From 018e09872d728f291e32f03dd5fbe0a36ae25269 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Jul 2025 16:16:45 +0200 Subject: [PATCH 1/6] New source file for configuration checks This will be populated in subsequent commits. Signed-off-by: Gilles Peskine --- library/CMakeLists.txt | 1 + library/Makefile | 1 + library/mbedtls_config.c | 9 +++++++++ 3 files changed, 11 insertions(+) create mode 100644 library/mbedtls_config.c diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 451dbfdb7c..0875bb92d9 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -1,5 +1,6 @@ set(src_x509 error.c + mbedtls_config.c pkcs7.c x509.c x509_create.c diff --git a/library/Makefile b/library/Makefile index a880f26171..f8729344b4 100644 --- a/library/Makefile +++ b/library/Makefile @@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS) OBJS_X509= \ + mbedtls_config.o \ x509.o \ x509_create.o \ x509_crl.o \ diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c new file mode 100644 index 0000000000..692dce705f --- /dev/null +++ b/library/mbedtls_config.c @@ -0,0 +1,9 @@ +/* + * Mbed TLS configuration checks + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include From ac637ac9f81c4218b8c2dfffec244e85915f9338 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 21:54:31 +0200 Subject: [PATCH 2/6] Make check_config.h private `check_config.h` only needs to run once on the configuration. It doesn't need to run every time an application is built. It used to be public up to Mbed TLS 2.x because it was included from `config.h`, and users could substitute that file completely and should still include `check_config.h` from their file. But since Mbed TLS 3.x, including `check_config.h` is a purely internal thing (done in `build_info.h`). So make the file itself purely internal. We don't need to include `check_config.h` when building every library file, just one: `mbedtls_config.c`, that's its job. Give the file a unique name, to avoid any clashes with TF-PSA-Crypto's `check_config.h`. Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 2 -- .../mbedtls/check_config.h => library/mbedtls_check_config.h | 0 library/mbedtls_config.c | 4 ++++ 3 files changed, 4 insertions(+), 2 deletions(-) rename include/mbedtls/check_config.h => library/mbedtls_check_config.h (100%) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 534f01658c..c6e89db677 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -85,6 +85,4 @@ */ #define MBEDTLS_CONFIG_IS_FINALIZED -#include "mbedtls/check_config.h" - #endif /* MBEDTLS_BUILD_INFO_H */ diff --git a/include/mbedtls/check_config.h b/library/mbedtls_check_config.h similarity index 100% rename from include/mbedtls/check_config.h rename to library/mbedtls_check_config.h diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c index 692dce705f..679f8e36f9 100644 --- a/library/mbedtls_config.c +++ b/library/mbedtls_config.c @@ -7,3 +7,7 @@ */ #include + +/* Consistency checks in the configuration: check for incompatible options, + * missing options when at least one of a set needs to be enabled, etc. */ +#include "mbedtls_check_config.h" From 1819a915bccedd06783b333311a3fd43c5572b81 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 21:54:50 +0200 Subject: [PATCH 3/6] Include limits.h where needed This will be needed when TF-PSA-Crypto's `build_info.h` stops including `limits.h`, which it currently does by accident because it includes `check_config.h` which wants `limits.h` to check `CHAR_BIT`. Signed-off-by: Gilles Peskine --- library/x509.c | 1 + library/x509_create.c | 1 + library/x509_crt.c | 1 + programs/test/udp_proxy.c | 1 + tests/src/test_helpers/ssl_helpers.c | 2 ++ 5 files changed, 6 insertions(+) diff --git a/library/x509.c b/library/x509.c index f315821fdf..03ca1b72e6 100644 --- a/library/x509.c +++ b/library/x509.c @@ -24,6 +24,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include diff --git a/library/x509_create.c b/library/x509_create.c index 17fc8fbeb5..09ac69d00b 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -14,6 +14,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include "mbedtls/platform.h" diff --git a/library/x509_crt.c b/library/x509_crt.c index 3947eb09aa..7b65b698a3 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -27,6 +27,7 @@ #include "x509_oid.h" #include "mbedtls/platform_util.h" +#include #include #if defined(MBEDTLS_PEM_PARSE_C) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 6e9ebf9a28..c80a3f59fc 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -16,6 +16,7 @@ #include "mbedtls/build_info.h" +#include #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index faa79ffd92..1eca6e496d 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -11,6 +11,8 @@ #include #include "mbedtls/psa_util.h" +#include + #if defined(MBEDTLS_SSL_TLS_C) int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len) { From aca3b5ec79d2cea605de2d8c28d0725e6acec6af Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 23:40:36 +0200 Subject: [PATCH 4/6] Update framework with unittest_config_checks.py Signed-off-by: Gilles Peskine --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index df3307f2b4..87dbfb290f 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit df3307f2b4fe512def60886024f7be8fd1523ccd +Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd From 01def64425c4a1477a2dcf08c473ca18abb293ce Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Apr 2025 18:30:47 +0200 Subject: [PATCH 5/6] Unit tests for check_config.h Ensure that `mbedtls_check_config.h` is taken into account. Signed-off-by: Gilles Peskine --- tests/scripts/components-basic-checks.sh | 3 ++ tests/scripts/test_config_checks.py | 63 ++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100755 tests/scripts/test_config_checks.py diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh index 85731a1710..c7d8161893 100644 --- a/tests/scripts/components-basic-checks.sh +++ b/tests/scripts/components-basic-checks.sh @@ -123,4 +123,7 @@ component_check_test_helpers () { msg "unit test: translate_ciphers.py" python3 -m unittest framework/scripts/translate_ciphers.py 2>&1 + + msg "unit test: generate_config_checks.py" + tests/scripts/test_config_checks.py 2>&1 } diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py new file mode 100755 index 0000000000..540144923e --- /dev/null +++ b/tests/scripts/test_config_checks.py @@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +"""Test the configuration checks generated by generate_config_checks.py. +""" + +## Copyright The Mbed TLS Contributors +## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import unittest + +import scripts_path # pylint: disable=unused-import +from mbedtls_framework import unittest_config_checks + + +class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): + """Mbed TLS unit tests for checks generated by config_checks_generator.""" + + #pylint: disable=invalid-name # uppercase letters make sense here + + PROJECT_CONFIG_C = 'library/mbedtls_config.c' + PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [ + 'tf-psa-crypto/include', + 'tf-psa-crypto/drivers/builtin/include', + ] + + @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.") + def test_crypto_no_fs_io(self) -> None: + """A sample error expected from crypto's check_config.h.""" + self.bad_case('#undef MBEDTLS_FS_IO', + None, + error=('MBEDTLS_PSA_ITS_FILE_C')) + + def test_mbedtls_no_session_tickets_for_early_data(self) -> None: + """An error expected from mbedtls_check_config.h based on the TLS configuration.""" + self.bad_case(None, + ''' + #define MBEDTLS_SSL_EARLY_DATA + #undef MBEDTLS_SSL_SESSION_TICKETS + ''', + error=('MBEDTLS_SSL_EARLY_DATA')) + + def test_mbedtls_no_ecdsa(self) -> None: + """An error expected from mbedtls_check_config.h based on crypto+TLS configuration.""" + self.bad_case(''' + #undef PSA_WANT_ALG_ECDSA + #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA + #undef MBEDTLS_ECDSA_C + ''', + ''' + #if defined(PSA_WANT_ALG_ECDSA) + #error PSA_WANT_ALG_ECDSA unexpected + #endif + #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA) + #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected + #endif + #if defined(MBEDTLS_ECDSA_C) + #error MBEDTLS_ECDSA_C unexpected + #endif + ''', + error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) + + +if __name__ == '__main__': + unittest.main() From fff4b323242f0c2cad2be2de8ee23ab71a7bf066 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 23:44:07 +0200 Subject: [PATCH 6/6] Announce that no longer exists It was already deprecated since 3.0 (although we forgot to announce it in the changelog back then). Signed-off-by: Gilles Peskine --- ChangeLog.d/check_config.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/check_config.txt diff --git a/ChangeLog.d/check_config.txt b/ChangeLog.d/check_config.txt new file mode 100644 index 0000000000..f9f44a4b85 --- /dev/null +++ b/ChangeLog.d/check_config.txt @@ -0,0 +1,5 @@ +Removals + * The header no longer exists. Including it + from a custom config file was no longer needed since Mbed TLS 3.0, + and could lead to spurious errors. The checks that it performed are + now done automatically when building the library.