eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Properly disable ECDH in only (psk) ephemeral ffdh key exchange components

Browse source 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
This commit is contained in:
Przemek Stekiel 2023-06-15 16:44:08 +02:00
parent a53dca125e
commit ce05f54283
3 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
include/mbedtls/check_config.h
View file

@ -814,14 +814,14 @@
#endif #endif
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
#if !( defined(PSA_WANT_ALG_ECDH) && defined(MBEDTLS_X509_CRT_PARSE_C) && \ #if !( (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && defined(MBEDTLS_X509_CRT_PARSE_C) && \
( defined(MBEDTLS_PK_HAVE_ECDSA) || defined(MBEDTLS_PKCS1_V21) ) ) ( defined(MBEDTLS_PK_HAVE_ECDSA) || defined(MBEDTLS_PKCS1_V21) ) )
#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites" #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites"
#endif #endif
#endif #endif
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
#if !( defined(PSA_WANT_ALG_ECDH) ) #if !( defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) )
#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined, but not all prerequisites" #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined, but not all prerequisites"
#endif #endif
#endif #endif

4
include/mbedtls/mbedtls_config.h
View file

@ -1642,7 +1642,7 @@
* *
* Enable TLS 1.3 ephemeral key exchange mode. * Enable TLS 1.3 ephemeral key exchange mode.
* *
* Requires: PSA_WANT_ALG_ECDH * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH
* MBEDTLS_X509_CRT_PARSE_C * MBEDTLS_X509_CRT_PARSE_C
* and at least one of: * and at least one of:
* MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) * MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA)
@ -1660,7 +1660,7 @@
* *
* Enable TLS 1.3 PSK ephemeral key exchange mode. * Enable TLS 1.3 PSK ephemeral key exchange mode.
* *
* Requires: PSA_WANT_ALG_ECDH * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH
* *
* Comment to disable support for the PSK ephemeral key exchange mode in * Comment to disable support for the PSK ephemeral key exchange mode in
* TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not * TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not

5
tests/scripts/all.sh
View file

@ -3997,7 +3997,8 @@ component_test_tls13_only_ephemeral_ffdh () {
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
scripts/config.py unset MBEDTLS_SSL_EARLY_DATA scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECDH scripts/config.py unset MBEDTLS_ECDH_C
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode"
@ -4038,7 +4039,7 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_PKCS7_C
scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_SSL_EARLY_DATA
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECDH scripts/config.py unset MBEDTLS_ECDH_C
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"