-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adjust_legacy_crypto: enable CIPHER_C when PSA CMAC is builtin #9178
adjust_legacy_crypto: enable CIPHER_C when PSA CMAC is builtin #9178
Conversation
psa_crypto_mac.c uses mbedtls_cipher_xxx() functions to perform CMAC operations. Therefore we need to enable CIPHER_C when PSA CMAC is builtin. Signed-off-by: Valerio Setti <[email protected]>
Just curious: Does the presence of this bug indicate a gap in our test coverage? Why would we not have seen CI failures from this before? |
Yes, I think so. I can investigate |
Ok, let's say that you want to build the crypto library (no tests or programs) using only the
and then there's the
Build just the crypto library with:
The last command will give you failures from
Whereas, if you apply the fix, the build succeeds. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM apart from the missing changelog entry
@@ -48,7 +48,8 @@ | |||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \ | |||
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ | |||
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \ | |||
defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)) | |||
defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \ | |||
defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)) | |||
#define MBEDTLS_CIPHER_C | |||
#endif | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious: Does the presence of this bug indicate a gap in our test coverage? Why would we not have seen CI failures from this before?
Yes, I think so. I can investigate all.sh and see if I can add some new component that re-creates the issue I was facing in Zephyr.
The bug is that, with MBEDTLS_PSA_CRYPTO_CONFIG
enabled, if you request CMAC but no unauthenticated cipher, the build fails. The failure is easy to work around and not dangerous.
I personally don't think this requires a non-regression test. It's low-risk and impacts few configurations. It's likely to end up being tested in 4.0 once we adapt depends.py
, and it's unlikely to re-break in 3.6 LTS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the explaination @gilles-peskine-arm. In this case I would agree that we don't need a non-regression test. Also thanks @valeriosetti for digging into it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changelog entry isn't quite right.
Signed-off-by: Valerio Setti <[email protected]>
897ab81
to
7e2ce99
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - thanks!
psa_crypto_mac.c uses mbedtls_cipher_xxx() functions to perform CMAC operations. Therefore we need to enable CIPHER_C when PSA CMAC is builtin.
Resolves #9209
PR checklist