Driver-only hashes: X.509

[mprse]

Description

Build X.509 with all hashes provided by drivers and no md.c.

Resolves: #6127
Resolves: #6136
Resolves: #6144

Test coverage:

*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Status

READY

Requires Backporting

NO

Migrations

NO

[mprse]

One component is now still failing:

test_psa_crypto_config_accel_hash

pem.c: In function 'pem_des_decrypt':
pem.c:268:17: error: implicit declaration of function 'pem_pbkdf1' [-Werror=implicit-function-declaration]
     if( ( ret = pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ) ) != 0 )

In this build we have defined the following symbols:

• MBEDTLS_MD_C
• MBEDTLS_PSA_CRYPTO_C
• PSA_WANT_ALG_MD5

But we don't have:

• MBEDTLS_MD5_C
• MBEDTLS_USE_PSA_CRYPTO

At the moment to have pem_pbkdf1() we need either MBEDTLS_MD5_C (legacy implementation) or alternatively MBEDTLS_USE_PSA_CRYPTO (psa implementation).

I have stuck with this and I'm wondering if test_psa_crypto_config_accel_hash is still needed? I see that @mpg added test_psa_crypto_config_accel_hash_use_psa component which make sense from my perspective. Here we are using drivers+psa-md5 so we can use psa version.

Alternatively we can set MBEDTLS_MD5_C in test_psa_crypto_config_accel_hash?
I need help here.

EDIT:
Further analysis.
Main question here is to define how this should be fixed. I see the following options:

• Remove this component as running driver build without PSA is not needed and next component is drivers with PSA.

• Use MBEDTLS_PSA_CRYPTO_C instead MBEDTLS_USE_PSA_CRYPTO in pem.c and x509write_crt.c.
  In this case we will be using PSA without MBEDTLS_USE_PSA_CRYPTO, so does this test component still make sense? (if this is explicit no PSA case and PSA is used anyway?)
  With these changes I'm able to build this component, but many tests from test_suite_x509parse and test_suite_x509write are failing. Probably similar change is required in other files since we have inconsistency (PSA vs no PSA) and if we move forward then MBEDTLS_USE_PSA_CRYPTO won't have any sense.

• Change macros in the legacy_or_psa.h so they relay on MBEDTLS_USE_PSA_CRYPTO instead MBEDTLS_PSA_CRYPTO_C.
  In this case this test component passes and outcome-analysis.sh also passes, but this breaks @mpg design, so probably it's not an option here.

cc @gilles-peskine-arm @AndrzejKurek

[gilles-peskine-arm]

The library is supposed to work when drivers are enabled and USE_PSA_CRYPTO is disabled. This means that explicit uses of the PSA API will call drivers (for some algorithm), but the X.509 and TLS code uses legacy crypto. There's nothing wrong with that. This component is useful.

At the moment to have pem_pbkdf1() we need either MBEDTLS_MD5_C (legacy implementation) or alternatively MBEDTLS_USE_PSA_CRYPTO (psa implementation).

In this build, MD5 is only available accelerated (PSA_WANT_ALG_MD5 is enabled and MBEDTLS_MD5_C is disabled) but MBEDTLS_USE_PSA_CRYPTO is disabled. So the build should not attempt to enable pem_pbkdf1.

[mprse]

This make sens, but if we use MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA in places of MBEDTLS_MD5_C and provide an implementation of the internal function pem_pbkdf1() based on PSA, to be used only when MBEDTLS_MD5_C is not available (#6144), then in this configuration pem_pbkdf1() should be available.

[mprse]

X.509 can be now build with all hashes provided by drivers and no md.c:

• component_test_psa_crypto_config_accel_hash_use_psa : PSA version of pem_pbkdf1()
• component_test_psa_crypto_config_accel_hash :pem_pbkdf1() not available
• default: MD version of pem_pbkdf1()
• full: MD version of pem_pbkdf1().

Test coverage:

*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

[AndrzejKurek]

Suggested change

	#include "legacy_or_psa.h"
	#if defined(MBEDTLS_USE_PSA_CRYPTO)
	#include "psa/crypto.h"
	#endif
	#include "legacy_or_psa.h"

[AndrzejKurek]

Suggested change

	#include "legacy_or_psa.h"
	#if defined(MBEDTLS_USE_PSA_CRYPTO)
	#include "psa/crypto.h"
	#endif
	#include "legacy_or_psa.h"

[gilles-peskine-arm]

The test framework automatically includes psa/crypto.h. It should probably include legacy_or_psa.h automatically as well.

[gilles-peskine-arm]

Also, legacy_or_psa.h should include psa/crypto.h. Right now, including legacy_or_psa.h doesn't work if psa/crypto.h hasn't already been included.

[mprse]

I think it is good idea to include psa/crypto.h in legacy_or_psa.h.

[AndrzejKurek]

Suggested change

	#include "legacy_or_psa.h"
	#if defined(MBEDTLS_USE_PSA_CRYPTO)
	#include "psa/crypto.h"
	#endif
	#include "legacy_or_psa.h"

[AndrzejKurek]

Suggested change

	#include "legacy_or_psa.h"
	#if defined(MBEDTLS_USE_PSA_CRYPTO)
	#include "psa/crypto.h"
	#endif
	#include "legacy_or_psa.h"

[AndrzejKurek]

Is this needed? Since PEM_RFC1421 is defined MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA has to be defined.
So either we have MD5_C and the case above happens, or we don't, but MBEDTLS_USE_PSA_CRYPTO has to be on. Am I missing something?

[mprse]

Yes, it can be removed.

[AndrzejKurek]

Suggested change

	#if defined(PEM_RFC1421 )
	#if defined( PEM_RFC1421 )

[gilles-peskine-arm]

Actually, no. We put spaces inside parentheses except for defined and casts. Don't ask me why.

[AndrzejKurek]

Right, the other way around :D

[AndrzejKurek]

Suggested change

	#if defined(PEM_RFC1421 )
	#if defined( PEM_RFC1421 )

[AndrzejKurek]

Suggested change

	#if defined(PEM_RFC1421 )
	#if defined( PEM_RFC1421 )

[AndrzejKurek]

Suggested change

	#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA */
	#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */

[AndrzejKurek]

Why are some SHA's guarded by LOWLEVEL_OR_PSA, and others by VIA_MD_OR_PSA? Shouldn't this be uniform?

[mprse]

Hmm. I don't know why it is like this. I agree that it should be LOWLEVEL_OR_PSA everywhere.

[AndrzejKurek]

It seems to me that x509_CREATE_C does not really depend on MD - you probably meant MBEDTLS_X509_CRT_WRITE_C (but please make sure). Also, the description for MBEDTLS_X509_CRT_WRITE_C should end with

Suggested change

	* before doing any PKCS#1 v2.1 operation.
	* before doing any x509 write operation.

[AndrzejKurek]

Minor: This data would in my opinion fall into the VIA_LOWLEVEL_OR_PSA category, but x509 will be defined only with MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_MD_C, so that's not a problem.

[mprse]

I think MD type refers to MD layer.

[AndrzejKurek]

I know, what I mean is that the strings below are just metadata, and could be useful without the MBEDTLS_MD_C module, so instead of using, for example MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA, MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA could be used here, but the x509 module itself requires either MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_MD_C, so it doesn't make a difference - this code will not be used without MBEDTLS_MD_C and without MBEDTLS_PSA_CRYPTO_C.

[AndrzejKurek]

Why MBEDTLS_CMAC_C? It seems that this is a new dependency.

[mprse]

There was function level dependency to MBEDTLS_CIPHER_MODE_CBC and now it is only for CBC cases (below). But without MBEDTLS_CIPHER_MODE_CBC this test was executed and was failing. While debugging I decided to add MBEDTLS_CMAC_C as it was more suitable.

[gilles-peskine-arm]

This doesn't make sense: why a dependency on a completely unrelated algorithm? PEM doesn't use CMAC directly or indirectly. Maybe a dependency is missing but CMAC can't be right. Looking at the code, I think there's a missing dependency on MBEDTLS_AES_C (or more precisely MBEDTLS_DEC_C || MBEDTLS_AES_C, but we don't really care about DES-only configurations), because without that the PEM module doesn't even try to parse encryption.

[mprse]

Will check again.

[mprse]

Removed this dependency and checked locally default, full, test_psa_crypto_config_accel_hash_use_psa, test_psa_crypto_config_accel_hash configurations and everything is ok. I also can't find related CI failure in the history as it doesn't go that far.
In this case I will remove this and let's see what CI says.

[mprse]

Yup, CI has failed now. The following component:

^^^^test_when_no_ciphersuites_have_mac: test: !MBEDTLS_SSL_SOME_MODES_USE_MAC: make test -> 2^^^^


PEM read (unknown encryption algorithm) ........................... FAILED
  ret == res
  at line 51, suites/test_suite_pem.function

From the component:
    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
    scripts/config.py unset MBEDTLS_CMAC_C

[gilles-peskine-arm]

The dependency is on MBEDTLS_CIPHER_MODE_CBC (you can confirm by doing a build with default config minus MBEDTLS_CIPHER_MODE_CBC). The test case only fails because mbedtls_pem_read_buffer returns a different error (MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE).

To be very precise in the tests, we should duplicate the test cases for this function and make them expect MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE when the encryption mechanism isn't supported. As a quick fix, we can make the test case depend on MBEDTLS_CIPHER_MODE_CBC. (It actually depends on more than that, but there are many missing dependencies on cipher features throughout the test suites and fixing them is out of scope here.)

[mprse]

Thanks for clarification. I have modified the last commit and changed dependency from MBEDTLS_CMAC_C to MBEDTLS_CIPHER_MODE_CBC.

[gilles-peskine-arm]

By the way, #1892 tracks the lack of test builds with variations on supported cipher features. No point in fixing preexisting individual cases until we have a way to test.

[mprse]

@superna9999 @AndrzejKurek Sorry guys. One more change was required (modified the last commit).

[AndrzejKurek]

This test case will still fail with default configuration and the following changes:

./scripts/config.pl unset MBEDTLS_DES_C
./scripts/config.pl unset MBEDTLS_AES_C
./scripts/config.pl unset MBEDTLS_NIST_KW_C
./scripts/config.pl unset MBEDTLS_CMAC_C
./scripts/config.pl unset MBEDTLS_CTR_DRBG_C
./scripts/config.pl unset MBEDTLS_CMAC_C

due to the lack of AES_C and DES_C.
The test case has to reflect the same requirements as PEM_RFC1421.

[AndrzejKurek]

After speaking personnaly to @mprse and reqding @gilles-peskine-arm comment about not being so precise about the defines - I can approve the simplified dependency here.

[mprse]

Can we merge this one? CI is green and PR was already approved by @superna9999 , but it seems he is out of office today.
I only modified one dependency in the test as requested by @gilles-peskine-arm since @superna9999 review.
This one is blocking #6208.

[mprse]

@superna9999 Can you review this one, so we can merge it.