avs_commons 5.4.6

Improvements

* devconfig script now additionally sets `-Werror=implicit-function-declaration`
  flag to ensure that missing function declarations are treated as error

Bugfixes

* Fixed default implementation of avs_condvar_create for pthreads
  in case pthread_condattr APIs are not available
* Fixed compilation warnings when building against Mbed TLS 3.6
* Added missing call to `psa_crypto_init()` if `MBEDTLS_USE_PSA_CRYPTO` is not
  defined, but `MBEDTLS_PSA_CRYPTO_C` is.
* Fixed DANE implementation to be compatible with TLS 1.3 implementation in Mbed
  TLS which ignores the authmode setting.
* Added a workaround to mimic `MBEDTLS_SSL_VERIFY_NONE` authmode when using
  TLS 1.3.
* Fixed a corner case with uninitialized variable in mbedtls_socket layer.

Author: Kucmasz

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## avs_commons 5.4.6 (Oct 24th, 2024)
+
+### Improvements
+
+* devconfig script now additionally sets `-Werror=implicit-function-declaration`
+  flag to ensure that missing function declarations are treated as error
+
+### Bugfixes
+
+* Fixed default implementation of avs_condvar_create for pthreads
+  in case pthread_condattr APIs are not available
+* Fixed compilation warnings when building against Mbed TLS 3.6
+* Added missing call to `psa_crypto_init()` if `MBEDTLS_USE_PSA_CRYPTO` is not
+  defined, but `MBEDTLS_PSA_CRYPTO_C` is.
+* Fixed DANE implementation to be compatible with TLS 1.3 implementation in Mbed
+  TLS which ignores the authmode setting.
+* Added a workaround to mimic `MBEDTLS_SSL_VERIFY_NONE` authmode when using
+  TLS 1.3.
+* Fixed a corner case with uninitialized variable in mbedtls_socket layer.
+
 ## avs_commons 5.4.5 (May 28th, 2024)
 
 ### Improvements

CMakeLists.txt

@@ -17,7 +17,7 @@
 cmake_minimum_required(VERSION 3.6.0)
 project(avs_commons C)
 
-set(AVS_COMMONS_VERSION "5.4.5")
+set(AVS_COMMONS_VERSION "5.4.6")
 
 ################# DISTRIBUTION #################################################
 

devconfig

@@ -32,7 +32,7 @@ cmake -D WITH_EXTRA_WARNINGS=ON \
       -D WITH_TEST=ON \
       -D WITH_AVS_CRYPTO_ADVANCED_FEATURES=ON \
       -D WITH_VALGRIND=ON \
-      -D CMAKE_C_FLAGS=-g \
+      -D CMAKE_C_FLAGS="-g -Werror=implicit-function-declaration" \
       -D CMAKE_INSTALL_PREFIX:PATH=/tmp \
       "${EXTRA_FLAGS[@]}" \
       "$@" -H"$(dirname "$0")" -B. &&

src/compat/threading/pthread/avs_pthread_condvar.c

@@ -62,9 +62,11 @@ int avs_condvar_create(avs_condvar_t **out_condvar) {
     if (!result) {
         result = pthread_cond_init(&(*out_condvar)->pthread_cond, attr_ptr);
     }
+#    ifdef USE_CLOCK_MONOTONIC
     if (attr_ptr) {
         pthread_condattr_destroy(attr_ptr);
     }
+#    endif // USE_CLOCK_MONOTONIC
     if (result) {
         avs_free(*out_condvar);
         *out_condvar = NULL;

src/crypto/mbedtls/avs_mbedtls_global.c

@@ -29,11 +29,11 @@
 #    include "../avs_crypto_global.h"
 
 #    include <mbedtls/version.h>
-#    if defined(MBEDTLS_USE_PSA_CRYPTO) \
+#    if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C) \
             || defined(AVS_COMMONS_WITH_MBEDTLS_PSA_RNG)
 #        include <psa/crypto.h>
-#    endif // defined(MBEDTLS_USE_PSA_CRYPTO) ||
-           // defined(AVS_COMMONS_WITH_MBEDTLS_PSA_RNG)
+#    endif // defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
+           // || defined(AVS_COMMONS_WITH_MBEDTLS_PSA_RNG)
 
 #    define MODULE_NAME avs_crypto_global
 #    include <avs_x_log_config.h>
@@ -42,7 +42,7 @@ VISIBILITY_SOURCE_BEGIN
 
 avs_error_t _avs_crypto_initialize_global_state() {
     avs_error_t err = AVS_OK;
-#    if defined(MBEDTLS_USE_PSA_CRYPTO) \
+#    if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C) \
             || defined(AVS_COMMONS_WITH_MBEDTLS_PSA_RNG)
     // NOTE: When MBEDTLS_USE_PSA_CRYPTO is enabled, psa_crypto_init() is
     // required even when only using the regular Mbed TLS API. Also, even when
@@ -53,8 +53,8 @@ avs_error_t _avs_crypto_initialize_global_state() {
         LOG(ERROR, _("psa_crypto_init() failed: ") "%" PRId32, status);
         return avs_errno(AVS_EPROTO);
     }
-#    endif // defined(MBEDTLS_USE_PSA_CRYPTO) ||
-           // defined(AVS_COMMONS_WITH_MBEDTLS_PSA_RNG)
+#    endif // defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
+           // || defined(AVS_COMMONS_WITH_MBEDTLS_PSA_RNG)
 #    if defined(AVS_COMMONS_WITH_AVS_CRYPTO_PKI_ENGINE) \
             || defined(AVS_COMMONS_WITH_AVS_CRYPTO_PSK_ENGINE)
     err = _avs_crypto_mbedtls_engine_initialize_global_state();

src/crypto/mbedtls/avs_mbedtls_private.h

@@ -151,7 +151,7 @@ _avs_crypto_mbedtls_cipher_info_from_ciphersuite(
 
 static inline mbedtls_cipher_mode_t
 _avs_crypto_mbedtls_cipher_info_get_mode(const mbedtls_cipher_info_t *cipher) {
-    return cipher->MBEDTLS_PRIVATE(mode);
+    return (mbedtls_cipher_mode_t) cipher->MBEDTLS_PRIVATE(mode);
 }
 
 static inline unsigned int
@@ -166,6 +166,44 @@ static inline int mbedtls_ssl_is_handshake_over(mbedtls_ssl_context *ssl) {
 }
 #    endif // MBEDTLS_VERSION_NUMBER < 0x03020000
 
+#    if defined(AVS_COMMONS_WITH_AVS_NET) \
+            && MBEDTLS_VERSION_NUMBER >= 0x03060000
+// since Mbed TLS 3.6.0 mbedtls_ssl_ciphersuite_uses_psk and
+// mbedtls_ssl_ciphersuite_uses_srv_cert has been moved to internal functions
+
+#        if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+static inline int
+mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *ciphersuite) {
+    switch (ciphersuite->MBEDTLS_PRIVATE(key_exchange)) {
+    case MBEDTLS_KEY_EXCHANGE_PSK:
+    case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+    case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+    case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        return 1;
+    default:
+        return 0;
+    }
+}
+#        endif // defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+
+static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(
+        const mbedtls_ssl_ciphersuite_t *ciphersuite) {
+    switch (ciphersuite->MBEDTLS_PRIVATE(key_exchange)) {
+    case MBEDTLS_KEY_EXCHANGE_RSA:
+    case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+    case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+    case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+    case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+    case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+    case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        return 1;
+    default:
+        return 0;
+    }
+}
+#    endif // defined(AVS_COMMONS_WITH_AVS_NET) && MBEDTLS_VERSION_NUMBER >=
+           // 0x03060000
+
 #    ifndef MBEDTLS_SSL_SRV_C
 // HACK: We (ab)use mbedtls_ssl_conf_session_cache() in avs_net to detect
 // whether a (D)TLS session has been resumed or a new one has been created.
@@ -205,7 +243,7 @@ mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
         && defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
 static inline mbedtls_cipher_type_t
 _avs_crypto_mbedtls_cipher_info_get_type(const mbedtls_cipher_info_t *cipher) {
-    return cipher->MBEDTLS_PRIVATE(type);
+    return (mbedtls_cipher_type_t) cipher->MBEDTLS_PRIVATE(type);
 }
 #endif // defined(AVS_COMMONS_WITH_AVS_NET) &&
        // defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) &&