Merge pull request #9540 from eleuzi01/replace-sha1
Replace MBEDTLS_MD_CAN_SHA1 with PSA_WANT_ALG_SHA_1
davidhorstmann-arm authored Sep 5, 2024
2 parents 1d98d9d + 9fc5be0 commit 924c1a3
Showing 42 changed files with 1,064 additions and 1,066 deletions.
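--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -347,14 +347,14 @@
 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
 !defined(MBEDTLS_MD_CAN_SHA256) && \
 !defined(MBEDTLS_MD_CAN_SHA512) && \
-!defined(MBEDTLS_MD_CAN_SHA1)
+!defined(PSA_WANT_ALG_SHA_1)
 #error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires SHA-512, SHA-256 or SHA-1".
 #endif
 
 #if defined(MBEDTLS_MD_C) && \
 !defined(MBEDTLS_MD_CAN_MD5) && \
 !defined(MBEDTLS_MD_CAN_RIPEMD160) && \
-!defined(MBEDTLS_MD_CAN_SHA1) && \
+!defined(PSA_WANT_ALG_SHA_1) && \
 !defined(MBEDTLS_MD_CAN_SHA224) && \
 !defined(MBEDTLS_MD_CAN_SHA256) && \
 !defined(MBEDTLS_MD_CAN_SHA384) && \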
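--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -109,7 +109,6 @@
 #define MBEDTLS_MD_SOME_PSA
 #endif
 #if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
-#define MBEDTLS_MD_CAN_SHA1
 #define MBEDTLS_MD_SHA1_VIA_PSA
 #define MBEDTLS_MD_SOME_PSA
 #endif
@@ -166,7 +165,6 @@
 #define MBEDTLS_MD_SOME_LEGACY
 #endif
 #if defined(MBEDTLS_SHA1_C)
-#define MBEDTLS_MD_CAN_SHA1
 #define MBEDTLS_MD_SOME_LEGACY
 #endif
 #if defined(MBEDTLS_SHA224_C)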
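Review bot: With `#define MBEDTLS_MD_CAN_SHA1` dropped from both the MBEDTLS_PSA_ACCEL_ALG_SHA_1 and the MBEDTLS_SHA1_C branches, any guard still written as `#if defined(MBEDTLS_MD_CAN_SHA1)` now evaluates false without a diagnostic, so SHA-1-dependent code or test cases would be compiled out silently instead of breaking the build. This page renders only part of the 42 changed files, so complete conversion cannot be confirmed from here; a CI grep for the old name would settle it. The replacement guards are equivalent only if PSA_WANT_ALG_SHA_1 is defined whenever either of these two branches is taken, which these hunks do not show. A short marker in the MBEDTLS_SHA1_C branch would help downstream readers: `/* MBEDTLS_MD_CAN_SHA1 is no longer defined; test PSA_WANT_ALG_SHA_1 instead. */`.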
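--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1159,7 +1159,7 @@ typedef void mbedtls_ssl_async_cancel_t(mbedtls_ssl_context *ssl);
 #elif defined(PSA_WANT_ALG_SHA_384)
 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384
 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 48
-#elif defined(MBEDTLS_MD_CAN_SHA1)
+#elif defined(PSA_WANT_ALG_SHA_1)
 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1
 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 20
 #else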
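Review bot: The `#elif defined(PSA_WANT_ALG_SHA_1)` branch selects MBEDTLS_MD_SHA1 as the default peer-certificate digest with no comment marking it as a last-resort fallback. SHA-1 is not collision-resistant, and the check_config.h error text on this page ties this digest to builds without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so a configuration that lands here identifies the peer certificate by a weak hash. A comment above the branch would make that visible to integrators: `/* Last resort: SHA-1 is collision-weak; enable a SHA-2 algorithm to avoid this default. */`. The #if chain begins and ends outside the hunk, so the ordering of the earlier branches is inferred from the visible SHA-384 branch only.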
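--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -1090,7 +1090,7 @@ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
 int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
 int is_ca, int max_pathlen);
 
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 /**
 * \brief Set the subjectKeyIdentifier extension for a CRT
 * Requires that mbedtls_x509write_crt_set_subject_key() has been
@@ -1112,7 +1112,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx
 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
 */
 int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx);
-#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* PSA_WANT_ALG_SHA_1 */
 
 /**
 * \brief Set the Key Usage Extension flags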
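Review bot: The visible doc comments for `mbedtls_x509write_crt_set_subject_key_identifier()` and `mbedtls_x509write_crt_set_authority_key_identifier()` do not say that both declarations exist only when PSA_WANT_ALG_SHA_1 is enabled. A caller who disables SHA-1 gets an undeclared-function error with no pointer to the cause. Adding `\note This function is only available when PSA_WANT_ALG_SHA_1 is enabled.` to each block would document the dependency that the changed `#if` now encodes. Both doc blocks continue outside the hunks, so such a note may already exist in the hidden lines.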
82 changes: 41 additions & 41 deletions library/ssl_ciphersuites.c

Large diffs are not rendered by default.

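--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -26,7 +26,7 @@
 #include "mbedtls/md5.h"
 #endif
 
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 #include "mbedtls/sha1.h"
 #endif
 
@@ -2557,7 +2557,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
 break;
 #endif
 
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 case MBEDTLS_SSL_HASH_SHA1:
 break;
 #endif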
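--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6113,7 +6113,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
 case MBEDTLS_SSL_HASH_MD5:
 return MBEDTLS_MD_MD5;
 #endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 case MBEDTLS_SSL_HASH_SHA1:
 return MBEDTLS_MD_SHA1;
 #endif
@@ -6148,7 +6148,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg(int md)
 case MBEDTLS_MD_MD5:
 return MBEDTLS_SSL_HASH_MD5;
 #endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 case MBEDTLS_MD_SHA1:
 return MBEDTLS_SSL_HASH_SHA1;
 #endif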
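--- a/library/x509.c
+++ b/library/x509.c
@@ -133,7 +133,7 @@ static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
 case MBEDTLS_MD_MD5:
 return "MD5";
 #endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 case MBEDTLS_MD_SHA1:
 return "SHA1";
 #endif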
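--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -195,7 +195,7 @@ int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
 is_ca, buf + sizeof(buf) - len, len);
 }
 
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
 int is_ca,
 unsigned char tag)
@@ -280,7 +280,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *c
 1,
 (MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0));
 }
-#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* PSA_WANT_ALG_SHA_1 */
 
 int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
 unsigned int key_usage)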
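--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -307,7 +307,7 @@ uint16_t ssl_sig_algs_for_test[] = {
 #if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
 #endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 /* Allow SHA-1 as we use it extensively in tests. */
 MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1)
 #endif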
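--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -880,7 +880,7 @@ int main(int argc, char *argv[])
 mbedtls_printf(" ok\n");
 }
 
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 if (opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
 opt.subject_identifier != 0) {
 mbedtls_printf(" . Adding the Subject Key Identifier ...");
@@ -914,7 +914,7 @@ int main(int argc, char *argv[])
 
 mbedtls_printf(" ok\n");
 }
-#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* PSA_WANT_ALG_SHA_1 */
 
 if (opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
 opt.key_usage != 0) {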
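--- a/tests/src/certs.c
+++ b/tests/src/certs.c
@@ -406,7 +406,7 @@ const size_t mbedtls_test_cli_crt_len =
 
 /* List of CAs in PEM or DER, depending on config */
 const char *mbedtls_test_cas[] = {
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_1)
 mbedtls_test_ca_crt_rsa_sha1,
 #endif
 #if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
@@ -418,7 +418,7 @@ const char *mbedtls_test_cas[] = {
 NULL
 };
 const size_t mbedtls_test_cas_len[] = {
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_1)
 sizeof(mbedtls_test_ca_crt_rsa_sha1),
 #endif
 #if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
@@ -436,9 +436,9 @@ const unsigned char *mbedtls_test_cas_der[] = {
 #if defined(PSA_WANT_ALG_SHA_256)
 mbedtls_test_ca_crt_rsa_sha256_der,
 #endif /* PSA_WANT_ALG_SHA_256 */
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 mbedtls_test_ca_crt_rsa_sha1_der,
-#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* PSA_WANT_ALG_SHA_1 */
 #endif /* MBEDTLS_RSA_C */
 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
 mbedtls_test_ca_crt_ec_der,
@@ -451,9 +451,9 @@ const size_t mbedtls_test_cas_der_len[] = {
 #if defined(PSA_WANT_ALG_SHA_256)
 sizeof(mbedtls_test_ca_crt_rsa_sha256_der),
 #endif /* PSA_WANT_ALG_SHA_256 */
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 sizeof(mbedtls_test_ca_crt_rsa_sha1_der),
-#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* PSA_WANT_ALG_SHA_1 */
 #endif /* MBEDTLS_RSA_C */
 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
 sizeof(mbedtls_test_ca_crt_ec_der),
@@ -468,9 +468,9 @@ const char mbedtls_test_cas_pem[] =
 #if defined(PSA_WANT_ALG_SHA_256)
 TEST_CA_CRT_RSA_SHA256_PEM
 #endif /* PSA_WANT_ALG_SHA_256 */
-#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(PSA_WANT_ALG_SHA_1)
 TEST_CA_CRT_RSA_SHA1_PEM
-#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* PSA_WANT_ALG_SHA_1 */
 #endif /* MBEDTLS_RSA_C */
 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
 TEST_CA_CRT_EC_PEM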
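--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
@@ -59,7 +59,7 @@ Debug print mbedtls_mpi: 764 bits #2
 mbedtls_debug_print_mpi:"0000000000000000000000000000000000000000000000000000000941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"
 
 Debug print certificate #1 (RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO
 mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n"
 
 Debug print certificate #2 (EC)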
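--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -3,7 +3,7 @@ depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
 pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
 
 PKCS7 Signed Data Parse Pass SHA1 #2
-depends_on:MBEDTLS_MD_CAN_SHA1:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
+depends_on:PSA_WANT_ALG_SHA_1:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
 pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA
 
 PKCS7 Signed Data Parse Pass Without CERT #3
@@ -71,11 +71,11 @@ depends_on:PSA_WANT_ALG_SHA_256
 pkcs7_parse:"../framework/data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
 
 PKCS7 Signed Data Verification Pass zero-len data
-depends_on:MBEDTLS_MD_CAN_SHA1:PSA_WANT_ALG_SHA_256
+depends_on:PSA_WANT_ALG_SHA_1:PSA_WANT_ALG_SHA_256
 pkcs7_verify:"../framework/data_files/pkcs7_zerolendata_detached.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_zerolendata.bin":0:0
 
 PKCS7 Signed Data Verification Fail zero-len data
-depends_on:MBEDTLS_MD_CAN_SHA1:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
+depends_on:PSA_WANT_ALG_SHA_1:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C
 pkcs7_verify:"../framework/data_files/pkcs7_zerolendata_detached.der":"../framework/data_files/pkcs7-rsa-sha256-2.der":"../framework/data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
 
 PKCS7 Signed Data Verification Pass SHA256 #9
@@ -87,7 +87,7 @@ depends_on:PSA_WANT_ALG_SHA_256
 pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
 
 PKCS7 Signed Data Verification Pass SHA1 #10
-depends_on:MBEDTLS_MD_CAN_SHA1:PSA_WANT_ALG_SHA_256
+depends_on:PSA_WANT_ALG_SHA_1:PSA_WANT_ALG_SHA_256
 pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha1.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0
 
 PKCS7 Signed Data Verification Pass SHA512 #11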