Use MD_LIGHT rather than md5.h in pem.c
But, for now, still guard things with MBEDTLS_MD5_C, as md.c can only
compute MD5 hashes when MBEDTLS_MD5_C is defined. We'll change the
guards once that has changed.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 4835beb..86a3e16 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -87,6 +87,12 @@
#define MBEDTLS_MD_LIGHT
#endif
+/* Auto-enable MBEDTLS_MD_LIGHT it one module needs it.
+ */
+#if defined(MBEDTLS_PEM_PARSE_C)
+#define MBEDTLS_MD_LIGHT
+#endif
+
/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
* is defined as well to include all PSA code.
*/
diff --git a/library/pem.c b/library/pem.c
index 9f14052..84bbb3d 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -25,7 +25,7 @@
#include "mbedtls/base64.h"
#include "mbedtls/des.h"
#include "mbedtls/aes.h"
-#include "mbedtls/md5.h"
+#include "mbedtls/md.h"
#include "mbedtls/cipher.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@@ -99,26 +99,33 @@
unsigned char *iv,
const unsigned char *pwd, size_t pwdlen)
{
- mbedtls_md5_context md5_ctx;
+ mbedtls_md_context_t md5_ctx;
+ const mbedtls_md_info_t *md5_info;
unsigned char md5sum[16];
size_t use_len;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md5_init(&md5_ctx);
+ mbedtls_md_init(&md5_ctx);
+
+ /* Prepare the context. (setup() errors gracefully on NULL info.) */
+ md5_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
+ if ((ret = mbedtls_md_setup(&md5_ctx, md5_info, 0)) != 0) {
+ goto exit;
+ }
/*
* key[ 0..15] = MD5(pwd || IV)
*/
- if ((ret = mbedtls_md5_starts(&md5_ctx)) != 0) {
+ if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_update(&md5_ctx, pwd, pwdlen)) != 0) {
+ if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_update(&md5_ctx, iv, 8)) != 0) {
+ if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_finish(&md5_ctx, md5sum)) != 0) {
+ if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
goto exit;
}
@@ -132,19 +139,19 @@
/*
* key[16..23] = MD5(key[ 0..15] || pwd || IV])
*/
- if ((ret = mbedtls_md5_starts(&md5_ctx)) != 0) {
+ if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_update(&md5_ctx, md5sum, 16)) != 0) {
+ if ((ret = mbedtls_md_update(&md5_ctx, md5sum, 16)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_update(&md5_ctx, pwd, pwdlen)) != 0) {
+ if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_update(&md5_ctx, iv, 8)) != 0) {
+ if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
goto exit;
}
- if ((ret = mbedtls_md5_finish(&md5_ctx, md5sum)) != 0) {
+ if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
goto exit;
}
@@ -156,7 +163,7 @@
memcpy(key + 16, md5sum, use_len);
exit:
- mbedtls_md5_free(&md5_ctx);
+ mbedtls_md_free(&md5_ctx);
mbedtls_platform_zeroize(md5sum, 16);
return ret;
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index d444cba..2b1a3e9 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2529,8 +2529,9 @@
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
# There's a risk of something getting re-enabled via config_psa.h;
- # make sure it did not happen.
- not grep mbedtls_md library/md.o
+ # make sure it did not happen. Note: it's OK for MD_LIGHT to be enabled,
+ # but not the full MD_C (for now), so check mbedtls_md_hmac for that.
+ not grep mbedtls_md_hmac library/md.o
not grep mbedtls_md5 library/md5.o
not grep mbedtls_sha1 library/sha1.o
not grep mbedtls_sha256 library/sha256.o