From 5d6c048c5f47bef046b98936c4f21b7a1f265f37 Mon Sep 17 00:00:00 2001
From: Jaeden Amero
Date: Fri, 14 May 2021 08:34:32 +0100
Subject: [PATCH] config: Fix PSA configuration backwards compat

At the moment, the only difference in Mbed TLS configuration options set by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not. When working backwards however, when configuring what functionality is available in Mbed TLS's PSA implementation based on Mbed TLS configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the MBEDTLS_GENPRIME setting. On space-constrained platforms, it is a useful configuration to be able to import/export and work with RSA, but exclude RSA key generation, potentially saving flash space. Change config_psa.h to only set MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset.

psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero
---
 ChangeLog.d/psa-without-genprime-fix.txt | 4 ++++
 include/mbedtls/config_psa.h | 2 ++
 tests/scripts/all.sh | 6 ++++++
 3 files changed, 12 insertions(+)
 create mode 100644 ChangeLog.d/psa-without-genprime-fix.txt

diff --git a/ChangeLog.d/psa-without-genprime-fix.txt b/ChangeLog.d/psa-without-genprime-fix.txt
new file mode 100644
index 000000000000..cce06ffe9d18
--- /dev/null
+++ b/ChangeLog.d/psa-without-genprime-fix.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix how PSA configures RSA support based on what features are set in the
+ Mbed TLS configuration. Specifically, support RSA without key generation when MBEDTLS_GENPRIME is not
+ defined. Fixes #4512.
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index fa415d5f028c..5024062fa243 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -593,8 +593,10 @@ extern "C" {
 #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
 #define PSA_WANT_ALG_RSA_PSS 1
 #endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_GENPRIME)
 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
+#endif /* MBEDTLS_GENPRIME */
 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
 #endif /* MBEDTLS_RSA_C */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 8b9d7d172d32..24b20f292c7c 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1306,6 +1306,12 @@ component_build_crypto_baremetal () {
     if_build_succeeded are_empty_libraries library/libmbedx509.* library/libmbedtls.*
 }
 
+component_build_psa_crypto_rsa_no_genprime() {
+    msg "build: default config minus MBEDTLS_GENPRIME"
+    scripts/config.py unset MBEDTLS_GENPRIME
+    make
+}
+
 component_test_depends_curves () {
     msg "test/build: curves.pl (gcc)" # ~ 4 min
     record_status tests/scripts/curves.pl
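Review bot: The new `#if defined(MBEDTLS_GENPRIME)` guard withholds MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and PSA_WANT_KEY_TYPE_RSA_KEY_PAIR altogether, not just a generation capability, so any code that gates RSA private-key import, export or signing on the KEY_PAIR symbol rather than on MBEDTLS_RSA_C would lose those paths as well; that is inferred from the symbol names and should be confirmed against psa_crypto_rsa.c, since the changelog promises "RSA without key generation" rather than "RSA public keys only". The reason for the guard is not visible at this point in the header, and a reader of config_psa.h will not see the linker error quoted in the commit; a one-line comment above it would help, e.g. `/* RSA key generation needs mbedtls_rsa_gen_key(), which is only built when MBEDTLS_GENPRIME is set. */`. The enclosing `#if defined(MBEDTLS_RSA_C)` block starts outside the hunk.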
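Review bot: The new function header `component_build_psa_crypto_rsa_no_genprime() {` omits the space before the parentheses that the neighbouring `component_build_crypto_baremetal () {` and `component_test_depends_curves () {` use; `component_build_psa_crypto_rsa_no_genprime () {` keeps the file consistent. As a build-only component it proves only that the link error quoted in the commit message is gone; if CI time allows, a `component_test_` variant that also runs `make test` would additionally check that the remaining RSA import and signing paths still pass with generation compiled out.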