Merge pull request #7271 from mpg/use-md-light

Use md light
2025-05-09 19:31:18 +08:00 · 2023-03-20 09:01:16 +01:00 · 2023-03-20 09:01:16 +01:00 · 14c194aae9
commit 14c194aae9
parent b937c92853 6ea8d3414f
5 changed files with 37 additions and 20 deletions
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@ -87,6 +87,13 @@
 #define MBEDTLS_MD_LIGHT
 #endif
 /* Auto-enable MBEDTLS_MD_LIGHT if some module needs it.
 */
 #if defined(MBEDTLS_PEM_PARSE_C) || \
    defined(MBEDTLS_RSA_C)
 #define MBEDTLS_MD_LIGHT
 #endif
 /* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
 * is defined as well to include all PSA code.
 */
--- a/library/pem.c
+++ b/library/pem.c
@ -25,7 +25,7 @@
 #include "mbedtls/base64.h"
 #include "mbedtls/des.h"
 #include "mbedtls/aes.h"
-#include "mbedtls/md5.h"
+#include "mbedtls/md.h"
 #include "mbedtls/cipher.h"
 #include "mbedtls/platform_util.h"
 #include "mbedtls/error.h"
@ -99,26 +99,33 @@ static int pem_pbkdf1(unsigned char *key, size_t keylen,
                      unsigned char *iv,
                      const unsigned char *pwd, size_t pwdlen)
 {
-    mbedtls_md5_context md5_ctx;
+    mbedtls_md_context_t md5_ctx;
    const mbedtls_md_info_t *md5_info;
    unsigned char md5sum[16];
    size_t use_len;
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    mbedtls_md5_init(&md5_ctx);
+    mbedtls_md_init(&md5_ctx);
    /* Prepare the context. (setup() errors gracefully on NULL info.) */
    md5_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
    if ((ret = mbedtls_md_setup(&md5_ctx, md5_info, 0)) != 0) {
        goto exit;
    }
    /*
     * key[ 0..15] = MD5(pwd || IV)
     */
-    if ((ret = mbedtls_md5_starts(&md5_ctx)) != 0) {
+    if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_update(&md5_ctx, pwd, pwdlen)) != 0) {
+    if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_update(&md5_ctx, iv,  8)) != 0) {
+    if ((ret = mbedtls_md_update(&md5_ctx, iv,  8)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_finish(&md5_ctx, md5sum)) != 0) {
+    if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
        goto exit;
    }
@ -132,19 +139,19 @@ static int pem_pbkdf1(unsigned char *key, size_t keylen,
    /*
     * key[16..23] = MD5(key[ 0..15] || pwd || IV])
     */
-    if ((ret = mbedtls_md5_starts(&md5_ctx)) != 0) {
+    if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_update(&md5_ctx, md5sum, 16)) != 0) {
+    if ((ret = mbedtls_md_update(&md5_ctx, md5sum, 16)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_update(&md5_ctx, pwd, pwdlen)) != 0) {
+    if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_update(&md5_ctx, iv, 8)) != 0) {
+    if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
        goto exit;
    }
-    if ((ret = mbedtls_md5_finish(&md5_ctx, md5sum)) != 0) {
+    if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
        goto exit;
    }
@ -156,7 +163,7 @@ static int pem_pbkdf1(unsigned char *key, size_t keylen,
    memcpy(key + 16, md5sum, use_len);
 exit:
-    mbedtls_md5_free(&md5_ctx);
+    mbedtls_md_free(&md5_ctx);
    mbedtls_platform_zeroize(md5sum, 16);
    return ret;
--- a/library/rsa.c
+++ b/library/rsa.c
@ -2344,7 +2344,7 @@ void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
 #if defined(MBEDTLS_SELF_TEST)
-#include "mbedtls/sha1.h"
+#include "mbedtls/md.h"
 /*
 * Example RSA-1024 keypair, for test purposes
@ -2508,7 +2508,8 @@ int mbedtls_rsa_self_test(int verbose)
        mbedtls_printf("  PKCS#1 data sign  : ");
    }
-    if (mbedtls_sha1(rsa_plaintext, PT_LEN, sha1sum) != 0) {
+    if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
                   rsa_plaintext, PT_LEN, sha1sum) != 0) {
        if (verbose != 0) {
            mbedtls_printf("failed\n");
        }
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -1230,8 +1230,9 @@ component_test_crypto_full_md_light_only () {
    scripts/config.py unset MBEDTLS_PKCS7_C
    # Disable indirect dependencies of MD
    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
-    # Enable "light" subset of MD
+    # Note: MD-light is auto-enabled in build_info.h by modules that need it,
-    make CFLAGS="$ASAN_CFLAGS -DMBEDTLS_MD_LIGHT" LDFLAGS="$ASAN_CFLAGS"
+    # which we haven't disabled, so no need to explicitly enable it.
    make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
    # Make sure we don't have the HMAC functions, but the hashing functions
    not grep mbedtls_md_hmac library/md.o
@ -2616,8 +2617,9 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
    # There's a risk of something getting re-enabled via config_psa.h;
-    # make sure it did not happen.
+    # make sure it did not happen. Note: it's OK for MD_LIGHT to be enabled,
-    not grep mbedtls_md library/md.o
+    # but not the full MD_C (for now), so check mbedtls_md_hmac for that.
    not grep mbedtls_md_hmac library/md.o
    not grep mbedtls_md5 library/md5.o
    not grep mbedtls_sha1 library/sha1.o
    not grep mbedtls_sha256 library/sha256.o
--- a/tests/suites/test_suite_md.function
+++ b/tests/suites/test_suite_md.function
@ -128,7 +128,7 @@ void md_info(int md_type, char *md_name, int md_size)
    (void) md_name;
 #endif
-    /* Note: PSA Crypto init not needed to info functions */
+    /* Note: PSA Crypto init not needed for info functions */
    md_info = mbedtls_md_info_from_type(md_type);
    TEST_ASSERT(md_info != NULL);