PSA Internal Functions being included even with MBEDTLS_PSA_CRYPTO_C undefined

[garcimag]

I'm trying to compile mbedTLS 2.26.0 for Windows using CMake, directly on Windows (build=host=Windows). GCC is version 10.3 and checked the option USE_SHARED_MBEDTLS_LIBRARY.

I get the following errors in the linking step:

[ 76%] Linking C shared library libmbedcrypto.dll
c:/mingw/bin/../lib/gcc/i686-w64-mingw32/10.3.0/../../../../i686-w64-mingw32/bin/ld.exe: CMakeFiles\mbedcrypto.dir/objects.a(psa_crypto_driver_wrappers.c.obj):psa_crypto_driver_wrappers.c:(.text+0x33): undefined reference to `psa_sign_hash_internal'
c:/mingw/bin/../lib/gcc/i686-w64-mingw32/10.3.0/../../../../i686-w64-mingw32/bin/ld.exe: CMakeFiles\mbedcrypto.dir/objects.a(psa_crypto_driver_wrappers.c.obj):psa_crypto_driver_wrappers.c:(.text+0x7b): undefined reference to `psa_verify_hash_internal'
c:/mingw/bin/../lib/gcc/i686-w64-mingw32/10.3.0/../../../../i686-w64-mingw32/bin/ld.exe: CMakeFiles\mbedcrypto.dir/objects.a(psa_crypto_driver_wrappers.c.obj):psa_crypto_driver_wrappers.c:(.text+0xb1): undefined reference to `psa_generate_key_internal'
c:/mingw/bin/../lib/gcc/i686-w64-mingw32/10.3.0/../../../../i686-w64-mingw32/bin/ld.exe: CMakeFiles\mbedcrypto.dir/objects.a(psa_crypto_driver_wrappers.c.obj):psa_crypto_driver_wrappers.c:(.text+0xe3): undefined reference to `psa_import_key_into_slot'
c:/mingw/bin/../lib/gcc/i686-w64-mingw32/10.3.0/../../../../i686-w64-mingw32/bin/ld.exe: CMakeFiles\mbedcrypto.dir/objects.a(psa_crypto_driver_wrappers.c.obj):psa_crypto_driver_wrappers.c:(.text+0x115): undefined reference to `psa_export_key_internal'
c:/mingw/bin/../lib/gcc/i686-w64-mingw32/10.3.0/../../../../i686-w64-mingw32/bin/ld.exe: CMakeFiles\mbedcrypto.dir/objects.a(psa_crypto_driver_wrappers.c.obj):psa_crypto_driver_wrappers.c:(.text+0x145): undefined reference to `psa_export_public_key_internal'

My config file has the following:

#define MBEDTLS_HAVE_TIME
#define MBEDTLS_PLATFORM_C

#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES

#define MBEDTLS_RSA_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_PK_RSA_ALT_SUPPORT
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_PEM_PARSE_C

#define MBEDTLS_CIPHER_C
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_AES_C
#define MBEDTLS_DES_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_OID_C

#define MBEDTLS_MD_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SHA256_C

#define MBEDTLS_BASE64_C
#define MBEDTLS_ERROR_C
#define MBEDTLS_VERSION_C

In my IDE, I see psa_crypto.c properly greyed out, where the implementations of functions like psa_sign_hash_internal are. But in psa_crypto_driver_wrappers.c:112 the code returns psa_sign_hash_internal, causing the undefined reference since its implementation is not included in compilation. The same applies for the other functions in the error log.

I even added

#undef MBEDTLS_PSA_CRYPTO_C
#undef MBEDTLS_PSA_CRYPTO_DRIVERS

Am I missing something?

[gilles-peskine-arm]

This is a bug in Mbed TLS. All the code in psa_crypto_driver_wrappers.c should be under #if defined(MBEDTLS_PSA_CRYPTO_C).

Our CI does not catch this kind of bugs because it mostly does static builds, and would only catch a link error if a function is used from a full program. If a function is accidentally compiled in a configuration where it shouldn't be, but isn't called in this configuration, we don't detect it. I wonder if we should switch to shared library builds for configuration testing?

I'll make a patch for this specific issue, but I'm not sure how to do non-regression.

[gilles-peskine-arm]

I made a patch for 2.27 and 3.0: #4412. The patch doesn't apply cleanly on 2.26 due to a cosmetic difference, you can use https://github.com/gilles-peskine-arm/mbedtls/tree/undefined-reference-2.26. Please note that my patch has not been reviewed yet, so try it out at your own risk.

[garcimag]

Very nice.