From 348bcb36942f60f90096a0f3b5514b36dc0a2fd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 31 Mar 2015 14:01:33 +0200 Subject: [PATCH] Make RSA_ALT support optionnal --- ChangeLog | 3 +++ include/mbedtls/config.h | 9 +++++++++ include/mbedtls/pk.h | 4 ++++ include/mbedtls/pk_wrap.h | 4 ++++ library/pk.c | 2 ++ library/pk_wrap.c | 5 +++++ tests/suites/test_suite_pk.function | 4 ++-- 7 files changed, 29 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e40b929bf..09c5b2f6e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ Default behavior changes * Support for receiving SSLv2 ClientHello is now disabled by default at compile time. * The default authmode for SSL/TLS clients is now REQUIRED. + * Support for RSA_ALT contexts in the PK layer is now optional. Since is is + enabled in the default configuration, this is only noticeable if using a + custom config.h Changes * Remove test program o_p_test, the script compat.sh does more. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index b13790d78..52cec1da8 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -768,6 +768,15 @@ */ //#define POLARSSL_MEMORY_BACKTRACE +/** + * \def POLARSSL_PK_RSA_ALT_SUPPORT + * + * Support external private RSA keys (eg from a HSM) in the PK layer. + * + * Comment this macro to disable support for external private RSA keys. + */ +#define POLARSSL_PK_RSA_ALT_SUPPORT + /** * \def POLARSSL_PKCS1_V15 * diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 8fda5817b..207d3542d 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -197,6 +197,7 @@ typedef struct void * pk_ctx; /**< Underlying public key context */ } pk_context; +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) /** * \brief Types for RSA-alt abstraction */ @@ -208,6 +209,7 @@ typedef int (*pk_rsa_alt_sign_func)( void *ctx, int mode, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ); typedef size_t (*pk_rsa_alt_key_len_func)( void *ctx ); +#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */ /** * \brief Return information associated with the given PK type @@ -244,6 +246,7 @@ void pk_free( pk_context *ctx ); */ int pk_init_ctx( pk_context *ctx, const pk_info_t *info ); +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) /** * \brief Initialize an RSA-alt context * @@ -262,6 +265,7 @@ int pk_init_ctx_rsa_alt( pk_context *ctx, void * key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func ); +#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */ /** * \brief Get the size in bits of the underlying key diff --git a/include/mbedtls/pk_wrap.h b/include/mbedtls/pk_wrap.h index 367725007..7a7f4fa01 100644 --- a/include/mbedtls/pk_wrap.h +++ b/include/mbedtls/pk_wrap.h @@ -33,6 +33,7 @@ #include "pk.h" +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) /* Container for RSA-alt */ typedef struct { @@ -41,6 +42,7 @@ typedef struct pk_rsa_alt_sign_func sign_func; pk_rsa_alt_key_len_func key_len_func; } rsa_alt_context; +#endif #if defined(POLARSSL_RSA_C) extern const pk_info_t rsa_info; @@ -55,6 +57,8 @@ extern const pk_info_t eckeydh_info; extern const pk_info_t ecdsa_info; #endif +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) extern const pk_info_t rsa_alt_info; +#endif #endif /* POLARSSL_PK_WRAP_H */ diff --git a/library/pk.c b/library/pk.c index f083b861c..d14730255 100644 --- a/library/pk.c +++ b/library/pk.c @@ -112,6 +112,7 @@ int pk_init_ctx( pk_context *ctx, const pk_info_t *info ) return( 0 ); } +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) /* * Initialize an RSA-alt context */ @@ -140,6 +141,7 @@ int pk_init_ctx_rsa_alt( pk_context *ctx, void * key, return( 0 ); } +#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */ /* * Tell if a PK can do the operations of the given type diff --git a/library/pk_wrap.c b/library/pk_wrap.c index d6dea12c1..994320f94 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -50,10 +50,12 @@ #define polarssl_free free #endif +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) /* Implementation that should never be optimized out by the compiler */ static void polarssl_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } +#endif #if defined(POLARSSL_RSA_C) static int rsa_can_do( pk_type_t type ) @@ -377,6 +379,7 @@ const pk_info_t ecdsa_info = { }; #endif /* POLARSSL_ECDSA_C */ +#if defined(POLARSSL_PK_RSA_ALT_SUPPORT) /* * Support for alternative RSA-private implementations */ @@ -488,4 +491,6 @@ const pk_info_t rsa_alt_info = { NULL, }; +#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */ + #endif /* POLARSSL_PK_C */ diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index d82ab2a32..3d0df6787 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -98,7 +98,7 @@ void pk_check_pair( char *pub_file, char *prv_file, int ret ) TEST_ASSERT( pk_check_pair( &pub, &prv ) == ret ); -#if defined(POLARSSL_RSA_C) +#if defined(POLARSSL_RSA_C) && defined(POLARSSL_PK_RSA_ALT_SUPPORT) if( pk_get_type( &prv ) == POLARSSL_PK_RSA ) { TEST_ASSERT( pk_init_ctx_rsa_alt( &alt, pk_rsa( prv ), @@ -414,7 +414,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_RSA_C */ +/* BEGIN_CASE depends_on:POLARSSL_RSA_C:POLARSSL_PK_RSA_ALT_SUPPORT */ void pk_rsa_alt( ) { /*