Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

`mbedtls_config.h` misses `MBEDTLS_ASN1_PARSE_C` and `MBEDTLS_ASN1_WRITE_C` dependencies for `MBEDTLS_RSA_C` #9312

Open dimakuv opened 3 days ago

dimakuv commented 3 days ago

Summary

In Gramine, we use a minimal configuration of mbedTLS: https://github.com/gramineproject/gramine/blob/master/subprojects/packagefiles/mbedtls/include/mbedtls/config-pal.h

When building mbedTLS v3.6.0 with this configuration, I got errors like this:

rsa.c:301:16: error: call to undeclared function 'mbedtls_asn1_write_mpi'; ISO C99 and later do not support implicit function
declarations [-Wimplicit-function-declaration]
  301 |         (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
      |                ^
rsa.c:362:31: error: call to undeclared function 'mbedtls_asn1_write_int'; ISO C99 and later do not support implicit function
declarations [-Wimplicit-function-declaration]
  362 |     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0));
      |                               ^
... and so on ...

Apparently these build errors happen because our minimal config misses these two dependencies:

Indeed, I observe that rsa.c uses those functions that are hidden behind checks like this:

#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)

Our particular config doesn't use X.509 certificates and doesn't use PSA ECDSA. So our config is supposed to include MBEDTLS_ASN1_PARSE_C. (Similar story for MBEDTLS_ASN1_WRITE_C.)

Here are the relevant code snippets for more context:

System information

Mbed TLS version (number or commit id): v3.6.0, but same is observed on development
Operating system and version: Ubuntu 24.04, Linux v6.8 (should be irrelevant)
Configuration (if not default, please attach mbedtls_config.h): https://github.com/gramineproject/gramine/blob/a11ae6ad21844bad9725d165137fe6e346d33218/subprojects/packagefiles/mbedtls/include/mbedtls/config-pal.h
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): Ubuntu clang version 18.1.3
Additional environment information:

Expected behavior

https://github.com/Mbed-TLS/mbedtls/blob/v3.6.0/include/mbedtls/mbedtls_config.h#L3280 must contain something like this:

 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C

Actual behavior

https://github.com/Mbed-TLS/mbedtls/blob/v3.6.0/include/mbedtls/mbedtls_config.h#L3280 contains this:

 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
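The check a practitioner would want before building with a minimal config, as an added example that is not part of this report or of Mbed TLS: a small Python linter that reads the `#define MBEDTLS_*` lines of a config header and reports enabled options whose prerequisites are missing. The dependency table encodes the `Requires:` line this report expects for `MBEDTLS_RSA_C` and is an assumption to verify against your Mbed TLS version; the sample config is constructed, not Gramine's real `config-pal.h`.

```python
import re

# Dependency table taken from the "Expected behavior" of this report (assumption:
# check it against the Mbed TLS version you build). Only the RSA entry is listed
# because that is the one the report documents.
REQUIRES = {
    "MBEDTLS_RSA_C": ["MBEDTLS_ASN1_PARSE_C", "MBEDTLS_ASN1_WRITE_C",
                      "MBEDTLS_BIGNUM_C", "MBEDTLS_OID_C"],
}

# Matches an active '#define MBEDTLS_X' at the start of a line. Options disabled
# in the Mbed TLS style ('//#define MBEDTLS_X') do not match because the '#'
# must be the first non-blank character on the line.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(MBEDTLS_[A-Z0-9_]+)\b", re.MULTILINE)


def enabled_options(config_text):
    """Return the set of MBEDTLS_* macros defined in a config header."""
    return set(DEFINE_RE.findall(config_text))


def missing_dependencies(config_text, requires=REQUIRES):
    """Map each enabled option to the prerequisites it lacks (empty dict if OK)."""
    enabled = enabled_options(config_text)
    problems = {}
    for option, deps in requires.items():
        if option in enabled:
            missing = [d for d in deps if d not in enabled]
            if missing:
                problems[option] = missing
    return problems


# Constructed stand-in for a minimal config like the one in the report:
# RSA is enabled, BIGNUM and OID are present, the ASN.1 modules are not.
SAMPLE_CONFIG = """\
#ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_OID_C
#define MBEDTLS_RSA_C
//#define MBEDTLS_ASN1_PARSE_C
#endif
"""

if __name__ == "__main__":
    for option, missing in missing_dependencies(SAMPLE_CONFIG).items():
        print(f"{option} is enabled but requires: {', '.join(missing)}")
```

Running the linter on the sample config reports that `MBEDTLS_RSA_C` lacks `MBEDTLS_ASN1_PARSE_C` and `MBEDTLS_ASN1_WRITE_C`, which is exactly the pair whose absence produced the implicit-declaration errors above.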