From 8cd1da4b73009794a5cf5102855d63e1f70f5b7e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 May 2023 23:18:41 +0200 Subject: [PATCH 1/6] Remove spurious extern "C" This header only contains preprocessor definitions. They are not affected by extern "C". Signed-off-by: Gilles Peskine --- include/mbedtls/config_psa.h | 8 -------- 1 file changed, 8 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 303758f03e..9823fa3986 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -44,10 +44,6 @@ #include "psa/crypto_legacy.h" -#ifdef __cplusplus -extern "C" { -#endif - /****************************************************************/ @@ -1074,8 +1070,4 @@ extern "C" { #define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 -#ifdef __cplusplus -} -#endif - #endif /* MBEDTLS_CONFIG_PSA_H */ From a458d48e7f185dcc727f81e86f557f23a12b0e24 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 May 2023 23:13:06 +0200 Subject: [PATCH 2/6] Move the inclusion of the PSA config file(s) into build_info.h They belong here, next to the inclusion of the mbedtls config file. We only put them in config_psa.h in Mbed TLS 2.x because there was no build_info.h we could use. Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 14 ++++++++++++++ include/mbedtls/config_psa.h | 12 ------------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 985edd2336..b54b9baa80 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -59,6 +59,7 @@ #define inline __inline #endif +/* X.509, TLS and non-PSA crypto configuration */ #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" #else @@ -80,6 +81,19 @@ #include MBEDTLS_USER_CONFIG_FILE #endif +/* PSA crypto configuration */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) +#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE +#else +#include "psa/crypto_config.h" +#endif +#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ + +#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) +#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE +#endif + /* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined * to ensure a 128-bit key size in CTR_DRBG. diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 9823fa3986..3b30c02776 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -30,18 +30,6 @@ #ifndef MBEDTLS_CONFIG_PSA_H #define MBEDTLS_CONFIG_PSA_H -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) -#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE -#else -#include "psa/crypto_config.h" -#endif -#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ - -#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) -#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE -#endif - #include "psa/crypto_legacy.h" From 7b7ecf5e0d42537f5f5deb93eb5ce278ecd6a8f1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 May 2023 23:15:31 +0200 Subject: [PATCH 3/6] Fix condition to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when MBEDTLS_PSA_CRYPTO_CONFIG is disabled. This didn't make sense and was an editorial mistake when adding it: it's meant as an addition to MBEDTLS_PSA_CRYPTO_CONFIG_FILE, so it should be included under the same conditions. Signed-off-by: Gilles Peskine --- ChangeLog.d/psa_crypto_user_config_file.txt | 3 +++ include/mbedtls/build_info.h | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 ChangeLog.d/psa_crypto_user_config_file.txt diff --git a/ChangeLog.d/psa_crypto_user_config_file.txt b/ChangeLog.d/psa_crypto_user_config_file.txt new file mode 100644 index 0000000000..f538f47072 --- /dev/null +++ b/ChangeLog.d/psa_crypto_user_config_file.txt @@ -0,0 +1,3 @@ +Bugfix + * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when + MBEDTLS_PSA_CRYPTO_CONFIG is disabled. diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index b54b9baa80..c0424da82f 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -88,11 +88,10 @@ #else #include "psa/crypto_config.h" #endif -#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ - #if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) #include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE #endif +#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ /* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined From 44243e11ffd47df0ff6e15c0a17a448cde3de954 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 May 2023 19:39:11 +0200 Subject: [PATCH 4/6] Remove obsolete header inclusions Since 3.0.0, mbedtls_config.h (formerly config.h) no longer needs to include config_psa.h or check_config.h: build_info.h takes care of that. Signed-off-by: Gilles Peskine --- tests/include/test/drivers/config_test_driver.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/include/test/drivers/config_test_driver.h b/tests/include/test/drivers/config_test_driver.h index 2585fd9f05..81f988339a 100644 --- a/tests/include/test/drivers/config_test_driver.h +++ b/tests/include/test/drivers/config_test_driver.h @@ -53,7 +53,4 @@ //#define MBEDTLS_PEM_PARSE_C //#define MBEDTLS_BASE64_C -#include "mbedtls/config_psa.h" -#include "mbedtls/check_config.h" - #endif /* MBEDTLS_CONFIG_H */ From 9af413bcc5294de8810aca03ecff452f5f695edc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 May 2023 20:12:44 +0200 Subject: [PATCH 5/6] Don't try to include mbedtls/config_*.h They're included by build_info.h and must not be included directly. Currently, this only concerns one file: config_psa.h. It's technically a bug to include it, but a harmless one because that header has already been included by build_info.h except in configurations where it effectively had no effect (enabling PSA options with PSA turned off). We plan to split config_psa.h into multiple headers that are less independent, which could make the inclusion more problematic. Signed-off-by: Gilles Peskine --- programs/test/generate_cpp_dummy_build.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/test/generate_cpp_dummy_build.sh b/programs/test/generate_cpp_dummy_build.sh index 94e911515d..2541683318 100755 --- a/programs/test/generate_cpp_dummy_build.sh +++ b/programs/test/generate_cpp_dummy_build.sh @@ -63,6 +63,7 @@ EOF for header in include/mbedtls/*.h include/psa/*.h; do case ${header#include/} in mbedtls/mbedtls_config.h) :;; # not meant for direct inclusion + mbedtls/config_*.h) :;; # not meant for direct inclusion psa/crypto_config.h) :;; # not meant for direct inclusion # Some of the psa/crypto_*.h headers are not meant to be included # directly. They do have include guards that make them no-ops if From ea4fc97cd01fdbeb76bb25dce9666f29c1bb64ce Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 May 2023 12:18:08 +0200 Subject: [PATCH 6/6] Restore a comment and fix it aca31654e6e96c76b073e0ffedb6ae53c9e4f4c7 removed a sentence with copypasta refering to PBKDF2 instead of XTS. Restore that comment but fix the copypasta. Signed-off-by: Gilles Peskine --- include/psa/crypto_config.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index af78dce177..d8e8e19d0a 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -92,7 +92,8 @@ #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 -/* Note: when adding support, also adjust include/mbedtls/config_psa.h */ +/* XTS is not yet supported via the PSA API in Mbed TLS. + * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_XTS 1 #define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1