commit eabeb30c65d5f31856af46100ffe4c9fc2bd843b
author Andrzej Kurek <andrzej.kurek@arm.com> Mon Oct 17 07:52:51 2022 -0400
committer Andrzej Kurek <andrzej.kurek@arm.com> Wed Oct 19 08:35:09 2022 -0400
tree cf874188fd62fe535eff7e65bbc13683dbf52d17
parent 228b12ce54cbe9994fb255bb176869510aec4db3

Fix SHA512 vs SHA384 dependencies

When building SHA512 without SHA384,
there are some code paths that resulted
in unused variables or usage of undefined code.
This commit fixes that.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>

library/ssl_cookie.c

diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 190c0f0..3f9bf87 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -38,8 +38,8 @@
 #include <string.h>
 
 /*
- * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
- * available. Try SHA-256 first, 512 wastes resources
+ * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-384 is
+ * available. Try SHA-256 first, 384 wastes resources
  */
 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA)
 #define COOKIE_MD           MBEDTLS_MD_SHA224

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index eee0dad..4678f53 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -604,6 +604,12 @@
     mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len );
 #endif
 #endif
+#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ssl;
+    (void) buf;
+    (void) len;
+#endif
 }
 
 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
@@ -5165,6 +5171,10 @@
         goto exit;
 
 exit:
+#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ssl;
+#endif
     return( psa_ssl_status_to_mbedtls( status ) );
 }
 #else /* MBEDTLS_USE_PSA_CRYPTO */
@@ -5437,6 +5447,8 @@
     return( PSA_SUCCESS );
 }
 
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
+    defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_generic( mbedtls_md_type_t md_type,
                             const unsigned char *secret, size_t slen,
@@ -5511,7 +5523,7 @@
 
     return( 0 );
 }
-
+#endif
 #else /* MBEDTLS_USE_PSA_CRYPTO */
 
 MBEDTLS_CHECK_RETURN_CRITICAL
@@ -5917,7 +5929,10 @@
         default:
             return( -1 );
     }
-
+#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ssl;
+#endif
     return( 0 );
 }
 
@@ -7436,8 +7451,6 @@
  * Helper to get TLS 1.2 PRF from ciphersuite
  * (Duplicates bits of logic from ssl_set_handshake_prfs().)
  */
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
-    defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
 {
     const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
@@ -7457,10 +7470,9 @@
     !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
     (void) ciphersuite_info;
 #endif
+
     return( NULL );
 }
-#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA ||
-          MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
 
 static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )

programs/fuzz/fuzz_dtlsserver.c

diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index 1aa757c..17caab2 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -11,12 +11,14 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/timing.h"
 #include "mbedtls/ssl_cookie.h"
-
+#include "mbedtls/legacy_or_psa.h"
 
 #if defined(MBEDTLS_SSL_SRV_C) && \
     defined(MBEDTLS_ENTROPY_C) && \
     defined(MBEDTLS_CTR_DRBG_C) && \
-    defined(MBEDTLS_TIMING_C)
+    defined(MBEDTLS_TIMING_C) && \
+        ( defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
+          defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) )
 const char *pers = "fuzz_dtlsserver";
 const unsigned char client_ip[4] = {0x7F, 0, 0, 1};
 static int initialized = 0;
@@ -32,7 +34,9 @@
     defined(MBEDTLS_SSL_SRV_C) && \
     defined(MBEDTLS_ENTROPY_C) && \
     defined(MBEDTLS_CTR_DRBG_C) && \
-    defined(MBEDTLS_TIMING_C)
+    defined(MBEDTLS_TIMING_C) && \
+    ( defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
+      defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) )
     int ret;
     size_t len;
     mbedtls_ssl_context ssl;

tests/scripts/depends.py

diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 2d7750f..409d144 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -243,6 +243,7 @@
 EXCLUSIVE_GROUPS = {
     'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'],
     'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'],
+    'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C'],
     'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C',
                                         '!MBEDTLS_ECDSA_DETERMINISTIC',
                                         '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',