mbedtls
mbedtls copied to clipboard
Mbed-TLS
Build errors in TLS 1.2 PSK-only builds
Build the library with X.509 enabled, but without any TLS cipher suite that uses certificates. The build fails.
Observed on mbedtls-3.6.1 and development from today. The problems must have been around for a while, possibly at least partly even before the TLS 1.3 work.
I discovered this when I tried building the library with a single key exchange type, for each TLS 1.2 key exchange type (with TLS 1.3 disabled). Some of the builds failed. Note that this is different from what depends.py pkalgs does: it keeps all TLS 1.3 key exchanges enabled.
Detailed steps to reproduce
Here's a configuration that reproduces the problem:
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
(Or mbedtls-prepare-build -d build-notlssig-debug -p full-debug --config-unset=MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED --config-unset=MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_PSK_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_RSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
This enables all TLS 1.2 and TLS 1.3 key exchanges that don't allow the use of a certificate. Note that RSA and RSA-PSK are not included because they allow a client certificate.
There are two problems, both related to inconsistencies in how we gate function definitions by key exchange types.
- Spurious code gets included in
libmbedtls, causing a link failure./usr/bin/ld: library/libmbedtls.a(ssl_tls12_server.o): in function `ssl_pick_cert': build-notlssig-debug/source/library/ssl_tls12_server.c:758: undefined reference to `mbedtls_ssl_check_cert_usage' collect2: error: ld returned 1 exit status - An unused function in the SSL test programs:
CC source/programs/ssl/ssl_server2.c In file included from source/programs/ssl/ssl_server2.c:713: source/programs/ssl/ssl_test_common_source.c:322:12: error: ‘x509_crt_verify_info’ defined but not used [-Werror=unused-function] 322 | static int x509_crt_verify_info(char *buf, size_t size, const char *prefix, | ^~~~~~~~~~~~~~~~~~~~
Actions
- Adapt
depends.pyso that it reproduces the problem. I think when enumerating TLS 1.2 key exchanges, it should disable TLS 1.3. - Fix the inconsistencies.
