From 252e391cca6c11d161adec1b5424a831404f5949 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 26 Feb 2020 18:33:58 +0100 Subject: [PATCH] Revert "config: Remove X.509 options" This reverts commit bb1f70121218b461a4197224d547e6bcfae4f991. * include/mbedtls/check_config.h: * MBEDTLS_X509_RSASSA_PSS_SUPPORT: there has been an addition (of MBEDTLS_SHA512_NO_SHA384) at the place where it was removed. Re-add it before MBEDTLS_SHA512_NO_SHA384 to keep it grouped with MBEDTLS_RSA_C. Conflicts: * scripts/config.pl: this file has been replaced by config.py. Port the reversed changes to config.py: * Revert removing three symbols from the list of symbols to exclude from full. --- configs/config-no-entropy.h | 5 + configs/config-psa-crypto.h | 208 ++++++++++++++++++++++++++++- configs/config-suite-b.h | 3 + include/mbedtls/check_config.h | 41 ++++++ include/mbedtls/config.h | 227 +++++++++++++++++++++++++++++++- library/version_features.c | 45 +++++++ programs/test/query_config.c | 120 +++++++++++++++++ scripts/config.py | 3 + tests/scripts/depends-pkalgs.pl | 5 +- 9 files changed, 653 insertions(+), 4 deletions(-) diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h index 502ca0320..433c663be 100644 --- a/configs/config-no-entropy.h +++ b/configs/config-no-entropy.h @@ -51,6 +51,8 @@ #define MBEDTLS_PKCS1_V21 #define MBEDTLS_SELF_TEST #define MBEDTLS_VERSION_FEATURES +#define MBEDTLS_X509_CHECK_KEY_USAGE +#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE /* mbed TLS modules */ #define MBEDTLS_AES_C @@ -76,6 +78,9 @@ #define MBEDTLS_SHA256_C #define MBEDTLS_SHA512_C #define MBEDTLS_VERSION_C +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRL_PARSE_C //#define MBEDTLS_CMAC_C /* Miscellaneous options */ diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 3d6d7d311..8fe4567de 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h @@ -1024,6 +1024,64 @@ */ #define MBEDTLS_VERSION_FEATURES +/** + * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an extension in a v1 or v2 certificate. + * + * Uncomment to prevent an error. + */ +//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 + +/** + * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an unknown critical extension. + * + * \warning Depending on your PKI use, enabling this can be a security risk! + * + * Uncomment to prevent an error. + */ +//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + +/** + * \def MBEDTLS_X509_CHECK_KEY_USAGE + * + * Enable verification of the keyUsage extension (CA and leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused + * (intermediate) CA and leaf certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip keyUsage checking for both CA and leaf certificates. + */ +#define MBEDTLS_X509_CHECK_KEY_USAGE + +/** + * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + * + * Enable verification of the extendedKeyUsage extension (leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip extendedKeyUsage checking for certificates. + */ +#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + +/** + * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT + * + * Enable parsing and verification of X.509 certificates, CRLs and CSRS + * signed with RSASSA-PSS (aka PKCS#1 v2.1). + * + * Comment this macro to disallow using RSASSA-PSS in certificates. + */ +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT /* \} name SECTION: mbed TLS feature support */ /** @@ -1154,7 +1212,8 @@ * Enable the generic ASN1 parser. * * Module: library/asn1.c - * Caller: library/dhm.c + * Caller: library/x509.c + * library/dhm.c * library/pkcs12.c * library/pkcs5.c * library/pkparse.c @@ -1169,6 +1228,9 @@ * Module: library/asn1write.c * Caller: library/ecdsa.c * library/pkwrite.c + * library/x509_create.c + * library/x509write_crt.c + * library/x509write_csr.c */ #define MBEDTLS_ASN1_WRITE_C @@ -1326,6 +1388,18 @@ */ #define MBEDTLS_CCM_C +/** + * \def MBEDTLS_CERTS_C + * + * Enable the test certificates. + * + * Module: library/certs.c + * Caller: + * + * This module is used for testing (ssl_client/server). + */ +#define MBEDTLS_CERTS_C + /** * \def MBEDTLS_CHACHA20_C * @@ -1694,6 +1768,13 @@ * library/pkparse.c * library/pkwrite.c * library/rsa.c + * library/x509.c + * library/x509_create.c + * library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * library/x509write_crt.c + * library/x509write_csr.c * * This modules translates between OIDs and internal values. */ @@ -1721,6 +1802,9 @@ * Module: library/pem.c * Caller: library/dhm.c * library/pkparse.c + * library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c * * Requires: MBEDTLS_BASE64_C * @@ -1735,6 +1819,8 @@ * * Module: library/pem.c * Caller: library/pkwrite.c + * library/x509write_crt.c + * library/x509write_csr.c * * Requires: MBEDTLS_BASE64_C * @@ -1761,6 +1847,8 @@ * Enable the generic public (asymetric) key parser. * * Module: library/pkparse.c + * Caller: library/x509_crt.c + * library/x509_csr.c * * Requires: MBEDTLS_PK_C * @@ -1774,6 +1862,7 @@ * Enable the generic public (asymetric) key writer. * * Module: library/pkwrite.c + * Caller: library/x509write.c * * Requires: MBEDTLS_PK_C * @@ -1794,6 +1883,21 @@ */ #define MBEDTLS_PKCS5_C +/** + * \def MBEDTLS_PKCS11_C + * + * Enable wrapper for PKCS#11 smartcard support. + * + * Module: library/pkcs11.c + * Caller: library/pk.c + * + * Requires: MBEDTLS_PK_C + * + * This module enables SSL/TLS PKCS #11 smartcard support. + * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) + */ +//#define MBEDTLS_PKCS11_C + /** * \def MBEDTLS_PKCS12_C * @@ -1895,6 +1999,7 @@ * * Module: library/rsa.c * library/rsa_internal.c + * Caller: library/x509.c * * This module is used by the following key exchanges: * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK @@ -1910,6 +2015,7 @@ * * Module: library/sha1.c * Caller: library/md.c + * library/x509write_crt.c * * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 * depending on the handshake parameters, and for SHA1-signed certificates. @@ -2004,6 +2110,106 @@ */ #define MBEDTLS_VERSION_C +/** + * \def MBEDTLS_X509_USE_C + * + * Enable X.509 core for using certificates. + * + * Module: library/x509.c + * Caller: library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, + * MBEDTLS_PK_PARSE_C + * + * This module is required for the X.509 parsing modules. + */ +#define MBEDTLS_X509_USE_C + +/** + * \def MBEDTLS_X509_CRT_PARSE_C + * + * Enable X.509 certificate parsing. + * + * Module: library/x509_crt.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 certificate parsing. + */ +#define MBEDTLS_X509_CRT_PARSE_C + +/** + * \def MBEDTLS_X509_CRL_PARSE_C + * + * Enable X.509 CRL parsing. + * + * Module: library/x509_crl.c + * Caller: library/x509_crt.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 CRL parsing. + */ +#define MBEDTLS_X509_CRL_PARSE_C + +/** + * \def MBEDTLS_X509_CSR_PARSE_C + * + * Enable X.509 Certificate Signing Request (CSR) parsing. + * + * Module: library/x509_csr.c + * Caller: library/x509_crt_write.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is used for reading X.509 certificate request. + */ +#define MBEDTLS_X509_CSR_PARSE_C + +/** + * \def MBEDTLS_X509_CREATE_C + * + * Enable X.509 core for creating certificates. + * + * Module: library/x509_create.c + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C + * + * This module is the basis for creating X.509 certificates and CSRs. + */ +#define MBEDTLS_X509_CREATE_C + +/** + * \def MBEDTLS_X509_CRT_WRITE_C + * + * Enable creating X.509 certificates. + * + * Module: library/x509_crt_write.c + * + * Requires: MBEDTLS_X509_CREATE_C + * + * This module is required for X.509 certificate creation. + */ +#define MBEDTLS_X509_CRT_WRITE_C + +/** + * \def MBEDTLS_X509_CSR_WRITE_C + * + * Enable creating X.509 Certificate Signing Requests (CSR). + * + * Module: library/x509_csr_write.c + * + * Requires: MBEDTLS_X509_CREATE_C + * + * This module is required for X.509 certificate request writing. + */ +#define MBEDTLS_X509_CSR_WRITE_C + /** * \def MBEDTLS_XTEA_C * diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 4faaa7718..dd9a2a019 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -66,9 +66,12 @@ #define MBEDTLS_PK_PARSE_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA512_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_USE_C /* For test certificates */ #define MBEDTLS_BASE64_C +#define MBEDTLS_CERTS_C #define MBEDTLS_PEM_PARSE_C /* Save RAM at the expense of ROM */ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index c3a38301c..65a3cc8d4 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -270,6 +270,10 @@ #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C) +#error "MBEDTLS_PKCS11_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C) #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites" #endif @@ -510,6 +514,11 @@ #error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled" #endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ + ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) ) +#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C) #error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C" #endif @@ -541,6 +550,38 @@ #error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites" #endif +#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ + !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) || \ + !defined(MBEDTLS_PK_PARSE_C) ) +#error "MBEDTLS_X509_USE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ + !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) || \ + !defined(MBEDTLS_PK_WRITE_C) ) +#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) ) +#error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_X509_CRL_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) ) +#error "MBEDTLS_X509_CRL_PARSE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_X509_CSR_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) ) +#error "MBEDTLS_X509_CSR_PARSE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_X509_CRT_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) ) +#error "MBEDTLS_X509_CRT_WRITE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_X509_CSR_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) ) +#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64) #error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously" #endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */ diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index a728a31e5..f8788d89d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1125,6 +1125,83 @@ */ #define MBEDTLS_VERSION_FEATURES +/** + * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an extension in a v1 or v2 certificate. + * + * Uncomment to prevent an error. + */ +//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 + +/** + * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an unknown critical extension. + * + * \warning Depending on your PKI use, enabling this can be a security risk! + * + * Uncomment to prevent an error. + */ +//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + +/** + * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK + * + * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()` + * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure + * the set of trusted certificates through a callback instead of a linked + * list. + * + * This is useful for example in environments where a large number of trusted + * certificates is present and storing them in a linked list isn't efficient + * enough, or when the set of trusted certificates changes frequently. + * + * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and + * `mbedtls_ssl_conf_ca_cb()` for more information. + * + * Uncomment to enable trusted certificate callbacks. + */ +//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK + +/** + * \def MBEDTLS_X509_CHECK_KEY_USAGE + * + * Enable verification of the keyUsage extension (CA and leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused + * (intermediate) CA and leaf certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip keyUsage checking for both CA and leaf certificates. + */ +#define MBEDTLS_X509_CHECK_KEY_USAGE + +/** + * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + * + * Enable verification of the extendedKeyUsage extension (leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip extendedKeyUsage checking for certificates. + */ +#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + +/** + * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT + * + * Enable parsing and verification of X.509 certificates, CRLs and CSRS + * signed with RSASSA-PSS (aka PKCS#1 v2.1). + * + * Comment this macro to disallow using RSASSA-PSS in certificates. + */ +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT /* \} name SECTION: mbed TLS feature support */ /** @@ -1255,7 +1332,8 @@ * Enable the generic ASN1 parser. * * Module: library/asn1.c - * Caller: library/dhm.c + * Caller: library/x509.c + * library/dhm.c * library/pkcs12.c * library/pkcs5.c * library/pkparse.c @@ -1270,6 +1348,9 @@ * Module: library/asn1write.c * Caller: library/ecdsa.c * library/pkwrite.c + * library/x509_create.c + * library/x509write_crt.c + * library/x509write_csr.c */ #define MBEDTLS_ASN1_WRITE_C @@ -1427,6 +1508,18 @@ */ #define MBEDTLS_CCM_C +/** + * \def MBEDTLS_CERTS_C + * + * Enable the test certificates. + * + * Module: library/certs.c + * Caller: + * + * This module is used for testing (ssl_client/server). + */ +#define MBEDTLS_CERTS_C + /** * \def MBEDTLS_CHACHA20_C * @@ -1799,6 +1892,13 @@ * library/pkparse.c * library/pkwrite.c * library/rsa.c + * library/x509.c + * library/x509_create.c + * library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * library/x509write_crt.c + * library/x509write_csr.c * * This modules translates between OIDs and internal values. */ @@ -1826,6 +1926,9 @@ * Module: library/pem.c * Caller: library/dhm.c * library/pkparse.c + * library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c * * Requires: MBEDTLS_BASE64_C * @@ -1840,6 +1943,8 @@ * * Module: library/pem.c * Caller: library/pkwrite.c + * library/x509write_crt.c + * library/x509write_csr.c * * Requires: MBEDTLS_BASE64_C * @@ -1866,6 +1971,8 @@ * Enable the generic public (asymetric) key parser. * * Module: library/pkparse.c + * Caller: library/x509_crt.c + * library/x509_csr.c * * Requires: MBEDTLS_PK_C * @@ -1879,6 +1986,7 @@ * Enable the generic public (asymetric) key writer. * * Module: library/pkwrite.c + * Caller: library/x509write.c * * Requires: MBEDTLS_PK_C * @@ -1899,6 +2007,21 @@ */ #define MBEDTLS_PKCS5_C +/** + * \def MBEDTLS_PKCS11_C + * + * Enable wrapper for PKCS#11 smartcard support. + * + * Module: library/pkcs11.c + * Caller: library/pk.c + * + * Requires: MBEDTLS_PK_C + * + * This module enables SSL/TLS PKCS #11 smartcard support. + * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) + */ +//#define MBEDTLS_PKCS11_C + /** * \def MBEDTLS_PKCS12_C * @@ -2020,6 +2143,7 @@ * * Module: library/rsa.c * library/rsa_internal.c + * Caller: library/x509.c * * This module is used by the following key exchanges: * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK @@ -2035,6 +2159,7 @@ * * Module: library/sha1.c * Caller: library/md.c + * library/x509write_crt.c * * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 * depending on the handshake parameters, and for SHA1-signed certificates. @@ -2129,6 +2254,106 @@ */ #define MBEDTLS_VERSION_C +/** + * \def MBEDTLS_X509_USE_C + * + * Enable X.509 core for using certificates. + * + * Module: library/x509.c + * Caller: library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, + * MBEDTLS_PK_PARSE_C + * + * This module is required for the X.509 parsing modules. + */ +#define MBEDTLS_X509_USE_C + +/** + * \def MBEDTLS_X509_CRT_PARSE_C + * + * Enable X.509 certificate parsing. + * + * Module: library/x509_crt.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 certificate parsing. + */ +#define MBEDTLS_X509_CRT_PARSE_C + +/** + * \def MBEDTLS_X509_CRL_PARSE_C + * + * Enable X.509 CRL parsing. + * + * Module: library/x509_crl.c + * Caller: library/x509_crt.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 CRL parsing. + */ +#define MBEDTLS_X509_CRL_PARSE_C + +/** + * \def MBEDTLS_X509_CSR_PARSE_C + * + * Enable X.509 Certificate Signing Request (CSR) parsing. + * + * Module: library/x509_csr.c + * Caller: library/x509_crt_write.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is used for reading X.509 certificate request. + */ +#define MBEDTLS_X509_CSR_PARSE_C + +/** + * \def MBEDTLS_X509_CREATE_C + * + * Enable X.509 core for creating certificates. + * + * Module: library/x509_create.c + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C + * + * This module is the basis for creating X.509 certificates and CSRs. + */ +#define MBEDTLS_X509_CREATE_C + +/** + * \def MBEDTLS_X509_CRT_WRITE_C + * + * Enable creating X.509 certificates. + * + * Module: library/x509_crt_write.c + * + * Requires: MBEDTLS_X509_CREATE_C + * + * This module is required for X.509 certificate creation. + */ +#define MBEDTLS_X509_CRT_WRITE_C + +/** + * \def MBEDTLS_X509_CSR_WRITE_C + * + * Enable creating X.509 Certificate Signing Requests (CSR). + * + * Module: library/x509_csr_write.c + * + * Requires: MBEDTLS_X509_CREATE_C + * + * This module is required for X.509 certificate request writing. + */ +#define MBEDTLS_X509_CSR_WRITE_C + /** * \def MBEDTLS_XTEA_C * diff --git a/library/version_features.c b/library/version_features.c index e2dc9b152..22089af70 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -429,6 +429,24 @@ static const char * const features[] = { #if defined(MBEDTLS_VERSION_FEATURES) "MBEDTLS_VERSION_FEATURES", #endif /* MBEDTLS_VERSION_FEATURES */ +#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3) + "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3", +#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */ +#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) + "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION", +#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */ +#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) + "MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK", +#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ +#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) + "MBEDTLS_X509_CHECK_KEY_USAGE", +#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ +#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) + "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE", +#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + "MBEDTLS_X509_RSASSA_PSS_SUPPORT", +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #if defined(MBEDTLS_AESNI_C) "MBEDTLS_AESNI_C", #endif /* MBEDTLS_AESNI_C */ @@ -462,6 +480,9 @@ static const char * const features[] = { #if defined(MBEDTLS_CCM_C) "MBEDTLS_CCM_C", #endif /* MBEDTLS_CCM_C */ +#if defined(MBEDTLS_CERTS_C) + "MBEDTLS_CERTS_C", +#endif /* MBEDTLS_CERTS_C */ #if defined(MBEDTLS_CHACHA20_C) "MBEDTLS_CHACHA20_C", #endif /* MBEDTLS_CHACHA20_C */ @@ -555,6 +576,9 @@ static const char * const features[] = { #if defined(MBEDTLS_PKCS5_C) "MBEDTLS_PKCS5_C", #endif /* MBEDTLS_PKCS5_C */ +#if defined(MBEDTLS_PKCS11_C) + "MBEDTLS_PKCS11_C", +#endif /* MBEDTLS_PKCS11_C */ #if defined(MBEDTLS_PKCS12_C) "MBEDTLS_PKCS12_C", #endif /* MBEDTLS_PKCS12_C */ @@ -600,6 +624,27 @@ static const char * const features[] = { #if defined(MBEDTLS_VERSION_C) "MBEDTLS_VERSION_C", #endif /* MBEDTLS_VERSION_C */ +#if defined(MBEDTLS_X509_USE_C) + "MBEDTLS_X509_USE_C", +#endif /* MBEDTLS_X509_USE_C */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) + "MBEDTLS_X509_CRT_PARSE_C", +#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_X509_CRL_PARSE_C) + "MBEDTLS_X509_CRL_PARSE_C", +#endif /* MBEDTLS_X509_CRL_PARSE_C */ +#if defined(MBEDTLS_X509_CSR_PARSE_C) + "MBEDTLS_X509_CSR_PARSE_C", +#endif /* MBEDTLS_X509_CSR_PARSE_C */ +#if defined(MBEDTLS_X509_CREATE_C) + "MBEDTLS_X509_CREATE_C", +#endif /* MBEDTLS_X509_CREATE_C */ +#if defined(MBEDTLS_X509_CRT_WRITE_C) + "MBEDTLS_X509_CRT_WRITE_C", +#endif /* MBEDTLS_X509_CRT_WRITE_C */ +#if defined(MBEDTLS_X509_CSR_WRITE_C) + "MBEDTLS_X509_CSR_WRITE_C", +#endif /* MBEDTLS_X509_CSR_WRITE_C */ #if defined(MBEDTLS_XTEA_C) "MBEDTLS_XTEA_C", #endif /* MBEDTLS_XTEA_C */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 32194f5f0..6dc4a003c 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1186,6 +1186,54 @@ int query_config( const char *config ) } #endif /* MBEDTLS_VERSION_FEATURES */ +#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3) + if( strcmp( "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 ); + return( 0 ); + } +#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */ + +#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) + if( strcmp( "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION ); + return( 0 ); + } +#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */ + +#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) + if( strcmp( "MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK ); + return( 0 ); + } +#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ + +#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) + if( strcmp( "MBEDTLS_X509_CHECK_KEY_USAGE", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CHECK_KEY_USAGE ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ + +#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) + if( strcmp( "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ + +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_RSASSA_PSS_SUPPORT ); + return( 0 ); + } +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ + #if defined(MBEDTLS_AESNI_C) if( strcmp( "MBEDTLS_AESNI_C", config ) == 0 ) { @@ -1274,6 +1322,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_CCM_C */ +#if defined(MBEDTLS_CERTS_C) + if( strcmp( "MBEDTLS_CERTS_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_CERTS_C ); + return( 0 ); + } +#endif /* MBEDTLS_CERTS_C */ + #if defined(MBEDTLS_CHACHA20_C) if( strcmp( "MBEDTLS_CHACHA20_C", config ) == 0 ) { @@ -1522,6 +1578,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PKCS5_C */ +#if defined(MBEDTLS_PKCS11_C) + if( strcmp( "MBEDTLS_PKCS11_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS11_C ); + return( 0 ); + } +#endif /* MBEDTLS_PKCS11_C */ + #if defined(MBEDTLS_PKCS12_C) if( strcmp( "MBEDTLS_PKCS12_C", config ) == 0 ) { @@ -1642,6 +1706,62 @@ int query_config( const char *config ) } #endif /* MBEDTLS_VERSION_C */ +#if defined(MBEDTLS_X509_USE_C) + if( strcmp( "MBEDTLS_X509_USE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_USE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_USE_C */ + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + if( strcmp( "MBEDTLS_X509_CRT_PARSE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_PARSE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + +#if defined(MBEDTLS_X509_CRL_PARSE_C) + if( strcmp( "MBEDTLS_X509_CRL_PARSE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRL_PARSE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CRL_PARSE_C */ + +#if defined(MBEDTLS_X509_CSR_PARSE_C) + if( strcmp( "MBEDTLS_X509_CSR_PARSE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CSR_PARSE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CSR_PARSE_C */ + +#if defined(MBEDTLS_X509_CREATE_C) + if( strcmp( "MBEDTLS_X509_CREATE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CREATE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CREATE_C */ + +#if defined(MBEDTLS_X509_CRT_WRITE_C) + if( strcmp( "MBEDTLS_X509_CRT_WRITE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_WRITE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CRT_WRITE_C */ + +#if defined(MBEDTLS_X509_CSR_WRITE_C) + if( strcmp( "MBEDTLS_X509_CSR_WRITE_C", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CSR_WRITE_C ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CSR_WRITE_C */ + #if defined(MBEDTLS_XTEA_C) if( strcmp( "MBEDTLS_XTEA_C", config ) == 0 ) { diff --git a/scripts/config.py b/scripts/config.py index 6d4828a95..df2d3d51d 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -177,6 +177,7 @@ def include_in_full(name): 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', 'MBEDTLS_NO_PLATFORM_ENTROPY', 'MBEDTLS_NO_UDBL_DIVISION', + 'MBEDTLS_PKCS11_C', 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', 'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER', 'MBEDTLS_PSA_CRYPTO_SE_C', @@ -185,6 +186,8 @@ def include_in_full(name): 'MBEDTLS_RSA_NO_CRT', 'MBEDTLS_SHA512_NO_SHA384', 'MBEDTLS_TEST_NULL_ENTROPY', + 'MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3', + 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', ]: return False if name.endswith('_ALT'): diff --git a/tests/scripts/depends-pkalgs.pl b/tests/scripts/depends-pkalgs.pl index 7fbd6d71e..c05edaacf 100755 --- a/tests/scripts/depends-pkalgs.pl +++ b/tests/scripts/depends-pkalgs.pl @@ -39,9 +39,10 @@ my %algs = ( 'MBEDTLS_ECP_C' => ['MBEDTLS_ECDSA_C', 'MBEDTLS_ECDH_C', 'MBEDTLS_ECJPAKE_C'], - 'MBEDTLS_PKCS1_V21' => [], + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT' => [], + 'MBEDTLS_PKCS1_V21' => ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'MBEDTLS_PKCS1_V15' => [], - 'MBEDTLS_RSA_C' => [], + 'MBEDTLS_RSA_C' => ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], ); system( "cp $config_h $config_h.bak" ) and die;