diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 90dee6c1af..85f7efde20 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -150,14 +150,6 @@ #error "MBEDTLS_ECP_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_ECP_C) && !( \ - defined(MBEDTLS_ECP_ALT) || \ - defined(MBEDTLS_CTR_DRBG_C) || \ - defined(MBEDTLS_HMAC_DRBG_C) || \ - defined(MBEDTLS_ECP_NO_INTERNAL_RNG)) -#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used" -#endif - #if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C) #error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites" #endif diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 16f8f8b350..10370f37b5 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -651,28 +651,6 @@ */ #define MBEDTLS_ECP_NIST_OPTIM -/** - * \def MBEDTLS_ECP_NO_INTERNAL_RNG - * - * When this option is disabled, mbedtls_ecp_mul() will make use of an - * internal RNG when called with a NULL \c f_rng argument, in order to protect - * against some side-channel attacks. - * - * This protection introduces a dependency of the ECP module on one of the - * DRBG modules. For very constrained implementations that don't require this - * protection (for example, because you're only doing signature verification, - * so not manipulating any secret, or because local/physical side-channel - * attacks are outside your threat model), it might be desirable to get rid of - * that dependency. - * - * \warning Enabling this option makes some uses of ECP vulnerable to some - * side-channel attacks. Only enable it if you know that's not a problem for - * your use case. - * - * Uncomment this macro to disable some counter-measures in ECP. - */ -//#define MBEDTLS_ECP_NO_INTERNAL_RNG - /** * \def MBEDTLS_ECP_RESTARTABLE * diff --git a/scripts/config.py b/scripts/config.py index e27f322707..cbce1eb471 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -181,7 +181,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options 'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS 'MBEDTLS_ECP_NO_FALLBACK', # removes internal ECP implementation - 'MBEDTLS_ECP_NO_INTERNAL_RNG', # removes a feature 'MBEDTLS_ECP_RESTARTABLE', # incompatible with USE_PSA_CRYPTO 'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY 'MBEDTLS_HAVE_SSE2', # hardware dependency diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1423099571..2f3573f573 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1000,7 +1000,6 @@ component_test_psa_external_rng_no_drbg_classic () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py set MBEDTLS_ECP_NO_INTERNAL_RNG # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, # the SSL test programs don't have an RNG and can't work. Explicitly # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. @@ -1023,7 +1022,6 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py set MBEDTLS_ECP_NO_INTERNAL_RNG make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" @@ -1048,43 +1046,6 @@ component_test_psa_external_rng_use_psa_crypto () { if_build_succeeded tests/ssl-opt.sh -f 'Default\|opaque' } -component_test_ecp_no_internal_rng () { - msg "build: Default plus ECP_NO_INTERNAL_RNG minus DRBG modules" - scripts/config.py set MBEDTLS_ECP_NO_INTERNAL_RNG - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py unset MBEDTLS_PSA_CRYPTO_C # requires a DRBG - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA Crypto - - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: ECP_NO_INTERNAL_RNG, no DRBG module" - make test - - # no SSL tests as they all depend on having a DRBG -} - -component_test_ecp_restartable_no_internal_rng () { - msg "build: Default plus ECP_RESTARTABLE and ECP_NO_INTERNAL_RNG, no DRBG" - scripts/config.py set MBEDTLS_ECP_NO_INTERNAL_RNG - scripts/config.py set MBEDTLS_ECP_RESTARTABLE - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py unset MBEDTLS_PSA_CRYPTO_C # requires CTR_DRBG - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA Crypto - - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: ECP_RESTARTABLE and ECP_NO_INTERNAL_RNG, no DRBG module" - make test - - # no SSL tests as they all depend on having a DRBG -} - component_test_everest () { msg "build: Everest ECDH context (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED