From 432e7023b17a907b3381545b6dc8d4837ee00d62 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 11 Apr 2019 18:56:18 +0100 Subject: [PATCH 1/2] Add additional sanity checks to check_config.h Additional sanity checks in check_config.h to ensure: * if test certificates are included (MBEDTLS_CERTS_C) there must be also be support for the core X509 feature (MBEDTLS_X509_USE_C). This has a secondary dependency on the public key abstraction layer (MBEDTLS_PK_C), necessary as the certificates will either be signed by RSA or ECDSA, and therefore need to be part of the library. * if any of the TLS protocols are defined (MBEDTLS_SSL_PROTO_xxx) then a key exchange method must also be defined (MBEDTLS_KEY_EXCHANGE_xxx). Anyone who knows the library will probably not make these mistakes or will quickly diagnose and fix them, but it is possible to compile and link both configurations if you build only the library and not the example programs, and therefore users may not realise immediately that there's a mistake, only discovering it at runtime. These checks may therefore save someone some time. Signed-off-by: Simon Butcher --- include/mbedtls/check_config.h | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index d904d5a7a..fa3caa7c4 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -619,6 +619,23 @@ #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" #endif +#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ + !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ) +#error "One or more versions of the TLS protocol are enabled " \ + "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx" +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) @@ -763,6 +780,10 @@ #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_CERTS_C) && !defined(MBEDTLS_X509_USE_C) +#error "MBEDTLS_CERTS_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) ) #error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites" #endif From 3aa6405007c4ce209495952c067ff03c56a17661 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Fri, 27 Mar 2020 16:55:35 +0000 Subject: [PATCH 2/2] Correct comment on the configuration option in x509.c In x509.c, the self-test code is dependent on MBEDTLS_CERTS_C and MBEDTLS_SHA256_C being enabled. At some point in the recent past that dependency was on MBEDTLS_SHA1_C but changed to SHA256, but the comment wasn't updated. This commit updates the comment. Signed-off-by: Simon Butcher --- library/x509.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509.c b/library/x509.c index 7f8181be2..c451332c2 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1064,7 +1064,7 @@ cleanup: mbedtls_x509_crt_free( &clicert ); #else ((void) verbose); -#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA256_C */ return( ret ); }