Make RSA_ALT support optional
diff --git a/ChangeLog b/ChangeLog
index e40b929..09c5b2f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -46,6 +46,9 @@
* Support for receiving SSLv2 ClientHello is now disabled by default at
compile time.
* The default authmode for SSL/TLS clients is now REQUIRED.
+ * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
+ enabled in the default configuration, this is only noticeable if using a
+ custom config.h
Changes
* Remove test program o_p_test, the script compat.sh does more.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b13790d..52cec1d 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -769,6 +769,15 @@
//#define POLARSSL_MEMORY_BACKTRACE
/**
+ * \def POLARSSL_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define POLARSSL_PK_RSA_ALT_SUPPORT
+
+/**
* \def POLARSSL_PKCS1_V15
*
* Enable support for PKCS#1 v1.5 encoding.
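Review bot: The new doc block for POLARSSL_PK_RSA_ALT_SUPPORT does not say which API disappears when the macro is commented out, or that the option only matters inside the PK module. From the pk.h and pk_wrap.c hunks in this commit, disabling it removes the `pk_rsa_alt_*_func` typedefs, the RSA-alt init declaration and `rsa_alt_info`, and the pk_wrap.c block sits inside the `POLARSSL_PK_C` guard. I would add one line to the comment such as `* Disabling this removes pk_init_ctx_rsa_alt() and the pk_rsa_alt_*_func types; it has no effect unless POLARSSL_PK_C is defined.`, so that someone trimming a custom config.h for an HSM-backed deployment sees the consequence before hitting a link error. No matching entry in the configuration sanity checks is visible in this diff; if one is needed it belongs in the same commit.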
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 8fda581..207d354 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -197,6 +197,7 @@
void * pk_ctx; /**< Underlying public key context */
} pk_context;
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
/**
* \brief Types for RSA-alt abstraction
*/
@@ -208,6 +209,7 @@
int mode, md_type_t md_alg, unsigned int hashlen,
const unsigned char *hash, unsigned char *sig );
typedef size_t (*pk_rsa_alt_key_len_func)( void *ctx );
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */
/**
* \brief Return information associated with the given PK type
@@ -244,6 +246,7 @@
*/
int pk_init_ctx( pk_context *ctx, const pk_info_t *info );
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
/**
* \brief Initialize an RSA-alt context
*
@@ -262,6 +265,7 @@
pk_rsa_alt_decrypt_func decrypt_func,
pk_rsa_alt_sign_func sign_func,
pk_rsa_alt_key_len_func key_len_func );
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */
/**
* \brief Get the size in bits of the underlying key
diff --git a/include/mbedtls/pk_wrap.h b/include/mbedtls/pk_wrap.h
index 3677250..7a7f4fa 100644
--- a/include/mbedtls/pk_wrap.h
+++ b/include/mbedtls/pk_wrap.h
@@ -33,6 +33,7 @@
#include "pk.h"
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
/* Container for RSA-alt */
typedef struct
{
@@ -41,6 +42,7 @@
pk_rsa_alt_sign_func sign_func;
pk_rsa_alt_key_len_func key_len_func;
} rsa_alt_context;
+#endif
#if defined(POLARSSL_RSA_C)
extern const pk_info_t rsa_info;
@@ -55,6 +57,8 @@
extern const pk_info_t ecdsa_info;
#endif
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
extern const pk_info_t rsa_alt_info;
+#endif
#endif /* POLARSSL_PK_WRAP_H */
diff --git a/library/pk.c b/library/pk.c
index f083b86..d147302 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -112,6 +112,7 @@
return( 0 );
}
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
/*
* Initialize an RSA-alt context
*/
@@ -140,6 +141,7 @@
return( 0 );
}
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */
/*
* Tell if a PK can do the operations of the given type
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index d6dea12..994320f 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -50,10 +50,12 @@
#define polarssl_free free
#endif
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
/* Implementation that should never be optimized out by the compiler */
static void polarssl_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
+#endif
#if defined(POLARSSL_RSA_C)
static int rsa_can_do( pk_type_t type )
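Review bot: Wrapping `polarssl_zeroize()` in the RSA_ALT guard ties the file's only scrubbing helper to one optional feature, and nothing in the hunk says why. Presumably its only caller is in the RSA-alt section further down (not visible here) and the guard avoids an unused-function warning; that should be stated, e.g. `/* Only needed by the RSA-alt wrappers; widen this guard if another context type has to wipe key material */`. Otherwise a later change may reach for a plain `memset` that the compiler can drop. The closing line here is also a bare `#endif`, as are the two added in pk_wrap.h, while the rest of the commit writes `#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */`; using the commented form throughout keeps the guards easy to match. The body of `rsa_can_do` continues outside the hunk.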
@@ -377,6 +379,7 @@
};
#endif /* POLARSSL_ECDSA_C */
+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
/*
* Support for alternative RSA-private implementations
*/
@@ -488,4 +491,6 @@
NULL,
};
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */
+
#endif /* POLARSSL_PK_C */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index d82ab2a..3d0df67 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -98,7 +98,7 @@
TEST_ASSERT( pk_check_pair( &pub, &prv ) == ret );
-#if defined(POLARSSL_RSA_C)
+#if defined(POLARSSL_RSA_C) && defined(POLARSSL_PK_RSA_ALT_SUPPORT)
if( pk_get_type( &prv ) == POLARSSL_PK_RSA )
{
TEST_ASSERT( pk_init_ctx_rsa_alt( &alt, pk_rsa( prv ),
@@ -414,7 +414,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:POLARSSL_RSA_C */
+/* BEGIN_CASE depends_on:POLARSSL_RSA_C:POLARSSL_PK_RSA_ALT_SUPPORT */
void pk_rsa_alt( )
{
/*