PEM: always use MD light
Note: PEM_PARSE already auto-enables MD_LIGHT in build_info.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 87181a6..f460e0d 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -2775,6 +2775,10 @@
* library/x509_csr.c
*
* Requires: MBEDTLS_BASE64_C
+ * optionally MBEDTLS_MD5_C, or PSA Crypto with MD5 (see below)
+ *
+ * \warning When parsing password-protected files, if MD5 is provided only by
+ * a PSA driver, you must call psa_crypto_init() before the first file.
*
* This modules adds support for decoding / parsing PEM files.
*/
diff --git a/library/pem.c b/library/pem.c
index 84bbb3d..264c2e4 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -39,13 +39,6 @@
#include "psa/crypto.h"
#endif
-#if !defined(MBEDTLS_MD5_C)
-#include "mbedtls/psa_util.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_md_errors, \
- psa_generic_status_to_mbedtls)
-#endif
-
#include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
@@ -94,7 +87,6 @@
return 0;
}
-#if defined(MBEDTLS_MD5_C)
static int pem_pbkdf1(unsigned char *key, size_t keylen,
unsigned char *iv,
const unsigned char *pwd, size_t pwdlen)
@@ -168,91 +160,6 @@
return ret;
}
-#else
-static int pem_pbkdf1(unsigned char *key, size_t keylen,
- unsigned char *iv,
- const unsigned char *pwd, size_t pwdlen)
-{
- unsigned char md5sum[16];
- psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
- size_t output_length = 0;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
-
- if ((status = psa_hash_setup(&operation, PSA_ALG_MD5)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_update(&operation, pwd, pwdlen)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_update(&operation, iv, 8)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_finish(&operation, md5sum,
- PSA_HASH_LENGTH(PSA_ALG_MD5),
- &output_length)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_abort(&operation)) != PSA_SUCCESS) {
- goto exit;
- }
-
- /*
- * key[ 0..15] = MD5(pwd || IV)
- */
- if (keylen <= 16) {
- memcpy(key, md5sum, keylen);
- goto exit;
- }
-
- memcpy(key, md5sum, 16);
-
- /*
- * key[16..23] = MD5(key[ 0..15] || pwd || IV])
- */
- if ((status = psa_hash_setup(&operation, PSA_ALG_MD5)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_update(&operation, md5sum, 16)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_update(&operation, pwd, pwdlen)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_update(&operation, iv, 8)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_finish(&operation, md5sum,
- PSA_HASH_LENGTH(PSA_ALG_MD5),
- &output_length)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if ((status = psa_hash_abort(&operation)) != PSA_SUCCESS) {
- goto exit;
- }
-
- size_t use_len = 16;
- if (keylen < 32) {
- use_len = keylen - 16;
- }
-
- memcpy(key + 16, md5sum, use_len);
-
-exit:
- mbedtls_platform_zeroize(md5sum, 16);
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-#endif /* MBEDTLS_MD5_C */
#if defined(MBEDTLS_DES_C)
/*
diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function
index 25b66f8..9546614 100644
--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function
@@ -44,6 +44,8 @@
size_t pwd_len = strlen(pwd);
const unsigned char *buf;
+ MD_PSA_INIT();
+
mbedtls_pem_init(&ctx);
ret = mbedtls_pem_read_buffer(&ctx, header, footer, (unsigned char *) data,
@@ -60,5 +62,6 @@
exit:
mbedtls_pem_free(&ctx);
+ MD_PSA_DONE();
}
/* END_CASE */