Make RSA_ALT support optionnal

2025-10-30 03:00:21 -04:00 · 2015-03-31 14:01:33 +02:00 · 2015-03-31 14:01:33 +02:00 · 348bcb3694
commit 348bcb3694
parent 32076e66be
7 changed files with 29 additions and 2 deletions
--- a/3
+++ b/3
@ -46,6 +46,9 @@ Default behavior changes
   * Support for receiving SSLv2 ClientHello is now disabled by default at
     compile time.
   * The default authmode for SSL/TLS clients is now REQUIRED.
+   * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
+     enabled in the default configuration, this is only noticeable if using a
+     custom config.h

 Changes
   * Remove test program o_p_test, the script compat.sh does more.
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -768,6 +768,15 @@
 */
 //#define POLARSSL_MEMORY_BACKTRACE

+/**
+ * \def POLARSSL_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define POLARSSL_PK_RSA_ALT_SUPPORT
+
 /**
 * \def POLARSSL_PKCS1_V15
 *
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@ -197,6 +197,7 @@ typedef struct
    void *              pk_ctx;     /**< Underlying public key context  */
 } pk_context;

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 /**
 * \brief           Types for RSA-alt abstraction
 */
@ -208,6 +209,7 @@ typedef int (*pk_rsa_alt_sign_func)( void *ctx,
                    int mode, md_type_t md_alg, unsigned int hashlen,
                    const unsigned char *hash, unsigned char *sig );
 typedef size_t (*pk_rsa_alt_key_len_func)( void *ctx );
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */

 /**
 * \brief           Return information associated with the given PK type
@ -244,6 +246,7 @@ void pk_free( pk_context *ctx );
 */
 int pk_init_ctx( pk_context *ctx, const pk_info_t *info );

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 /**
 * \brief           Initialize an RSA-alt context
 *
@ -262,6 +265,7 @@ int pk_init_ctx_rsa_alt( pk_context *ctx, void * key,
                         pk_rsa_alt_decrypt_func decrypt_func,
                         pk_rsa_alt_sign_func sign_func,
                         pk_rsa_alt_key_len_func key_len_func );
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */

 /**
 * \brief           Get the size in bits of the underlying key
--- a/include/mbedtls/pk_wrap.h
+++ b/include/mbedtls/pk_wrap.h
@ -33,6 +33,7 @@

 #include "pk.h"

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 /* Container for RSA-alt */
 typedef struct
 {
@ -41,6 +42,7 @@ typedef struct
    pk_rsa_alt_sign_func sign_func;
    pk_rsa_alt_key_len_func key_len_func;
 } rsa_alt_context;
+#endif

 #if defined(POLARSSL_RSA_C)
 extern const pk_info_t rsa_info;
@ -55,6 +57,8 @@ extern const pk_info_t eckeydh_info;
 extern const pk_info_t ecdsa_info;
 #endif

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 extern const pk_info_t rsa_alt_info;
+#endif

 #endif /* POLARSSL_PK_WRAP_H */
--- a/library/pk.c
+++ b/library/pk.c
@ -112,6 +112,7 @@ int pk_init_ctx( pk_context *ctx, const pk_info_t *info )
    return( 0 );
 }

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 /*
 * Initialize an RSA-alt context
 */
@ -140,6 +141,7 @@ int pk_init_ctx_rsa_alt( pk_context *ctx, void * key,

    return( 0 );
 }
+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */

 /*
 * Tell if a PK can do the operations of the given type
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@ -50,10 +50,12 @@
 #define polarssl_free       free
 #endif

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 /* Implementation that should never be optimized out by the compiler */
 static void polarssl_zeroize( void *v, size_t n ) {
    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
 }
+#endif

 #if defined(POLARSSL_RSA_C)
 static int rsa_can_do( pk_type_t type )
@ -377,6 +379,7 @@ const pk_info_t ecdsa_info = {
 };
 #endif /* POLARSSL_ECDSA_C */

+#if defined(POLARSSL_PK_RSA_ALT_SUPPORT)
 /*
 * Support for alternative RSA-private implementations
 */
@ -488,4 +491,6 @@ const pk_info_t rsa_alt_info = {
    NULL,
 };

+#endif /* POLARSSL_PK_RSA_ALT_SUPPORT */
+
 #endif /* POLARSSL_PK_C */
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@ -98,7 +98,7 @@ void pk_check_pair( char *pub_file, char *prv_file, int ret )

    TEST_ASSERT( pk_check_pair( &pub, &prv ) == ret );

-#if defined(POLARSSL_RSA_C)
+#if defined(POLARSSL_RSA_C) && defined(POLARSSL_PK_RSA_ALT_SUPPORT)
    if( pk_get_type( &prv ) == POLARSSL_PK_RSA )
    {
        TEST_ASSERT( pk_init_ctx_rsa_alt( &alt, pk_rsa( prv ),
@ -414,7 +414,7 @@ exit:
 }
 /* END_CASE */

-/* BEGIN_CASE depends_on:POLARSSL_RSA_C */
+/* BEGIN_CASE depends_on:POLARSSL_RSA_C:POLARSSL_PK_RSA_ALT_SUPPORT */
 void pk_rsa_alt( )
 {
    /*