[PATCH] mbedtls: remove MBEDTLS_HAVE_TIME

Fri Dec 6 12:30:51 CET 2024

On 12/6/24 11:56, Ilias Apalodimas wrote:
> When MbedTLS TLS features were added MBEDTLS_HAVE_TIME was defined as part
> of enabling https:// support. However that pointed to the wrong function
> which could crash if it received a NULL pointer.
>
> Looking closer that function is not really needed, as it only seems to
> increase the RNG entropy by using 4b of the current time and date.
> The reason that was enabled is that lwIP was unconditionally requiring it,
> although it's configurable and can be turned off.
>
> Since lwIP doesn't use that field anywhere else, make it conditional and
> disable it from our config.
>
> Fixes: commit a564f5094f62 ("mbedtls: Enable TLS 1.2 support")
> Reported-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

This removes a tiny bit of entropy.

For making https safe we need to invest into finding different entropy
sources. Besides the hardware rng this entropy could come from reading
get_ticks() in different code locations like after receiving a network
package.

Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>

> ---
>   lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 2 ++
>   lib/mbedtls/mbedtls_def_config.h                     | 3 ---
>   2 files changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> index 6643b05ee94d..46421588fef8 100644
> --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> @@ -692,7 +692,9 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session)
>     if (session && conn && conn->state) {
>       altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
>       int ret = -1;
> +#ifdef MBEDTLS_HAVE_TIME
>       if (session->data.MBEDTLS_PRIVATE(start))
> +#endif
>         ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data);
>       return ret < 0 ? ERR_VAL : ERR_OK;
>     }
> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
> index d27f017d0847..1d2314e90e4d 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -92,9 +92,6 @@
>
>   /* Generic options */
>   #define MBEDTLS_ENTROPY_HARDWARE_ALT
> -#define MBEDTLS_HAVE_TIME
> -#define MBEDTLS_PLATFORM_MS_TIME_ALT
> -#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
>   #define MBEDTLS_PLATFORM_C
>   #define MBEDTLS_SSL_CLI_C
>   #define MBEDTLS_SSL_TLS_C