system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
 system( "make clean" );
 exit 0;
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@ -764,6 +764,7 @@ int mbedtls_test_psa_exported_key_sanity_check(
 #endif /* MBEDTLS_ECP_C */

    {
+        (void) exported;
        TEST_ASSERT( ! "Sanity check not implemented for this key type" );
    }

--- a/tests/suites/test_suite_cipher.gcm.data
+++ b/tests/suites/test_suite_cipher.gcm.data
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@ -48,7 +48,7 @@ static int mem_is_char( void *buffer, unsigned char c, size_t size )
    }
    return( 1 );
 }
-
+#if defined(MBEDTLS_ASN1_WRITE_C)
 /* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */
 static int asn1_write_10x( unsigned char **p,
                           unsigned char *start,
@ -132,6 +132,7 @@ static int construct_fake_rsa_key( unsigned char *buffer,
    }
    return( len );
 }
+#endif /* MBEDTLS_ASN1_WRITE_C */

 int exercise_mac_setup( psa_key_type_t key_type,
                        const unsigned char *key_bytes,
@ -503,7 +504,7 @@ exit:
 }
 /* END_CASE */

-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */
 void import_rsa_made_up( int bits_arg, int keypair, int expected_status_arg )
 {
    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;