From fbab4f88dcc1cacbd2e6d11254dbc59c1064e313 Mon Sep 17 00:00:00 2001 From: Elena Uziunaite Date: Thu, 12 Sep 2024 14:58:52 +0100 Subject: [PATCH 01/28] Add missing ALG_SHA_1 Signed-off-by: Elena Uziunaite --- tests/scripts/components-configuration-crypto.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index da0e180801..91ac76523a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -841,7 +841,7 @@ component_test_psa_crypto_config_accel_ecdsa () { # ----- # These hashes are needed for some ECDSA signature tests. - loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" From 47a9b3d5a5bb95d950f51f2df63a1bba55dee0f5 Mon Sep 17 00:00:00 2001 From: Elena Uziunaite Date: Mon, 16 Sep 2024 14:25:38 +0100 Subject: [PATCH 02/28] Replace MBEDTLS_PK_CAN_ECDSA_SOME with MBEDTLS_PK_CAN_ECDSA_SIGN Signed-off-by: Elena Uziunaite --- programs/ssl/ssl_server2.c | 4 ++-- tests/suites/test_suite_pk.data | 24 ++++++++++++------------ tests/suites/test_suite_ssl.function | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ed69590642..5de734f7eb 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2695,7 +2695,7 @@ usage: } key_cert_init = 2; #endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) +#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) if ((ret = mbedtls_x509_crt_parse(&srvcert2, (const unsigned char *) mbedtls_test_srv_crt_ec, mbedtls_test_srv_crt_ec_len)) != 0) { @@ -2712,7 +2712,7 @@ usage: goto exit; } key_cert_init2 = 2; -#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ +#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ } #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index cb420aea71..b4d628f3b0 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -903,7 +903,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DECRYPT (bad) @@ -927,7 +927,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public ENCRYPT (bad) @@ -951,7 +951,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECDSA pair DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DERIVE (bad) @@ -971,7 +971,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair SIGN_HASH @@ -979,7 +979,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE @@ -987,7 +987,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_HASH @@ -995,7 +995,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_MESSAGE @@ -1231,7 +1231,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to RSA (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SIGN pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to different curve (bad) @@ -1243,7 +1243,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to different curve (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SIGN pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to public, different curve (bad) @@ -1255,7 +1255,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to public, different curve (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SIGN pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to different curve (bad) @@ -1279,7 +1279,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to different bits (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SIGN pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to different bits (bad) @@ -1303,7 +1303,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA private to public, different bits (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SIGN pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to pair (bad) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 343e58a12d..a16ac64374 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3297,7 +3297,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SOME */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SIGN */ void raw_key_agreement_fail(int bad_server_ecdhe_key) { enum { BUFFSIZE = 17000 }; From db0ed75c0f1dce69c83e6003e5496c81925f4921 Mon Sep 17 00:00:00 2001 From: Elena Uziunaite Date: Tue, 3 Sep 2024 14:13:50 +0100 Subject: [PATCH 03/28] Add PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT Signed-off-by: Elena Uziunaite --- tests/suites/test_suite_pk.data | 48 ++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index b4d628f3b0..331e5a053f 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -895,11 +895,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair DECRYPT (bad) @@ -919,11 +919,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair ENCRYPT (bad) @@ -943,11 +943,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DERIVE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECKEY_DH pair DERIVE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECDSA pair DERIVE (bad) @@ -967,7 +967,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair SIGN_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_MESSAGE @@ -975,7 +975,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair SIGN_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_HASH @@ -983,7 +983,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE @@ -991,7 +991,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_HASH @@ -1031,19 +1031,19 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair VERIFY_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair VERIFY_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public SIGN_MESSAGE (bad) @@ -1223,11 +1223,11 @@ depends_on:MBEDTLS_RSA_C pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: ECKEY pair to RSA (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to RSA (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to RSA (bad) @@ -1235,11 +1235,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBED pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to different curve (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to different curve (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to different curve (bad) @@ -1247,11 +1247,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDT pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to public, different curve (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to public, different curve (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to public, different curve (bad) @@ -1271,11 +1271,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDT pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to different bits (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to different bits (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to different bits (bad) @@ -1295,11 +1295,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_P pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY private to public, different bits (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH private to public, different bits (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA private to public, different bits (bad) From 6a229f926e3af333f79999b6d3545755d2aa2da0 Mon Sep 17 00:00:00 2001 From: Elena Uziunaite Date: Tue, 3 Sep 2024 14:16:07 +0100 Subject: [PATCH 04/28] Remove some dependencies Signed-off-by: Elena Uziunaite --- tests/suites/test_suite_ssl.data | 36 ++++++++++++++++---------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 489d5d35b1..ed0fa74e4e 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -377,11 +377,11 @@ depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDT handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:0 Handshake, ECDHE-ECDSA-WITH-AES-256-CCM -depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:0 Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0 Handshake, PSK-WITH-AES-128-CBC-SHA @@ -405,11 +405,11 @@ depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDT handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:1 DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM -depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:1 DTLS Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1 DTLS Handshake, PSK-WITH-AES-128-CBC-SHA @@ -521,23 +521,23 @@ depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDT handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256 -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque @@ -557,23 +557,23 @@ depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDT handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage -depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Sending app data via TLS, MFL=512 without fragmentation @@ -2858,7 +2858,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 # - App data payload: 70696e67 # - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5 # - Padding used: No (== granularity 1) -depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256 ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 @@ -2869,7 +2869,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 # - App data payload: 706f6e67 # - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7 # - Padding used: No (== granularity 1) -depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256 ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" SSL TLS 1.3 Record Encryption RFC 8448 Example #1 @@ -2888,7 +2888,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1 # 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6 # 3a ee bb 21 69 49 15 e4 # - Padding used: No (== granularity 1) -depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256 ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" SSL TLS 1.3 Record Encryption RFC 8448 Example #2 @@ -2907,7 +2907,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2 # fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54 # 0d d0 32 e1 67 c2 95 5d # - Padding used: No (== granularity 1) -depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_SHA_256 ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" SSL TLS 1.3 Key schedule: Application secrets derivation helper From 605bc16e67d753272e665996fc94db31ddc39562 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 12 May 2024 21:38:07 +0200 Subject: [PATCH 05/28] Make the file a bit more readable Signed-off-by: Gilles Peskine --- scripts/make_generated_files.bat | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat index b03bce2ade..063b3dc1bd 100644 --- a/scripts/make_generated_files.bat +++ b/scripts/make_generated_files.bat @@ -1,6 +1,10 @@ @rem Generate automatically-generated configuration-independent source files @rem and build scripts. -@rem Perl and Python 3 must be on the PATH. +@rem Requirements: +@rem * Perl must be on the PATH ("perl" command). +@rem * Python 3.8 or above must be on the PATH ("python" command). + +@rem @@@@ library\** @@@@ @rem psa_crypto_driver_wrappers.h needs to be generated prior to @rem generate_visualc_files.pl being invoked. python scripts\generate_driver_wrappers.py || exit /b 1 @@ -8,8 +12,14 @@ perl scripts\generate_errors.pl || exit /b 1 perl scripts\generate_query_config.pl || exit /b 1 perl scripts\generate_features.pl || exit /b 1 python scripts\generate_ssl_debug_helpers.py || exit /b 1 + +@rem @@@@ Build @@@@ perl scripts\generate_visualc_files.pl || exit /b 1 + +@rem @@@@ programs\** @@@@ python scripts\generate_psa_constants.py || exit /b 1 + +@rem @@@@ tests\** @@@@ python framework\scripts\generate_bignum_tests.py || exit /b 1 python framework\scripts\generate_config_tests.py || exit /b 1 python framework\scripts\generate_ecp_tests.py || exit /b 1 From 83af88306dda36c0137e1c21825eef3bdafbc995 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 12 May 2024 21:38:16 +0200 Subject: [PATCH 06/28] Document the C compiler requirement Signed-off-by: Gilles Peskine --- scripts/make_generated_files.bat | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat index 063b3dc1bd..7668932e3f 100644 --- a/scripts/make_generated_files.bat +++ b/scripts/make_generated_files.bat @@ -3,6 +3,8 @@ @rem Requirements: @rem * Perl must be on the PATH ("perl" command). @rem * Python 3.8 or above must be on the PATH ("python" command). +@rem * Either a C compiler called "cc" must be on the PATH, or +@rem the "CC" environment variable must point to a C compiler. @rem @@@@ library\** @@@@ @rem psa_crypto_driver_wrappers.h needs to be generated prior to From 634103c9f9b17e9f8f0e0ba978825f80b5c81fac Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 11 Sep 2024 13:08:21 +0200 Subject: [PATCH 07/28] Update `config.py` to use `config_common.py` from the framework Signed-off-by: Gabor Mezei --- scripts/config.py | 592 +++++++++++++++++++--------------------------- 1 file changed, 240 insertions(+), 352 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index 8704bdb51e..41dc8c5eb5 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -1,158 +1,31 @@ #!/usr/bin/env python3 -"""Mbed TLS configuration file manipulation library and tool +"""Mbed TLS and PSA configuration file manipulation library and tool Basic usage, to read the Mbed TLS configuration: - config = ConfigFile() + config = CombinedConfigFile() if 'MBEDTLS_RSA_C' in config: print('RSA is enabled') """ -# Note that as long as Mbed TLS 2.28 LTS is maintained, the version of -# this script in the mbedtls-2.28 branch must remain compatible with -# Python 3.4. The version in development may only use more recent features -# in parts that are not backported to 2.28. - ## Copyright The Mbed TLS Contributors ## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later ## import os import re +import sys -class Setting: - """Representation of one Mbed TLS mbedtls_config.h setting. +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import config_common - Fields: - * name: the symbol name ('MBEDTLS_xxx'). - * value: the value of the macro. The empty string for a plain #define - with no value. - * active: True if name is defined, False if a #define for name is - present in mbedtls_config.h but commented out. - * section: the name of the section that contains this symbol. - """ - # pylint: disable=too-few-public-methods - def __init__(self, active, name, value='', section=None): - self.active = active - self.name = name - self.value = value - self.section = section - -class Config: - """Representation of the Mbed TLS configuration. - - In the documentation of this class, a symbol is said to be *active* - if there is a #define for it that is not commented out, and *known* - if there is a #define for it whether commented out or not. - - This class supports the following protocols: - * `name in config` is `True` if the symbol `name` is active, `False` - otherwise (whether `name` is inactive or not known). - * `config[name]` is the value of the macro `name`. If `name` is inactive, - raise `KeyError` (even if `name` is known). - * `config[name] = value` sets the value associated to `name`. `name` - must be known, but does not need to be set. This does not cause - name to become set. - """ - - def __init__(self): - self.settings = {} - - def __contains__(self, name): - """True if the given symbol is active (i.e. set). - - False if the given symbol is not set, even if a definition - is present but commented out. - """ - return name in self.settings and self.settings[name].active - - def all(self, *names): - """True if all the elements of names are active (i.e. set).""" - return all(self.__contains__(name) for name in names) - - def any(self, *names): - """True if at least one symbol in names are active (i.e. set).""" - return any(self.__contains__(name) for name in names) - - def known(self, name): - """True if a #define for name is present, whether it's commented out or not.""" - return name in self.settings - - def __getitem__(self, name): - """Get the value of name, i.e. what the preprocessor symbol expands to. - - If name is not known, raise KeyError. name does not need to be active. - """ - return self.settings[name].value - - def get(self, name, default=None): - """Get the value of name. If name is inactive (not set), return default. - - If a #define for name is present and not commented out, return - its expansion, even if this is the empty string. - - If a #define for name is present but commented out, return default. - """ - if name in self.settings: - return self.settings[name].value - else: - return default - - def __setitem__(self, name, value): - """If name is known, set its value. - - If name is not known, raise KeyError. - """ - self.settings[name].value = value - - def set(self, name, value=None): - """Set name to the given value and make it active. - - If value is None and name is already known, don't change its value. - If value is None and name is not known, set its value to the empty - string. - """ - if name in self.settings: - if value is not None: - self.settings[name].value = value - self.settings[name].active = True - else: - self.settings[name] = Setting(True, name, value=value) - - def unset(self, name): - """Make name unset (inactive). - - name remains known if it was known before. - """ - if name not in self.settings: - return - self.settings[name].active = False - - def adapt(self, adapter): - """Run adapter on each known symbol and (de)activate it accordingly. - - `adapter` must be a function that returns a boolean. It is called as - `adapter(name, active, section)` for each setting, where `active` is - `True` if `name` is set and `False` if `name` is known but unset, - and `section` is the name of the section containing `name`. If - `adapter` returns `True`, then set `name` (i.e. make it active), - otherwise unset `name` (i.e. make it known but inactive). - """ - for setting in self.settings.values(): - setting.active = adapter(setting.name, setting.active, - setting.section) - - def change_matching(self, regexs, enable): - """Change all symbols matching one of the regexs to the desired state.""" - if not regexs: - return - regex = re.compile('|'.join(regexs)) - for setting in self.settings.values(): - if regex.search(setting.name): - setting.active = enable def is_full_section(section): - """Is this section affected by "config.py full" and friends?""" - return section.endswith('support') or section.endswith('modules') + """Is this section affected by "config.py full" and friends? + + In a config file where the sections are not used the whole config file + is an empty section (with value None) and the whole file is affected. + """ + return section is None or section.endswith('support') or section.endswith('modules') def realfull_adapter(_name, active, section): """Activate all symbols found in the global and boolean feature sections. @@ -168,6 +41,26 @@ def realfull_adapter(_name, active, section): return active return True +PSA_UNSUPPORTED_FEATURE = frozenset([ + 'PSA_WANT_ALG_CBC_MAC', + 'PSA_WANT_ALG_XTS', + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE', + 'PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE' +]) + +PSA_DEPRECATED_FEATURE = frozenset([ + 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR', + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR' +]) + +PSA_UNSTABLE_FEATURE = frozenset([ + 'PSA_WANT_ECC_SECP_K1_224' +]) + +EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \ + PSA_DEPRECATED_FEATURE | \ + PSA_UNSTABLE_FEATURE + # The goal of the full configuration is to have everything that can be tested # together. This includes deprecated or insecure options. It excludes: # * Options that require additional build dependencies or unusual hardware. @@ -211,6 +104,9 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) 'MBEDTLS_X509_REMOVE_INFO', # removes a feature + *PSA_UNSUPPORTED_FEATURE, + *PSA_DEPRECATED_FEATURE, + *PSA_UNSTABLE_FEATURE ]) def is_seamless_alt(name): @@ -317,6 +213,8 @@ def include_in_crypto(name): 'MBEDTLS_PKCS7_C', # part of libmbedx509 ]: return False + if name in EXCLUDE_FROM_CRYPTO: + return False return True def crypto_adapter(adapter): @@ -335,6 +233,7 @@ def crypto_adapter(adapter): DEPRECATED = frozenset([ 'MBEDTLS_PSA_CRYPTO_SE_C', + *PSA_DEPRECATED_FEATURE ]) def no_deprecated_adapter(adapter): """Modify an adapter to disable deprecated symbols. @@ -369,12 +268,9 @@ def no_platform_adapter(adapter): return adapter(name, active, section) return continuation -class ConfigFile(Config): - """Representation of the Mbed TLS configuration read for a file. - See the documentation of the `Config` class for methods to query - and modify the configuration. - """ +class MbedTLSConfigFile(config_common.ConfigFile): + """Representation of an MbedTLS configuration file.""" _path_in_tree = 'include/mbedtls/mbedtls_config.h' default_path = [_path_in_tree, @@ -385,228 +281,220 @@ class ConfigFile(Config): _path_in_tree)] def __init__(self, filename=None): - """Read the Mbed TLS configuration file.""" - if filename is None: - for candidate in self.default_path: - if os.path.lexists(candidate): - filename = candidate - break - else: - raise Exception('Mbed TLS configuration file not found', - self.default_path) - super().__init__() - self.filename = filename - self.inclusion_guard = None + super().__init__(self.default_path, 'Mbed TLS', filename) self.current_section = 'header' - with open(filename, 'r', encoding='utf-8') as file: - self.templates = [self._parse_line(line) for line in file] - self.current_section = None + + +class CryptoConfigFile(config_common.ConfigFile): + """Representation of a Crypto configuration file.""" + + # Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto + # build system to build its crypto library. When it does, the + # condition can just be removed. + _path_in_tree = ('include/psa/crypto_config.h' + if not os.path.isdir(os.path.join(os.path.dirname(__file__), + os.pardir, + 'tf-psa-crypto')) else + 'tf-psa-crypto/include/psa/crypto_config.h') + default_path = [_path_in_tree, + os.path.join(os.path.dirname(__file__), + os.pardir, + _path_in_tree), + os.path.join(os.path.dirname(os.path.abspath(os.path.dirname(__file__))), + _path_in_tree)] + + def __init__(self, filename=None): + super().__init__(self.default_path, 'Crypto', filename) + + +class MbedTLSConfig(config_common.Config): + """Representation of the Mbed TLS configuration. + + See the documentation of the `Config` class for methods to query + and modify the configuration. + """ + + def __init__(self, filename=None): + """Read the Mbed TLS configuration file.""" + + super().__init__() + configfile = MbedTLSConfigFile(filename) + self.configfiles.append(configfile) + self.settings.update({name: config_common.Setting(configfile, active, name, value, section) + for (active, name, value, section) + in configfile.parse_file()}) def set(self, name, value=None): + """Set name to the given value and make it active.""" + if name not in self.settings: - self.templates.append((name, '', '#define ' + name + ' ')) + self._get_configfile().templates.append((name, '', '#define ' + name + ' ')) + super().set(name, value) - _define_line_regexp = (r'(?P\s*)' + - r'(?P(//\s*)?)' + - r'(?P#\s*define\s+)' + - r'(?P\w+)' + - r'(?P(?:\((?:\w|\s|,)*\))?)' + - r'(?P\s*)' + - r'(?P.*)') - _ifndef_line_regexp = r'#ifndef (?P\w+)' - _section_line_regexp = (r'\s*/?\*+\s*[\\@]name\s+SECTION:\s*' + - r'(?P
.*)[ */]*') - _config_line_regexp = re.compile(r'|'.join([_define_line_regexp, - _ifndef_line_regexp, - _section_line_regexp])) - def _parse_line(self, line): - """Parse a line in mbedtls_config.h and return the corresponding template.""" - line = line.rstrip('\r\n') - m = re.match(self._config_line_regexp, line) - if m is None: - return line - elif m.group('section'): - self.current_section = m.group('section') - return line - elif m.group('inclusion_guard') and self.inclusion_guard is None: - self.inclusion_guard = m.group('inclusion_guard') - return line - else: - active = not m.group('commented_out') - name = m.group('name') - value = m.group('value') - if name == self.inclusion_guard and value == '': - # The file double-inclusion guard is not an option. - return line - template = (name, - m.group('indentation'), - m.group('define') + name + - m.group('arguments') + m.group('separator')) - self.settings[name] = Setting(active, name, value, - self.current_section) - return template - def _format_template(self, name, indent, middle): - """Build a line for mbedtls_config.h for the given setting. +class CryptoConfig(config_common.Config): + """Representation of the PSA crypto configuration. - The line has the form "#define " - where is "#define ". - """ - setting = self.settings[name] - value = setting.value - if value is None: - value = '' - # Normally the whitespace to separate the symbol name from the - # value is part of middle, and there's no whitespace for a symbol - # with no value. But if a symbol has been changed from having a - # value to not having one, the whitespace is wrong, so fix it. - if value: - if middle[-1] not in '\t ': - middle += ' ' - else: - middle = middle.rstrip() - return ''.join([indent, - '' if setting.active else '//', - middle, - value]).rstrip() + See the documentation of the `Config` class for methods to query + and modify the configuration. + """ - def write_to_stream(self, output): - """Write the whole configuration to output.""" - for template in self.templates: - if isinstance(template, str): - line = template + def __init__(self, filename=None): + """Read the PSA crypto configuration file.""" + + super().__init__() + configfile = CryptoConfigFile(filename) + self.configfiles.append(configfile) + self.settings.update({name: config_common.Setting(configfile, active, name, value, section) + for (active, name, value, section) + in configfile.parse_file()}) + + def set(self, name, value='1'): + """Set name to the given value and make it active.""" + + if name in PSA_UNSUPPORTED_FEATURE: + raise ValueError(f'Feature is unsupported: \'{name}\'') + if name in PSA_UNSTABLE_FEATURE: + raise ValueError(f'Feature is unstable: \'{name}\'') + + if name not in self.settings: + self._get_configfile().templates.append((name, '', '#define ' + name + ' ')) + + super().set(name, value) + + +class CombinedConfig(config_common.Config): + """Representation of MbedTLS and PSA crypto configuration + + See the documentation of the `Config` class for methods to query + and modify the configuration. + """ + + def __init__(self, *configs): + super().__init__() + for config in configs: + if isinstance(config, MbedTLSConfigFile): + self.mbedtls_configfile = config + elif isinstance(config, CryptoConfigFile): + self.crypto_configfile = config else: - line = self._format_template(*template) - output.write(line + '\n') + raise ValueError(f'Invalid configfile: {config}') + self.configfiles.append(config) - def write(self, filename=None): + self.settings.update({name: config_common.Setting(configfile, active, name, value, section) + for configfile in [self.mbedtls_configfile, self.crypto_configfile] + for (active, name, value, section) in configfile.parse_file()}) + + _crypto_regexp = re.compile(r'$PSA_.*') + def _get_configfile(self, name=None): + """Find a config type for a setting name""" + + if name in self.settings: + return self.settings[name].configfile + elif re.match(self._crypto_regexp, name): + return self.crypto_configfile + else: + return self.mbedtls_configfile + + def set(self, name, value=None): + """Set name to the given value and make it active.""" + + configfile = self._get_configfile(name) + + if configfile == self.crypto_configfile: + if name in PSA_UNSUPPORTED_FEATURE: + raise ValueError(f'Feature is unsupported: \'{name}\'') + if name in PSA_UNSTABLE_FEATURE: + raise ValueError(f'Feature is unstable: \'{name}\'') + + # The default value in the crypto config is '1' + if not value: + value = '1' + + if name not in self.settings: + configfile.templates.append((name, '', '#define ' + name + ' ')) + + super().set(name, value) + + #pylint: disable=arguments-differ + def write(self, mbedtls_file=None, crypto_file=None): """Write the whole configuration to the file it was read from. - If filename is specified, write to this file instead. + If mbedtls_file or crypto_file is specified, write the specific configuration + to the corresponding file instead. """ - if filename is None: - filename = self.filename - with open(filename, 'w', encoding='utf-8') as output: - self.write_to_stream(output) + + self.mbedtls_configfile.write(self.settings, mbedtls_file) + self.crypto_configfile.write(self.settings, crypto_file) + + def filename(self, name=None): + """Get the names of the config files. + + If 'name' is specified return the name of the config file where it is defined. + """ + + if not name: + return [config.filename for config in [self.mbedtls_configfile, self.crypto_configfile]] + + return self._get_configfile(name).filename + + +class MbedTLSConfigTool(config_common.ConfigTool): + """Command line mbedtls_config.h and crypto_config.h manipulation tool.""" + + def __init__(self): + super().__init__(MbedTLSConfigFile) + self.config = CombinedConfig(MbedTLSConfigFile(self.parser_args.file), + CryptoConfigFile(self.parser_args.cryptofile)) + + def custom_parser_options(self): + """Adds MbedTLS specific options for the parser.""" + + self.parser.add_argument( + '--cryptofile', '-c', + help="""Crypto file to read (and modify if requested). Default: {}.""" + .format(CryptoConfigFile.default_path)) + + self.add_adapter( + 'baremetal', baremetal_adapter, + """Like full, but exclude features that require platform features + such as file input-output. + """) + self.add_adapter( + 'baremetal_size', baremetal_size_adapter, + """Like baremetal, but exclude debugging features. Useful for code size measurements. + """) + self.add_adapter( + 'full', full_adapter, + """Uncomment most features. + Exclude alternative implementations and platform support options, as well as + some options that are awkward to test. + """) + self.add_adapter( + 'full_no_deprecated', no_deprecated_adapter(full_adapter), + """Uncomment most non-deprecated features. + Like "full", but without deprecated features. + """) + self.add_adapter( + 'full_no_platform', no_platform_adapter(full_adapter), + """Uncomment most non-platform features. Like "full", but without platform features. + """) + self.add_adapter( + 'realfull', realfull_adapter, + """Uncomment all boolean #defines. + Suitable for generating documentation, but not for building. + """) + self.add_adapter( + 'crypto', crypto_adapter(None), + """Only include crypto features. Exclude X.509 and TLS.""") + self.add_adapter( + 'crypto_baremetal', crypto_adapter(baremetal_adapter), + """Like baremetal, but with only crypto features, excluding X.509 and TLS.""") + self.add_adapter( + 'crypto_full', crypto_adapter(full_adapter), + """Like full, but with only crypto features, excluding X.509 and TLS.""") + if __name__ == '__main__': - def main(): - """Command line mbedtls_config.h manipulation tool.""" - parser = argparse.ArgumentParser(description=""" - Mbed TLS configuration file manipulation tool. - """) - parser.add_argument('--file', '-f', - help="""File to read (and modify if requested). - Default: {}. - """.format(ConfigFile.default_path)) - parser.add_argument('--force', '-o', - action='store_true', - help="""For the set command, if SYMBOL is not - present, add a definition for it.""") - parser.add_argument('--write', '-w', metavar='FILE', - help="""File to write to instead of the input file.""") - subparsers = parser.add_subparsers(dest='command', - title='Commands') - parser_get = subparsers.add_parser('get', - help="""Find the value of SYMBOL - and print it. Exit with - status 0 if a #define for SYMBOL is - found, 1 otherwise. - """) - parser_get.add_argument('symbol', metavar='SYMBOL') - parser_set = subparsers.add_parser('set', - help="""Set SYMBOL to VALUE. - If VALUE is omitted, just uncomment - the #define for SYMBOL. - Error out of a line defining - SYMBOL (commented or not) is not - found, unless --force is passed. - """) - parser_set.add_argument('symbol', metavar='SYMBOL') - parser_set.add_argument('value', metavar='VALUE', nargs='?', - default='') - parser_set_all = subparsers.add_parser('set-all', - help="""Uncomment all #define - whose name contains a match for - REGEX.""") - parser_set_all.add_argument('regexs', metavar='REGEX', nargs='*') - parser_unset = subparsers.add_parser('unset', - help="""Comment out the #define - for SYMBOL. Do nothing if none - is present.""") - parser_unset.add_argument('symbol', metavar='SYMBOL') - parser_unset_all = subparsers.add_parser('unset-all', - help="""Comment out all #define - whose name contains a match for - REGEX.""") - parser_unset_all.add_argument('regexs', metavar='REGEX', nargs='*') - - def add_adapter(name, function, description): - subparser = subparsers.add_parser(name, help=description) - subparser.set_defaults(adapter=function) - add_adapter('baremetal', baremetal_adapter, - """Like full, but exclude features that require platform - features such as file input-output.""") - add_adapter('baremetal_size', baremetal_size_adapter, - """Like baremetal, but exclude debugging features. - Useful for code size measurements.""") - add_adapter('full', full_adapter, - """Uncomment most features. - Exclude alternative implementations and platform support - options, as well as some options that are awkward to test. - """) - add_adapter('full_no_deprecated', no_deprecated_adapter(full_adapter), - """Uncomment most non-deprecated features. - Like "full", but without deprecated features. - """) - add_adapter('full_no_platform', no_platform_adapter(full_adapter), - """Uncomment most non-platform features. - Like "full", but without platform features. - """) - add_adapter('realfull', realfull_adapter, - """Uncomment all boolean #defines. - Suitable for generating documentation, but not for building.""") - add_adapter('crypto', crypto_adapter(None), - """Only include crypto features. Exclude X.509 and TLS.""") - add_adapter('crypto_baremetal', crypto_adapter(baremetal_adapter), - """Like baremetal, but with only crypto features, - excluding X.509 and TLS.""") - add_adapter('crypto_full', crypto_adapter(full_adapter), - """Like full, but with only crypto features, - excluding X.509 and TLS.""") - - args = parser.parse_args() - config = ConfigFile(args.file) - if args.command is None: - parser.print_help() - return 1 - elif args.command == 'get': - if args.symbol in config: - value = config[args.symbol] - if value: - sys.stdout.write(value + '\n') - return 0 if args.symbol in config else 1 - elif args.command == 'set': - if not args.force and args.symbol not in config.settings: - sys.stderr.write("A #define for the symbol {} " - "was not found in {}\n" - .format(args.symbol, config.filename)) - return 1 - config.set(args.symbol, value=args.value) - elif args.command == 'set-all': - config.change_matching(args.regexs, True) - elif args.command == 'unset': - config.unset(args.symbol) - elif args.command == 'unset-all': - config.change_matching(args.regexs, False) - else: - config.adapt(args.adapter) - config.write(args.write) - return 0 - - # Import modules only used by main only if main is defined and called. - # pylint: disable=wrong-import-position - import argparse - import sys - sys.exit(main()) + sys.exit(MbedTLSConfigTool().main()) From 3ae480ba7d16c1e8a83444e098d16b7f84d9226c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 18 Sep 2024 13:02:16 +0200 Subject: [PATCH 08/28] Fix documentation Signed-off-by: Gabor Mezei --- scripts/config.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/config.py b/scripts/config.py index 41dc8c5eb5..5d7dfc1631 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -423,13 +423,16 @@ class CombinedConfig(config_common.Config): If mbedtls_file or crypto_file is specified, write the specific configuration to the corresponding file instead. + + The parameter name is differ from the definition of the super class to handle + two different config files. """ self.mbedtls_configfile.write(self.settings, mbedtls_file) self.crypto_configfile.write(self.settings, crypto_file) def filename(self, name=None): - """Get the names of the config files. + """Get the name of the config files. If 'name' is specified return the name of the config file where it is defined. """ From 2285ed82825016f8dec2fdc46079be3f3ff3e4f4 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 18 Sep 2024 13:02:42 +0200 Subject: [PATCH 09/28] Update member variable names Signed-off-by: Gabor Mezei --- scripts/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index 5d7dfc1631..51b742c7f8 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -448,8 +448,8 @@ class MbedTLSConfigTool(config_common.ConfigTool): def __init__(self): super().__init__(MbedTLSConfigFile) - self.config = CombinedConfig(MbedTLSConfigFile(self.parser_args.file), - CryptoConfigFile(self.parser_args.cryptofile)) + self.config = CombinedConfig(MbedTLSConfigFile(self.args.file), + CryptoConfigFile(self.args.cryptofile)) def custom_parser_options(self): """Adds MbedTLS specific options for the parser.""" From d72c9f94018797695ad231ef6d4f98c832963909 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 18 Sep 2024 16:51:27 +0200 Subject: [PATCH 10/28] Fix documentation Signed-off-by: Gabor Mezei --- scripts/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index 51b742c7f8..894c51d13c 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -424,8 +424,8 @@ class CombinedConfig(config_common.Config): If mbedtls_file or crypto_file is specified, write the specific configuration to the corresponding file instead. - The parameter name is differ from the definition of the super class to handle - two different config files. + Two file name parameters and not only one as in the super class as we handle + two configuration files in this class. """ self.mbedtls_configfile.write(self.settings, mbedtls_file) From 8b54f0e7e893e48536458feeffa622f33136e689 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 18 Sep 2024 16:53:03 +0200 Subject: [PATCH 11/28] Apply the parameter change Signed-off-by: Gabor Mezei --- scripts/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config.py b/scripts/config.py index 894c51d13c..4a52d7de8d 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -447,7 +447,7 @@ class MbedTLSConfigTool(config_common.ConfigTool): """Command line mbedtls_config.h and crypto_config.h manipulation tool.""" def __init__(self): - super().__init__(MbedTLSConfigFile) + super().__init__(MbedTLSConfigFile.default_path) self.config = CombinedConfig(MbedTLSConfigFile(self.args.file), CryptoConfigFile(self.args.cryptofile)) From 1a0bd776b2aa327cbdbf9dc04419abad819bcd0e Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 4 Sep 2024 11:42:43 +0200 Subject: [PATCH 12/28] Use MbedTLSConfig for config handling to keep campatibility Signed-off-by: Gabor Mezei --- scripts/config.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index 4a52d7de8d..cd943f5580 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -3,7 +3,7 @@ """Mbed TLS and PSA configuration file manipulation library and tool Basic usage, to read the Mbed TLS configuration: - config = CombinedConfigFile() + config = MbedTLSConfig() if 'MBEDTLS_RSA_C' in config: print('RSA is enabled') """ @@ -448,8 +448,7 @@ class MbedTLSConfigTool(config_common.ConfigTool): def __init__(self): super().__init__(MbedTLSConfigFile.default_path) - self.config = CombinedConfig(MbedTLSConfigFile(self.args.file), - CryptoConfigFile(self.args.cryptofile)) + self.config = MbedTLSConfig(self.args.file) def custom_parser_options(self): """Adds MbedTLS specific options for the parser.""" From 6f90e79ae5c9d410e68168cc8d4ae15dae01fef8 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 3 Sep 2024 16:58:25 +0200 Subject: [PATCH 13/28] Update old class names Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 1990cd21ca..64a3d46b2c 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -537,7 +537,7 @@ def main(): default=True) options = parser.parse_args() os.chdir(options.directory) - conf = config.ConfigFile(options.config) + conf = config.MbedTLSConfig(options.config) domain_data = DomainData(options, conf) if options.tasks is True: From 76f147d597e0a002e6c7d46dc61237c3f5246aad Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 19 Sep 2024 10:20:00 +0200 Subject: [PATCH 14/28] Remove unused `CombinedConfig` class In 3.6 `MbedTLSConfig` is used instead of `ConbinedConfig` due to keep compatibility Signed-off-by: Gabor Mezei --- scripts/config.py | 80 ----------------------------------------------- 1 file changed, 80 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index cd943f5580..c75988d6b1 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -12,7 +12,6 @@ Basic usage, to read the Mbed TLS configuration: ## import os -import re import sys import framework_scripts_path # pylint: disable=unused-import @@ -364,85 +363,6 @@ class CryptoConfig(config_common.Config): super().set(name, value) -class CombinedConfig(config_common.Config): - """Representation of MbedTLS and PSA crypto configuration - - See the documentation of the `Config` class for methods to query - and modify the configuration. - """ - - def __init__(self, *configs): - super().__init__() - for config in configs: - if isinstance(config, MbedTLSConfigFile): - self.mbedtls_configfile = config - elif isinstance(config, CryptoConfigFile): - self.crypto_configfile = config - else: - raise ValueError(f'Invalid configfile: {config}') - self.configfiles.append(config) - - self.settings.update({name: config_common.Setting(configfile, active, name, value, section) - for configfile in [self.mbedtls_configfile, self.crypto_configfile] - for (active, name, value, section) in configfile.parse_file()}) - - _crypto_regexp = re.compile(r'$PSA_.*') - def _get_configfile(self, name=None): - """Find a config type for a setting name""" - - if name in self.settings: - return self.settings[name].configfile - elif re.match(self._crypto_regexp, name): - return self.crypto_configfile - else: - return self.mbedtls_configfile - - def set(self, name, value=None): - """Set name to the given value and make it active.""" - - configfile = self._get_configfile(name) - - if configfile == self.crypto_configfile: - if name in PSA_UNSUPPORTED_FEATURE: - raise ValueError(f'Feature is unsupported: \'{name}\'') - if name in PSA_UNSTABLE_FEATURE: - raise ValueError(f'Feature is unstable: \'{name}\'') - - # The default value in the crypto config is '1' - if not value: - value = '1' - - if name not in self.settings: - configfile.templates.append((name, '', '#define ' + name + ' ')) - - super().set(name, value) - - #pylint: disable=arguments-differ - def write(self, mbedtls_file=None, crypto_file=None): - """Write the whole configuration to the file it was read from. - - If mbedtls_file or crypto_file is specified, write the specific configuration - to the corresponding file instead. - - Two file name parameters and not only one as in the super class as we handle - two configuration files in this class. - """ - - self.mbedtls_configfile.write(self.settings, mbedtls_file) - self.crypto_configfile.write(self.settings, crypto_file) - - def filename(self, name=None): - """Get the name of the config files. - - If 'name' is specified return the name of the config file where it is defined. - """ - - if not name: - return [config.filename for config in [self.mbedtls_configfile, self.crypto_configfile]] - - return self._get_configfile(name).filename - - class MbedTLSConfigTool(config_common.ConfigTool): """Command line mbedtls_config.h and crypto_config.h manipulation tool.""" From bf1c8f9d29000d340bf4709d8df603bebdd6d395 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 18 Sep 2024 17:16:51 +0200 Subject: [PATCH 15/28] Update framework Signed-off-by: Gabor Mezei --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 071831e25b..8c488b1b8f 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 071831e25bd336baa58bbdf65e985283f56e1b86 +Subproject commit 8c488b1b8f86384450c922f22cd1bee0b996be13 From 3415dc828e227b4b747f02a8d8854b533dd6dfa8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 13:43:57 +0200 Subject: [PATCH 16/28] Fix obsolete comment about MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER has been compatible with MBEDTLS_USE_PSA_CRYPTO since https://github.com/Mbed-TLS/mbedtls/pull/5380. We still don't want to enable it in the full config because it's a behavior change, even an interface change. Signed-off-by: Gilles Peskine --- scripts/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config.py b/scripts/config.py index 8704bdb51e..92f78484f6 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -200,7 +200,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature 'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS', # removes a feature 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency - 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # incompatible with USE_PSA_CRYPTO + 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # interface and behavior change 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM) 'MBEDTLS_PSA_INJECT_ENTROPY', # conflicts with platform entropy sources 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS From bb47c7368b32919df8fcb125e154fe763b65256e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 12:13:16 +0200 Subject: [PATCH 17/28] CMake: support "make programs" Signed-off-by: Gilles Peskine --- programs/CMakeLists.txt | 3 +++ programs/aes/CMakeLists.txt | 1 + programs/cipher/CMakeLists.txt | 1 + programs/fuzz/CMakeLists.txt | 2 ++ programs/hash/CMakeLists.txt | 1 + programs/pkey/CMakeLists.txt | 2 ++ programs/psa/CMakeLists.txt | 1 + programs/random/CMakeLists.txt | 1 + programs/ssl/CMakeLists.txt | 1 + programs/test/CMakeLists.txt | 2 ++ programs/util/CMakeLists.txt | 1 + programs/x509/CMakeLists.txt | 1 + 12 files changed, 17 insertions(+) diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index 0633aa6499..aaf93ba38d 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -1,3 +1,6 @@ +set(programs_target "${MBEDTLS_TARGET_PREFIX}programs") +add_custom_target(${programs_target}) + add_subdirectory(aes) add_subdirectory(cipher) if (NOT WIN32) diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt index ccb8db564f..4d4c890fbf 100644 --- a/programs/aes/CMakeLists.txt +++ b/programs/aes/CMakeLists.txt @@ -1,6 +1,7 @@ set(executables crypt_and_hash ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt index e925524f68..effaf8a931 100644 --- a/programs/cipher/CMakeLists.txt +++ b/programs/cipher/CMakeLists.txt @@ -1,6 +1,7 @@ set(executables cipher_aead_demo ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index c389029bca..f5358ffff6 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -15,6 +15,7 @@ set(executables_no_common_c fuzz_x509csr fuzz_pkcs7 ) +add_dependencies(${programs_target} ${executables_no_common_c}) set(executables_with_common_c fuzz_privkey @@ -23,6 +24,7 @@ set(executables_with_common_c fuzz_dtlsserver fuzz_server ) +add_dependencies(${programs_target} ${executables_with_common_c}) foreach(exe IN LISTS executables_no_common_c executables_with_common_c) diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt index fcacf3ba4f..0ad974d9a9 100644 --- a/programs/hash/CMakeLists.txt +++ b/programs/hash/CMakeLists.txt @@ -3,6 +3,7 @@ set(executables hello md_hmac_demo ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index cd0387a882..defbe281d9 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -2,6 +2,7 @@ set(executables_mbedtls dh_client dh_server ) +add_dependencies(${programs_target} ${executables_mbedtls}) foreach(exe IN LISTS executables_mbedtls) add_executable(${exe} ${exe}.c $) @@ -29,6 +30,7 @@ set(executables_mbedcrypto rsa_verify rsa_verify_pss ) +add_dependencies(${programs_target} ${executables_mbedcrypto}) foreach(exe IN LISTS executables_mbedcrypto) add_executable(${exe} ${exe}.c $) diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt index a8e4b0e372..a6933a6e2b 100644 --- a/programs/psa/CMakeLists.txt +++ b/programs/psa/CMakeLists.txt @@ -6,6 +6,7 @@ set(executables psa_constant_names psa_hash ) +add_dependencies(${programs_target} ${executables}) if(GEN_FILES) add_custom_command( diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt index 5940395354..f0c78259ff 100644 --- a/programs/random/CMakeLists.txt +++ b/programs/random/CMakeLists.txt @@ -2,6 +2,7 @@ set(executables gen_entropy gen_random_ctr_drbg ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index ec2c86fb4a..f4fb477ebf 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -16,6 +16,7 @@ set(executables ssl_server ssl_server2 ) +add_dependencies(${programs_target} ${executables}) if(GEN_FILES) # Inform CMake that the following file will be generated as part of the build diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 0d43ffddd3..e3db8dd9bf 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -8,12 +8,14 @@ set(executables_libs selftest udp_proxy ) +add_dependencies(${programs_target} ${executables_libs}) set(executables_mbedcrypto benchmark query_compile_time_config zeroize ) +add_dependencies(${programs_target} ${executables_mbedcrypto}) if(TEST_CPP) set(cpp_dummy_build_cpp "${CMAKE_CURRENT_BINARY_DIR}/cpp_dummy_build.cpp") diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt index cb6bc3d2d2..264d9416cc 100644 --- a/programs/util/CMakeLists.txt +++ b/programs/util/CMakeLists.txt @@ -6,6 +6,7 @@ set(executables pem2der strerror ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt index 43437f070b..a09813c917 100644 --- a/programs/x509/CMakeLists.txt +++ b/programs/x509/CMakeLists.txt @@ -10,6 +10,7 @@ set(executables load_roots req_app ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) From 7215b1e9c9752a69c8268841ccdb221b22f1560a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 12:18:00 +0200 Subject: [PATCH 18/28] CMake: support "make ssl-opt" to just build what ssl-opt.sh needs This also suffices for compat.sh. Include the sample programs in this build. They aren't tested by ssl-opt.sh yet, but they soon will be. Signed-off-by: Gilles Peskine --- programs/CMakeLists.txt | 3 +++ programs/ssl/CMakeLists.txt | 1 + programs/test/CMakeLists.txt | 2 ++ 3 files changed, 6 insertions(+) diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index aaf93ba38d..e031544a9c 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -1,6 +1,9 @@ set(programs_target "${MBEDTLS_TARGET_PREFIX}programs") add_custom_target(${programs_target}) +set(ssl_opt_target "${MBEDTLS_TARGET_PREFIX}ssl-opt") +add_custom_target(${ssl_opt_target}) + add_subdirectory(aes) add_subdirectory(cipher) if (NOT WIN32) diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index f4fb477ebf..02010d8a7f 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -17,6 +17,7 @@ set(executables ssl_server2 ) add_dependencies(${programs_target} ${executables}) +add_dependencies(${ssl_opt_target} ${executables}) if(GEN_FILES) # Inform CMake that the following file will be generated as part of the build diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index e3db8dd9bf..1670b949f4 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -9,6 +9,7 @@ set(executables_libs udp_proxy ) add_dependencies(${programs_target} ${executables_libs}) +add_dependencies(${ssl_opt_target} udp_proxy) set(executables_mbedcrypto benchmark @@ -16,6 +17,7 @@ set(executables_mbedcrypto zeroize ) add_dependencies(${programs_target} ${executables_mbedcrypto}) +add_dependencies(${ssl_opt_target} query_compile_time_config) if(TEST_CPP) set(cpp_dummy_build_cpp "${CMAKE_CURRENT_BINARY_DIR}/cpp_dummy_build.cpp") From b35ed4565ace7b92fbf10c9968326c75a8c2224c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 13:05:51 +0200 Subject: [PATCH 19/28] make: support "make ssl-opt" to just build what ssl-opt.sh needs This also suffices for compat.sh. Include the sample programs in this build. They aren't tested by ssl-opt.sh yet, but they soon will be. Signed-off-by: Gilles Peskine --- Makefile | 3 +++ programs/Makefile | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/Makefile b/Makefile index fb80529efa..00de60823b 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,9 @@ no_test: programs programs: lib mbedtls_test $(MAKE) -C programs +ssl-opt: lib mbedtls_test + $(MAKE) -C programs ssl-opt + lib: $(MAKE) -C library diff --git a/programs/Makefile b/programs/Makefile index 8d1da6dbe7..0604a68a3c 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -116,6 +116,12 @@ ifndef WINDOWS all: fuzz endif +SSL_OPT_APPS = $(filter ssl/%,$(APPS)) +SSL_OPT_APPS += test/query_compile_time_config test/udp_proxy +# Just the programs needed to run ssl-opt.sh (and compat.sh) +ssl-opt: $(patsubst %,%$(EXEXT),$(SSL_OPT_APPS)) +.PHONY: ssl-opt + fuzz: ${MBEDTLS_TEST_OBJS} $(MAKE) -C fuzz From 4d347aa4336db3ba44295b8ec6938afc8221510b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 18:55:08 +0200 Subject: [PATCH 20/28] Move config-no-entropy.h testing to separate all.sh component Signed-off-by: Gilles Peskine --- .../components-configuration-crypto.sh | 19 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 2 -- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index da0e180801..83188aed10 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -162,6 +162,25 @@ component_test_rsa_no_crt () { tests/context-info.sh } +component_test_config_no_entropy () { + msg "build: configs/config-no-entropy.h" + cp configs/config-no-entropy.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-no-entropy.h - unit tests" + make test +} + component_test_no_ctr_drbg_classic () { msg "build: Full minus CTR_DRBG, classic crypto in TLS" scripts/config.py full diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 5557de3276..9198293d46 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -24,8 +24,6 @@ my %configs = ( 'opt' => ' ', 'opt_needs_debug' => 1, }, - 'config-no-entropy.h' => { - }, 'config-suite-b.h' => { 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'opt' => ' ', From f3d501919133a904c508f6bcd0f141c6a9475e14 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:10:05 +0200 Subject: [PATCH 21/28] Move config-ccm-psk-tls1_2.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 46 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 3 -- 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 7debb342b0..55135062ce 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -224,6 +224,52 @@ component_test_tls1_2_ecjpake_compatibility () { rm s2_no_use_psa c2_no_use_psa } +component_test_tls1_2_ccm_psk_legacy () { + msg "build: configs/config-ccm-psk-tls1_2.h" + cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-tls1_2.h - unit tests" + make test + + msg "test: configs/config-ccm-psk-tls1_2.h - compat.sh" + tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' +} + +component_test_tls1_2_ccm_psk_psa () { + msg "build: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO" + cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO - compat.sh" + tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' +} + component_test_small_ssl_out_content_len () { msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 9198293d46..92197d7c5e 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,9 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-ccm-psk-tls1_2.h' => { - 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', - }, 'config-ccm-psk-dtls1_2.h' => { 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'opt' => ' ', From 9929237537b4c301f5a90d7688b56437a4dc7095 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:19:31 +0200 Subject: [PATCH 22/28] Move config-ccm-psk-dtls1_2.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 66 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 5 -- 2 files changed, 66 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 55135062ce..380334cb7e 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -270,6 +270,72 @@ component_test_tls1_2_ccm_psk_psa () { tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' } +component_test_tls1_2_ccm_psk_dtls_legacy () { + msg "build: configs/config-ccm-psk-dtls1_2.h" + cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-dtls1_2.h - unit tests" + make test + + msg "test: configs/config-ccm-psk-dtls1_2.h - compat.sh" + tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' + + msg "build: configs/config-ccm-psk-dtls1_2.h + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-ccm-psk-dtls1_2.h + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + +component_test_tls1_2_ccm_psk_dtls_psa () { + msg "build: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO" + cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO - compat.sh" + tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' + + msg "build: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + component_test_small_ssl_out_content_len () { msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 92197d7c5e..27620b2c58 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,11 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-ccm-psk-dtls1_2.h' => { - 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', - 'opt' => ' ', - 'opt_needs_debug' => 1, - }, 'config-suite-b.h' => { 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'opt' => ' ', From e9cd6a70111855e2e0e5ab5726829227adebe5ec Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:21:29 +0200 Subject: [PATCH 23/28] Move config-suite-b.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 66 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 5 -- 2 files changed, 66 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 380334cb7e..62a09cddce 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -9,6 +9,72 @@ #### Configuration Testing - TLS ################################################################ +component_test_config_suite_b_legacy () { + msg "build: configs/config-suite-b.h" + cp configs/config-suite-b.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-suite-b.h - unit tests" + make test + + msg "test: configs/config-suite-b.h - compat.sh" + tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS + + msg "build: configs/config-suite-b.h + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-suite-b.h + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + +component_test_config_suite_b_psa () { + msg "build: configs/config-suite-b.h + USE_PSA_CRYPTO" + cp configs/config-suite-b.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO - compat.sh" + tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS + + msg "build: configs/config-suite-b.h + USE_PSA_CRYPTO + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + component_test_no_renegotiation () { msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 27620b2c58..dbe373c59c 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,11 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-suite-b.h' => { - 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", - 'opt' => ' ', - 'opt_needs_debug' => 1, - }, 'config-symmetric-only.h' => { }, 'config-tfm.h' => { From e62925f1e61fe7c8b6da4267e8d46dccee446128 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:24:07 +0200 Subject: [PATCH 24/28] Move config-thread.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 46 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 3 -- 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 62a09cddce..23c9d68b9f 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -257,6 +257,52 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { tests/ssl-opt.sh -f "TLS 1.2" } +component_test_config_thread_legacy () { + msg "build: configs/config-thread.h" + cp configs/config-thread.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-thread.h - unit tests" + make test + + msg "test: configs/config-thread.h - ssl-opt.sh" + tests/ssl-opt.sh -f 'ECJPAKE.*nolog' +} + +component_test_config_thread_psa () { + msg "build: configs/config-thread.h + USE_PSA_CRYPTO" + cp configs/config-thread.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-thread.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-thread.h + USE_PSA_CRYPTO - ssl-opt.sh" + tests/ssl-opt.sh -f 'ECJPAKE.*nolog' +} + # We're not aware of any other (open source) implementation of EC J-PAKE in TLS # that we could use for interop testing. However, we now have sort of two # implementations ourselves: one using PSA, the other not. At least test that diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index dbe373c59c..269fb2130e 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -20,9 +20,6 @@ my %configs = ( }, 'config-tfm.h' => { }, - 'config-thread.h' => { - 'opt' => '-f ECJPAKE.*nolog', - }, ); # If no config-name is provided, use all known configs. From dbd0f424b0d2f91a8432ac1cc22335fd93d7436b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:27:44 +0200 Subject: [PATCH 25/28] Move config-symmetric-only.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- .../components-configuration-crypto.sh | 40 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 2 - 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 83188aed10..15b0f397d1 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -535,6 +535,46 @@ component_test_full_no_ccm_star_no_tag () { make test } +component_test_config_symmetric_only_legacy () { + msg "build: configs/config-symmetric-only.h" + cp configs/config-symmetric-only.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-symmetric-only.h - unit tests" + make test +} + +component_test_config_symmetric_only_psa () { + msg "build: configs/config-symmetric-only.h + USE_PSA_CRYPTO" + cp configs/config-symmetric-only.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-symmetric-only.h + USE_PSA_CRYPTO - unit tests" + make test +} + component_test_full_no_bignum () { msg "build: full minus bignum" scripts/config.py full diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 269fb2130e..e6a499da9b 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,8 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-symmetric-only.h' => { - }, 'config-tfm.h' => { }, ); From ced0edc43e01aaff4885b81960a799d3e39bb115 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:35:36 +0200 Subject: [PATCH 26/28] Move config-tfm.h testing to separate all.sh component Rename the existing component_test_tfm_config which tests a modified version of config-tfm.h for the sake of driver-vs-reference comparison. Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 2 +- .../scripts/components-configuration-crypto.sh | 18 ++++++++++++++---- tests/scripts/test-ref-configs.pl | 2 -- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 58c17831ae..e78e90c1f5 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -576,7 +576,7 @@ KNOWN_TASKS = { 'analyze_driver_vs_reference_tfm_config': { 'test_function': do_analyze_driver_vs_reference, 'args': { - 'component_ref': 'test_tfm_config', + 'component_ref': 'test_tfm_config_no_p256m', 'component_driver': 'test_tfm_config_p256m_driver_accel_ec', 'ignored_suites': [ # Modules replaced by drivers diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 15b0f397d1..459aa6fe5a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1640,9 +1640,19 @@ component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" } +component_test_tfm_config_as_is () { + msg "build: configs/config-tfm.h" + cp configs/config-tfm.h "$CONFIG_H" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-tfm.h - unit tests" + make test +} + # Helper for setting common configurations between: # - component_test_tfm_config_p256m_driver_accel_ec() -# - component_test_tfm_config() +# - component_test_tfm_config_no_p256m() common_tfm_config () { # Enable TF-M config cp configs/config-tfm.h "$CONFIG_H" @@ -1696,14 +1706,14 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as # they are both meant to be used in analyze_outcomes.py for driver's coverage # analysis. -component_test_tfm_config () { +component_test_tfm_config_no_p256m () { common_tfm_config # Disable P256M driver, which is on by default, so that analyze_outcomes # can compare this test with test_tfm_config_p256m_driver_accel_ec echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" - msg "build: TF-M config" + msg "build: TF-M config without p256m" make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests # Check that p256m was not built @@ -1713,7 +1723,7 @@ component_test_tfm_config () { # files, so we want to ensure that it has not be re-enabled accidentally. not grep mbedtls_cipher library/cipher.o - msg "test: TF-M config" + msg "test: TF-M config without p256m" make test } diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index e6a499da9b..2e97510774 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,8 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-tfm.h' => { - }, ); # If no config-name is provided, use all known configs. From fde24b85ae066bb6d8ed517636e0cd7a82e2474b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:41:36 +0200 Subject: [PATCH 27/28] Remove test-ref-configs.pl, which no longer does anything Signed-off-by: Gilles Peskine --- tests/scripts/basic-in-docker.sh | 1 - tests/scripts/components-configuration.sh | 15 --- tests/scripts/test-ref-configs.pl | 136 ---------------------- 3 files changed, 152 deletions(-) delete mode 100755 tests/scripts/test-ref-configs.pl diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh index 3aca3a134d..81ee8d61e1 100755 --- a/tests/scripts/basic-in-docker.sh +++ b/tests/scripts/basic-in-docker.sh @@ -31,7 +31,6 @@ for compiler in clang gcc; do run_in_docker programs/test/selftest run_in_docker -e OSSL_NO_DTLS=1 tests/compat.sh run_in_docker tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' - run_in_docker tests/scripts/test-ref-configs.pl run_in_docker tests/scripts/depends.py curves run_in_docker tests/scripts/depends.py kex done diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 3a75c4c1e7..559f353d85 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -129,21 +129,6 @@ component_test_full_cmake_gcc_asan_new_bignum () { tests/context-info.sh } -component_test_ref_configs () { - msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . - tests/scripts/test-ref-configs.pl -} - component_test_full_cmake_clang () { msg "build: cmake, full config, clang" # ~ 50s scripts/config.py full diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl deleted file mode 100755 index 2e97510774..0000000000 --- a/tests/scripts/test-ref-configs.pl +++ /dev/null @@ -1,136 +0,0 @@ -#!/usr/bin/env perl - -# test-ref-configs.pl -# -# Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later -# -# Purpose -# -# For each reference configuration file in the configs directory, build the -# configuration, run the test suites and compat.sh -# -# Usage: tests/scripts/test-ref-configs.pl [config-name [...]] - -use warnings; -use strict; - -my %configs = ( -); - -# If no config-name is provided, use all known configs. -# Otherwise, use the provided names only. -my @configs_to_test = sort keys %configs; -if ($#ARGV >= 0) { - foreach my $conf_name ( @ARGV ) { - if( ! exists $configs{$conf_name} ) { - die "Unknown configuration: $conf_name\n"; - } - } - @configs_to_test = @ARGV; -} - --d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n"; - -my $config_h = 'include/mbedtls/mbedtls_config.h'; - -system( "cp $config_h $config_h.bak" ) and die; -sub abort { - system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; - # use an exit code between 1 and 124 for git bisect (die returns 255) - warn $_[0]; - exit 1; -} - -# Create a seedfile for configurations that enable MBEDTLS_ENTROPY_NV_SEED. -# For test purposes, this doesn't have to be cryptographically random. -if (!-e "tests/seedfile" || -s "tests/seedfile" < 64) { - local *SEEDFILE; - open SEEDFILE, ">tests/seedfile" or die; - print SEEDFILE "*" x 64 or die; - close SEEDFILE or die; -} - -sub perform_test { - my $conf_file = $_[0]; - my $data = $_[1]; - my $test_with_psa = $_[2]; - - my $conf_name = $conf_file; - if ( $test_with_psa ) - { - $conf_name .= "+PSA"; - } - - system( "cp $config_h.bak $config_h" ) and die; - system( "make clean" ) and die; - - print "\n******************************************\n"; - print "* Testing configuration: $conf_name\n"; - print "******************************************\n"; - - $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf_name; - - system( "cp configs/$conf_file $config_h" ) - and abort "Failed to activate $conf_file\n"; - - if ( $test_with_psa ) - { - system( "scripts/config.py set MBEDTLS_PSA_CRYPTO_C" ); - system( "scripts/config.py set MBEDTLS_USE_PSA_CRYPTO" ); - } - - system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf_name\n"; - system( "make test" ) and abort "Failed test suite: $conf_name\n"; - - my $compat = $data->{'compat'}; - if( $compat ) - { - print "\nrunning compat.sh $compat ($conf_name)\n"; - system( "tests/compat.sh $compat" ) - and abort "Failed compat.sh: $conf_name\n"; - } - else - { - print "\nskipping compat.sh ($conf_name)\n"; - } - - my $opt = $data->{'opt'}; - if( $opt ) - { - if( $data->{'opt_needs_debug'} ) - { - print "\nrebuilding with debug traces for ssl-opt ($conf_name)\n"; - $conf_name .= '+DEBUG'; - $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf_name; - system( "make clean" ); - system( "scripts/config.py set MBEDTLS_DEBUG_C" ); - system( "scripts/config.py set MBEDTLS_ERROR_C" ); - system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf_name\n"; - } - - print "\nrunning ssl-opt.sh $opt ($conf_name)\n"; - system( "tests/ssl-opt.sh $opt" ) - and abort "Failed ssl-opt.sh: $conf_name\n"; - } - else - { - print "\nskipping ssl-opt.sh ($conf_name)\n"; - } -} - -foreach my $conf ( @configs_to_test ) { - system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null"); - die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100; - my $test_with_psa = $? == 0; - - if ( $test_with_psa ) - { - perform_test( $conf, $configs{$conf}, $test_with_psa ); - } - perform_test( $conf, $configs{$conf}, 0 ); -} - -system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; -system( "make clean" ); -exit 0; From 5a2bcf6f3e026baede907e0caa4089d48b99fc5b Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Fri, 20 Sep 2024 12:41:24 +0200 Subject: [PATCH 28/28] Remove PSA macros usage from adapters Signed-off-by: Gabor Mezei --- scripts/config.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index c75988d6b1..7c26528ddf 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -103,9 +103,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) 'MBEDTLS_X509_REMOVE_INFO', # removes a feature - *PSA_UNSUPPORTED_FEATURE, - *PSA_DEPRECATED_FEATURE, - *PSA_UNSTABLE_FEATURE ]) def is_seamless_alt(name): @@ -212,8 +209,6 @@ def include_in_crypto(name): 'MBEDTLS_PKCS7_C', # part of libmbedx509 ]: return False - if name in EXCLUDE_FROM_CRYPTO: - return False return True def crypto_adapter(adapter): @@ -232,7 +227,6 @@ def crypto_adapter(adapter): DEPRECATED = frozenset([ 'MBEDTLS_PSA_CRYPTO_SE_C', - *PSA_DEPRECATED_FEATURE ]) def no_deprecated_adapter(adapter): """Modify an adapter to disable deprecated symbols.