From 5a51d0d789ee2d5b2e702e07bc09c389b94ae434 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 22 Mar 2023 13:04:08 +0100
Subject: [PATCH] Fix depends.py failure with correct TLS 1.2 deps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TLS 1.2 has never been able to work with only SHA-512, it just happened to pass previously because the declared dependencies were too lax. (Probably related to the fact that in the past we didn't distinguish between SHA-512 and SHA-384 in dependencies.) So, just disable all of TLS in SHA-512-only builds. While at it, tune build_info.h to make this easier - it already had partial support for disabling TLS 1.2 or TLS 1.3 in an easier way, but not both of them at the same time.

Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/build_info.h | 24 ++++++++++++++++++++++++
 tests/scripts/depends.py | 2 +-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 949b1152a6..fd61bca6fb 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -121,7 +121,31 @@
 #define MBEDTLS_PK_PARSE_C
 #endif
 
+/* The following blocks make it easier to disable all of TLS,
+ * or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all
+ * key and extensions related to them. */
+
+#if !defined(MBEDTLS_SSL_TLS_C)
+#undef MBEDTLS_SSL_CLI_C
+#undef MBEDTLS_SSL_SRV_C
+#undef MBEDTLS_SSL_PROTO_TLS1_3
+#undef MBEDTLS_SSL_PROTO_TLS1_2
+#undef MBEDTLS_SSL_PROTO_DTLS
+#endif
+
+#if !defined(MBEDTLS_SSL_PROTO_DTLS)
+#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#undef MBEDTLS_SSL_DTLS_SRTP
+#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#endif
+
 #if !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#undef MBEDTLS_SSL_RENEGOTIATION
 #undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 581baad9a3..b29ea0aa61 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -277,7 +277,7 @@ REVERSE_DEPENDENCIES = {
 # if a given define is the only one enabled from an exclusive group.
 EXCLUSIVE_GROUPS = {
     'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C',
-                         '-MBEDTLS_SSL_PROTO_TLS1_3'],
+                         '-MBEDTLS_SSL_TLS_C'],
     'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['-MBEDTLS_ECDSA_C',
                                         '-MBEDTLS_ECDSA_DETERMINISTIC',
                                         '-MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
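Review bot: The new `#if !defined(MBEDTLS_SSL_PROTO_DTLS)` block is placed before the `#if !defined(MBEDTLS_SSL_PROTO_TLS1_2)` block, so a configuration that turns off TLS 1.2 while leaving `MBEDTLS_SSL_PROTO_DTLS` set keeps every DTLS option defined; if DTLS requires TLS 1.2 in this tree (the check in check_config.h should be confirmed), that case is not cleaned up by the cascade and will still be reported later. Adding `#undef MBEDTLS_SSL_PROTO_DTLS` to the TLS 1.2 block and moving the DTLS block after it would close that gap; note the TLS 1.2 block continues past the end of the hunk. The leading comment reads `all key and extensions related to them`, which looks like it is missing a word — presumably `all key exchanges and extensions related to them`. Because these `#undef`s silently drop options a user enabled in their config rather than flagging the conflict, the comment could state that explicitly, e.g. `Options that are meaningless without the protocol are undefined here rather than reported as errors.`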
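Review bot: The replacement entry `'-MBEDTLS_SSL_TLS_C'` carries no explanation of why a SHA-512-only build must drop all of TLS; the rationale (TLS 1.2 cannot work with SHA-512 as the only hash, so neither protocol version can be exercised) lives only in the commit message, and a reader of `EXCLUSIVE_GROUPS` would otherwise wonder why the narrower `-MBEDTLS_SSL_PROTO_TLS1_3` exclusion was widened. A one-line comment above the entry keeps that with the code, e.g. `# TLS 1.2 cannot run with SHA-512 as the only hash, so drop all of TLS.` Keeping `'-MBEDTLS_SSL_COOKIE_C'` alongside it looks right, since the build_info.h hunk does not undefine `MBEDTLS_SSL_COOKIE_C` when `MBEDTLS_SSL_TLS_C` is off. The `EXCLUSIVE_GROUPS` dict continues past the end of the hunk.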