commit 8c95ac45004a9421141e4963d5045137fd2fbfd7
author Andrzej Kurek <andrzej.kurek@arm.com> Wed Aug 17 16:17:00 2022 -0400
committer Andrzej Kurek <andrzej.kurek@arm.com> Mon Aug 22 17:46:50 2022 -0400
tree 260b9f31b784a6dae5b8396249fbb773a97fa8e1
parent 7bb8bab45740e17cd2985a48762a011ce5e30df6

Add missing dependencies / alternatives

A number of places lacked the necessary dependencies on one of
the used features: MD, key exchange with certificate, 
entropy, or ETM.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 873b2f4..361dc8b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7810,8 +7810,11 @@
         }
 
         if( ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) ||
-            ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) &&
-              ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) ) )
+            ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+              && ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
+#endif
+            ) )
             /* mbedtls_ct_hmac() requires the key to be exportable */
             psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
                                                   PSA_KEY_USAGE_VERIFY_HASH );

programs/fuzz/fuzz_privkey.c

diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index e8e1d44..56795d2 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -16,7 +16,7 @@
 #endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C)
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C)
     int ret;
     mbedtls_pk_context pk;
     mbedtls_ctr_drbg_context ctr_drbg;
@@ -88,7 +88,7 @@
 #else
     (void) Data;
     (void) Size;
-#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
+#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_ENTROPY_C
 
     return 0;
 }

programs/ssl/ssl_client2.c

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index e8b8b1e..c0c525e 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1789,6 +1789,7 @@
     }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
     /* The default algorithms profile disables SHA-1, but our tests still
        rely on it heavily. */
     if( opt.allow_sha1 > 0 )
@@ -1797,11 +1798,11 @@
         mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
         mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
     }
-
     if( opt.context_crt_cb == 0 )
         mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
 
     memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
+#endif
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)

programs/ssl/ssl_context_info.c

diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c
index 19054eb..24d4b6a 100644
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@@ -645,7 +645,7 @@
         {
             printf( "\tcipher         : %s\n", cipher_info->name );
         }
-
+#if defined(MBEDTLS_MD_C)
         md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
         if( md_info == NULL )
         {
@@ -655,6 +655,7 @@
         {
             printf( "\tMessage-Digest : %s\n", mbedtls_md_get_name( md_info ) );
         }
+#endif
     }
 
     CHECK_SSL_END( 1 );

programs/ssl/ssl_server2.c

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 67b6ca2..c592df2 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2753,6 +2753,7 @@
     }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
     /* The default algorithms profile disables SHA-1, but our tests still
        rely on it heavily. Hence we allow it here. A real-world server
        should use the default profile unless there is a good reason not to. */
@@ -2762,6 +2763,7 @@
         mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
         mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
     }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
     if( opt.auth_mode != DFL_AUTH_MODE )

tests/suites/test_suite_ssl.function

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 97fb2dc..c83e63c 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -4023,10 +4023,12 @@
     size_t plaintext_len, block_size, i;
     unsigned char padlen; /* excluding the padding_length byte */
     unsigned char add_data[13];
-    unsigned char mac[MBEDTLS_MD_MAX_SIZE];
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
     size_t sign_mac_length = 0;
+    unsigned char mac[PSA_HASH_MAX_SIZE];
+#else
+    unsigned char mac[MBEDTLS_MD_MAX_SIZE];
 #endif
     int exp_ret;
     int ret;
@@ -4120,7 +4122,7 @@
                                              rec.buf + rec.data_offset,
                                              rec.data_len ) );
     TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_finish( &operation,
-                                                  mac, MBEDTLS_MD_MAX_SIZE,
+                                                  mac, sizeof(mac),
                                                   &sign_mac_length ) );
 #else
     TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );