From 5dbc24a25546e5484d21fdf3bb1864098f512aab Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Thu, 14 Aug 2025 14:38:15 +0100
Subject: [PATCH 1/7] components-configuration-crypto: Removed legacy options.

Removed setters for `MBEDTLS_CTR_DRBG_USE_128_BIT_KEY` and `MBEDTLS_ENTROPY_FORCE_SHA256`

Signed-off-by: Minos Galanakis
---
 tests/scripts/components-configuration-crypto.sh | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 4714194565..dd8b49dcfa 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -2357,7 +2357,6 @@ component_test_ctr_drbg_aes_256_sha_256 () {
     msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
     scripts/config.py full
     scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
-    scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
     scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256
     CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
     make
@@ -2367,28 +2366,27 @@ component_test_ctr_drbg_aes_256_sha_256 () {
 }
 
 component_test_ctr_drbg_aes_128_sha_512 () {
-    msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
+    msg "build: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)"
     scripts/config.py full
     scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
-    scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
     CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
     make
 
-    msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
+    msg "test: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)"
     make test
 }
 
 component_test_ctr_drbg_aes_128_sha_256 () {
-    msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
+    msg "build: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
     scripts/config.py full
     scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
-    scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
-    scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
     scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256
     CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
     make
 
-    msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
+    msg "test: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
     make test
 }
 

From 906950d8dc353351759f12dc88d6a6add273dcc8 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Thu, 14 Aug 2025 15:59:53 +0100
Subject: [PATCH 2/7] config/depends.py: Removed legacy options.

Signed-off-by: Minos Galanakis
---
 scripts/config.py        | 2 --
 tests/scripts/depends.py | 2 --
 2 files changed, 4 deletions(-)

diff --git a/scripts/config.py b/scripts/config.py
index 750ff88c72..20555db846 100755
--- a/scripts/config.py
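Review bot: The four new `msg` strings in this hunk read `full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128`, while every other label in these components names the option alone (e.g. `full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256` in the same functions), so the word `set` reads as part of the option name and breaks grepping the log by option. Dropping it keeps the build and test labels consistent: `msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)"` and `msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)"` in component_test_ctr_drbg_aes_128_sha_512, and the same edit on the two longer labels in component_test_ctr_drbg_aes_128_sha_256.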
+++ b/scripts/config.py
@@ -76,12 +76,10 @@ EXCLUDE_FROM_FULL = frozenset([
     'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY
     'MBEDTLS_AES_USE_HARDWARE_ONLY', # hardware dependency
     'MBEDTLS_BLOCK_CIPHER_NO_DECRYPT', # incompatible with ECB in PSA, CBC/XTS/NIST_KW
-    'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
     'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
     'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
     'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS
     'MBEDTLS_ECP_WITH_MPI_UINT', # disables the default ECP and is experimental
-    'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY
     'MBEDTLS_HAVE_SSE2', # hardware dependency
     'MBEDTLS_MEMORY_BACKTRACE', # depends on MEMORY_BUFFER_ALLOC_C
     'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 513c6413a5..ae88abf1e2 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -316,11 +316,9 @@ REVERSE_DEPENDENCIES = {
                            'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
     'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
-                             'MBEDTLS_ENTROPY_FORCE_SHA256',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
     'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
-                             'MBEDTLS_ENTROPY_FORCE_SHA256',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
                              'MBEDTLS_LMS_C',

From a1e867981b0263d02876808160a2f1dd64b998f6 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Mon, 18 Aug 2025 10:31:31 +0100
Subject: [PATCH 3/7] ssl-opt.sh: Adjust dependency to MBEDTLS_PSA_CRYPTO_C

Signed-off-by: Minos Galanakis
---
 tests/ssl-opt.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d0278b123c..220e897f6f 100755
--- a/tests/ssl-opt.sh
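Review bot: The comment on the surviving entry three lines above the first removal, `'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY`, still justifies that exclusion from `full` by the very option this hunk deletes, so after the commit the reason for keeping it out of EXCLUDE_FROM_FULL cannot be checked against the file. Either the entry should follow the two removed ones out of the set, or its comment should name the live interaction — presumably with the RNG strength option that replaced the old one in the test components, e.g. `# interacts with MBEDTLS_PSA_CRYPTO_RNG_STRENGTH` — whichever is actually the case.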
+++ b/tests/ssl-opt.sh
@@ -484,7 +484,7 @@ detect_required_features() {
         *"programs/ssl/dtls_client "*|\
         *"programs/ssl/ssl_client1 "*)
             requires_config_enabled MBEDTLS_CTR_DRBG_C
-            requires_config_enabled MBEDTLS_ENTROPY_C
+            requires_config_enabled MBEDTLS_PSA_CRYPTO_C
             requires_config_enabled MBEDTLS_PEM_PARSE_C
             requires_config_enabled MBEDTLS_SSL_CLI_C
             requires_certificate_authentication
@@ -494,7 +494,7 @@ detect_required_features() {
         *"programs/ssl/ssl_pthread_server "*|\
         *"programs/ssl/ssl_server "*)
             requires_config_enabled MBEDTLS_CTR_DRBG_C
-            requires_config_enabled MBEDTLS_ENTROPY_C
+            requires_config_enabled MBEDTLS_PSA_CRYPTO_C
             requires_config_enabled MBEDTLS_PEM_PARSE_C
             requires_config_enabled MBEDTLS_SSL_SRV_C
             requires_certificate_authentication

From 1eda7487ae08a3a32a1e9f554071c6fbc74195ac Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Thu, 21 Aug 2025 15:57:15 +0100
Subject: [PATCH 4/7] Updated tf-psa-crypto pointer

Signed-off-by: Minos Galanakis
Signed-off-by: Ronald Cron
---
 tf-psa-crypto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf-psa-crypto b/tf-psa-crypto
index f0b51e354b..86060cd714 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit f0b51e354bb69071d3fab28650894287fac2348e
+Subproject commit 86060cd714013678ac6483b95c6b9585570b9273

From 8fc000ec2c1e3134293fbaa95cfa4ec003e872aa Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 25 Aug 2025 15:19:59 +0200
Subject: [PATCH 5/7] ssl-opt.sh: Fix MBEDTLS_ENTROPY_C dependency adjustment

Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 220e897f6f..140409c9cc 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -485,6 +485,7 @@ detect_required_features() {
         *"programs/ssl/ssl_client1 "*)
             requires_config_enabled MBEDTLS_CTR_DRBG_C
             requires_config_enabled MBEDTLS_PSA_CRYPTO_C
+            requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
             requires_config_enabled MBEDTLS_PEM_PARSE_C
             requires_config_enabled MBEDTLS_SSL_CLI_C
             requires_certificate_authentication
@@ -495,6 +496,7 @@ detect_required_features() {
         *"programs/ssl/ssl_server "*)
             requires_config_enabled MBEDTLS_CTR_DRBG_C
             requires_config_enabled MBEDTLS_PSA_CRYPTO_C
+            requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
             requires_config_enabled MBEDTLS_PEM_PARSE_C
             requires_config_enabled MBEDTLS_SSL_SRV_C
             requires_certificate_authentication

From aad5f1bedd09e29e45438135d57026bb3a78d2a5 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 25 Aug 2025 15:32:48 +0200
Subject: [PATCH 6/7] tests: Prepare to switch to SHA-256 as the default CTR_DRBG hash

Ensure that when we switch from SHA-512 to SHA-256 as the default CTR_DRBG hash, we still properly test CTR_DRBG with SHA-512.

Signed-off-by: Ronald Cron
---
 tests/scripts/components-configuration-crypto.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index dd8b49dcfa..17c235bb17 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
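Review bot: Both hunks add the same `requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` line to two case arms that already carry an identical requirement prefix (`MBEDTLS_CTR_DRBG_C`, `MBEDTLS_PSA_CRYPTO_C`, now the external-RNG exclusion, `MBEDTLS_PEM_PARSE_C`), so the rule "this program needs the built-in PSA RNG" has to be edited in lockstep in two places, which is exactly what this follow-up to the previous commit is doing. A small helper next to the other `requires_*` functions, e.g. `requires_builtin_psa_rng () { requires_config_enabled MBEDTLS_PSA_CRYPTO_C; requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG; }`, called from both arms would keep them in step. Whether `MBEDTLS_CTR_DRBG_C` is still the right extra requirement once these programs draw randomness through PSA is not visible here; if the built-in PSA RNG can be configured on a different DRBG, that line would skip tests that could run, so it is worth confirming. detect_required_features() starts and ends outside both hunks.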
@@ -2353,6 +2353,18 @@ component_test_block_cipher_no_decrypt_aesce_armcc () {
     not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
 }
 
+component_test_ctr_drbg_aes_256_sha_512 () {
+    msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 (ASan build)"
+    scripts/config.py full
+    scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512
+    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 (ASan build)"
+    make test
+}
+
 component_test_ctr_drbg_aes_256_sha_256 () {
     msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
     scripts/config.py full
@@ -2370,6 +2382,7 @@ component_test_ctr_drbg_aes_128_sha_512 () {
     scripts/config.py full
     scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
     scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512
     CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
     make
 

From a0b1c8c7fb46dc35a328eedf4a8fad823a16e00a Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 26 Aug 2025 09:15:18 +0200
Subject: [PATCH 7/7] build: Remove CTR_DRBG 128 bits key warnings

Signed-off-by: Ronald Cron
---
 CMakeLists.txt | 21 ---------------------
 Makefile       | 19 -------------------
 2 files changed, 40 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 162373182b..12ddc2738d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
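Review bot: With this hunk `component_test_ctr_drbg_aes_256_sha_512` is a line-for-line copy of `component_test_ctr_drbg_aes_256_sha_256` directly below it with only the hash argument changed, and the second hunk brings `component_test_ctr_drbg_aes_128_sha_512` to the same shape, so four components now share one body that differs only in the strength and hash they set and the labels they print. Pulling that body into a helper parameterised on those two values would make the strength/hash matrix explicit and keep each `msg` label derived from what is actually configured, which matters for a test whose stated purpose is to keep SHA-512 covered once the default changes. A sketch of the helper and one caller follows; the other three components reduce to similar one-line calls. The body of component_test_ctr_drbg_aes_128_sha_512 starts before the second hunk.
```shell
# Build the "full" config with the PSA RNG strength ($1, empty keeps the
# default) and RNG hash ($2) given, then run the test suite under ASan.
ctr_drbg_asan_build_and_test () {
    label="full"
    if [ -n "$1" ]; then
        label="$label + MBEDTLS_PSA_CRYPTO_RNG_STRENGTH $1"
    fi
    label="$label + MBEDTLS_PSA_CRYPTO_RNG_HASH $2"

    msg "build: $label (ASan build)"
    scripts/config.py full
    scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
    if [ -n "$1" ]; then
        scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH "$1"
    fi
    scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH "$2"
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: $label (ASan build)"
    make test
}

component_test_ctr_drbg_aes_256_sha_512 () {
    ctr_drbg_asan_build_and_test "" PSA_ALG_SHA_512
}

# … unchanged: component_test_ctr_drbg_aes_256_sha_256 and the two aes_128
# components become ctr_drbg_asan_build_and_test calls in the same way …
```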
@@ -100,17 +100,6 @@ option(USE_SHARED_MBEDTLS_LIBRARY "Build Mbed TLS shared library." OFF)
 option(LINK_WITH_PTHREAD "Explicitly link Mbed TLS library to pthread." OFF)
 option(LINK_WITH_TRUSTED_STORAGE "Explicitly link Mbed TLS library to trusted_storage." OFF)
 
-# Warning string - created as a list for compatibility with CMake 2.8
-set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
-set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n")
-set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n")
-
-set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
-    "${CTR_DRBG_128_BIT_KEY_WARN_L1}"
-    "${CTR_DRBG_128_BIT_KEY_WARN_L2}"
-    "${CTR_DRBG_128_BIT_KEY_WARN_L3}"
-    "${WARNING_BORDER}")
-
 # Python 3 is only needed here to check for configuration warnings.
 if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
     set(Python3_FIND_STRATEGY LOCATION)
@@ -124,16 +113,6 @@ else()
         set(MBEDTLS_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
     endif()
 endif()
-if(MBEDTLS_PYTHON_EXECUTABLE)
-
-    # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
-    execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/mbedtls_config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
-                    RESULT_VARIABLE result)
-    if(${result} EQUAL 0)
-        message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
-    endif()
-
-endif()
 
 # We now potentially need to link all executables against PThreads, if available
 set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
diff --git a/Makefile b/Makefile
index a580736602..6706143a24 100644
--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,6 @@ endif
 .PHONY: all no_test programs lib tests install uninstall clean test check lcov apidoc apidoc_clean
 
 all: programs tests
-	$(MAKE) post_build
 
 no_test: programs
 
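Review bot: The context line `# Python 3 is only needed here to check for configuration warnings.` that directly follows the removed block is left untrue by this commit: the only configuration-warning check in this file was the `execute_process` on `scripts/config.py` that the second hunk deletes, yet the Python lookup the comment introduces stays. If `MBEDTLS_PYTHON_EXECUTABLE` is still consumed further down or by subdirectories — likely, but not visible here — the comment should say so, e.g. `# Python 3 is needed by the scripts invoked from the subdirectories (MBEDTLS_PYTHON_EXECUTABLE).`; if nothing else reads it, the whole lookup is dead and should follow the warning out. `WARNING_BORDER`, which only the removed `set(CTR_DRBG_128_BIT_KEY_WARNING ...)` is seen consuming, is defined outside this hunk and may now be unused as well.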
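Review bot: The second CMakeLists.txt hunk, together with the Makefile hunks here and on the following line, drops the only build-time signal that a 128-bit CTR_DRBG key limits the security of the generated keys and of every operation that consumes the RNG's output to 128 bits, and nothing on this page re-creates that signal for the option that now expresses the same choice, `MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128` (set by the test components earlier in this series). If the tf-psa-crypto revision reached by the submodule bump emits an equivalent warning itself, the commit message should say so; otherwise the check is worth porting rather than deleting, with the `config.py get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY` probe replaced by one that inspects the value of the new option, since presence alone no longer identifies the reduced-strength configuration.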
@@ -146,24 +145,6 @@ uninstall:
 	done
 endif
 
-
-WARNING_BORDER_LONG =**********************************************************************************\n
-CTR_DRBG_128_BIT_KEY_WARN_L1=**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined! ****\n
-CTR_DRBG_128_BIT_KEY_WARN_L2=**** Using 128-bit keys for CTR_DRBG limits the security of generated ****\n
-CTR_DRBG_128_BIT_KEY_WARN_L3=**** keys and operations that use random values generated to 128-bit security ****\n
-
-CTR_DRBG_128_BIT_KEY_WARNING=\n$(WARNING_BORDER_LONG)$(CTR_DRBG_128_BIT_KEY_WARN_L1)$(CTR_DRBG_128_BIT_KEY_WARN_L2)$(CTR_DRBG_128_BIT_KEY_WARN_L3)$(WARNING_BORDER_LONG)
-
-# Post build steps
-post_build:
-ifndef WINDOWS
-
-	# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
-	-scripts/config.py get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
-		echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
-
-endif
-
 clean: clean_more_on_top
 	$(MAKE) -C library clean
 	$(MAKE) -C programs clean