From 5bc887c64444c244300f17710a5d6a936ae5a3a2 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 13 Jun 2024 12:57:00 +0200 Subject: [PATCH 1/5] Update `full_no_cipher_no_psa_crypto` test component With replacing the `MD_CAN` macros with `PSA_WANT` counterparts the pure legacy test cases are needing the config options from `crypto_config.h`. Signed-off-by: Gabor Mezei --- tests/scripts/all.sh | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 35b3ff90bd..6c2b428b69 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1711,13 +1711,10 @@ component_test_crypto_full_md_light_only () { make test } -component_test_full_no_cipher_no_psa_crypto () { +component_test_full_no_cipher_with_legacy () { msg "build: full no CIPHER no PSA_CRYPTO_C" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C - # Don't pull in cipher via PSA mechanisms - # (currently ignored anyway because we completely disable PSA) - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG # Disable features that depend on CIPHER_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C 
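Review bot: The first all.sh hunk renames the component to `component_test_full_no_cipher_with_legacy`, but the unchanged `msg "build: full no CIPHER no PSA_CRYPTO_C"` line still describes the old configuration, so the log label and the function name now disagree. Either keep `no_psa_crypto` in the name or update the message to match what the component builds. The removed `unset MBEDTLS_PSA_CRYPTO_CONFIG` also deserves a replacement comment explaining why the option is now left enabled, for example `# Keep MBEDTLS_PSA_CRYPTO_CONFIG: legacy test dependencies are now expressed as PSA_WANT_* from crypto_config.h`. The function body continues past the end of this hunk.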
@@ -1725,6 +1722,21 @@ component_test_full_no_cipher_no_psa_crypto () {
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
 scripts/config.py unset MBEDTLS_SSL_TLS_C
 scripts/config.py unset MBEDTLS_SSL_TICKET_C
+ # The built-in implementation of the following algs/key-types depends
+ # on CIPHER_C so we disable them.
+ # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
+ # so we keep them enabled.
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DESPSA_WANT_ALG_CMAC
 # Disable features that depend on PSA_CRYPTO_C
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
From df59c630a510991b998bb16479fafb7757770324 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Thu, 13 Jun 2024 16:13:17 +0200
Subject: [PATCH 2/5] Update `config-no-entropy.h` for 'PSA_WANT' macros

Signed-off-by: Gabor Mezei
---
 configs/config-no-entropy.h | 3 +++
 configs/crypto-config-no-entropy.h | 39 ++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 configs/crypto-config-no-entropy.h

diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h
index ddb00b41ef..0a8dd14760 100644
--- a/configs/config-no-entropy.h
+++ b/configs/config-no-entropy.h
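Review bot: The last added line of the second all.sh hunk passes `PSA_WANT_KEY_TYPE_DESPSA_WANT_ALG_CMAC` to `config.py unset`, which looks like two symbol names fused together. As written, PSA_WANT_KEY_TYPE_DES is never unset, so a key type that the comment above says depends on CIPHER_C stays enabled; whether config.py rejects or silently ignores the unknown symbol is not visible here. PSA_WANT_ALG_CMAC is already unset earlier in the list, so the line should read `scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES`. Quoting the path as `"$CRYPTO_CONFIG_H"` on these lines would also guard against word splitting. The component body starts and ends outside this hunk.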
@@ -17,6 +17,9 @@ * See README.txt for usage instructions. */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-no-entropy.h" +#define MBEDTLS_PSA_CRYPTO_CONFIG + /* System support */ #define MBEDTLS_HAVE_ASM #define MBEDTLS_HAVE_TIME diff --git a/configs/crypto-config-no-entropy.h b/configs/crypto-config-no-entropy.h new file mode 100644 index 0000000000..9a9afe7da3 --- /dev/null +++ b/configs/crypto-config-no-entropy.h @@ -0,0 +1,39 @@ +/** + * \file crypto-config-no-entropy.h + * + * \brief Minimal crypto configuration of features that do not require an entropy source + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ +/* + * Minimal configuration of features that do not require an entropy source + * Distinguishing features: + * - no entropy module + * - no TLS protocol implementation available due to absence of an entropy + * source + * + * See README.txt for usage instructions. + */ + +#define PSA_WANT_ALG_CBC_PKCS7 1 +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 +#define PSA_WANT_ALG_ECDSA 1 +#define PSA_WANT_ALG_GCM 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_RSA_OAEP 1 +#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 +#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 +#define PSA_WANT_ALG_RSA_PSS 1 +#define PSA_WANT_ALG_SHA_224 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_SHA_384 1 +#define PSA_WANT_ALG_SHA_512 1 + +#define PSA_WANT_ECC_MONTGOMERY_255 1 +#define PSA_WANT_ECC_SECP_R1_256 1 +#define PSA_WANT_ECC_SECP_R1_384 1 + +#define PSA_WANT_KEY_TYPE_AES 1 From 13db41006c404fdf69805e2a8db81abf67624a31 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 18 Jun 2024 17:35:00 +0200 Subject: [PATCH 3/5] Revert "Update `config-no-entropy.h` for 'PSA_WANT' macros" This reverts commit df59c630a510991b998bb16479fafb7757770324. 
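Review bot: The new `configs/crypto-config-no-entropy.h` is documented as holding features that need no entropy source, yet it requests `PSA_WANT_ALG_ECDSA`, `PSA_WANT_ALG_RSA_PSS`, `PSA_WANT_ALG_RSA_OAEP` and `PSA_WANT_ALG_RSA_PKCS1V15_CRYPT`, whose signing and encryption operations are randomized. If they are enabled only for verification, or only to derive the legacy module dependencies, the header comment should say so, for example `/* Randomized algorithms are listed for verification only; this configuration provides no RNG. */`. Otherwise these entries contradict the file's stated purpose and should be dropped. The file also requests only `PSA_WANT_KEY_TYPE_AES`; presumably the RSA and ECC algorithms above need their key types requested as well, which is worth confirming against the PSA configuration rules.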
Signed-off-by: Gabor Mezei --- configs/config-no-entropy.h | 3 --- configs/crypto-config-no-entropy.h | 39 ------------------------------ 2 files changed, 42 deletions(-) delete mode 100644 configs/crypto-config-no-entropy.h diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h index 0a8dd14760..ddb00b41ef 100644 --- a/configs/config-no-entropy.h +++ b/configs/config-no-entropy.h @@ -17,9 +17,6 @@ * See README.txt for usage instructions. */ -#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-no-entropy.h" -#define MBEDTLS_PSA_CRYPTO_CONFIG - /* System support */ #define MBEDTLS_HAVE_ASM #define MBEDTLS_HAVE_TIME diff --git a/configs/crypto-config-no-entropy.h b/configs/crypto-config-no-entropy.h deleted file mode 100644 index 9a9afe7da3..0000000000 --- a/configs/crypto-config-no-entropy.h +++ /dev/null 
@@ -1,39 +0,0 @@
-/**
- * \file crypto-config-no-entropy.h
- *
- * \brief Minimal crypto configuration of features that do not require an entropy source
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-/*
- * Minimal configuration of features that do not require an entropy source
- * Distinguishing features:
- * - no entropy module
- * - no TLS protocol implementation available due to absence of an entropy
- * source
- *
- * See README.txt for usage instructions.
- */
-
-#define PSA_WANT_ALG_CBC_PKCS7 1
-#define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
-#define PSA_WANT_ALG_ECDSA 1
-#define PSA_WANT_ALG_GCM 1
-#define PSA_WANT_ALG_HMAC 1
-#define PSA_WANT_ALG_RSA_OAEP 1
-#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
-#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
-#define PSA_WANT_ALG_RSA_PSS 1
-#define PSA_WANT_ALG_SHA_224 1
-#define PSA_WANT_ALG_SHA_256 1
-#define PSA_WANT_ALG_SHA_384 1
-#define PSA_WANT_ALG_SHA_512 1
-
-#define PSA_WANT_ECC_MONTGOMERY_255 1
-#define PSA_WANT_ECC_SECP_R1_256 1
-#define PSA_WANT_ECC_SECP_R1_384 1
-
-#define PSA_WANT_KEY_TYPE_AES 1
From eafefb7a22081dc0af49fb6ac560b0d24665758f Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 18 Jun 2024 17:35:25 +0200
Subject: [PATCH 4/5] Revert "Update `full_no_cipher_no_psa_crypto` test component"

This reverts commit 5bc887c64444c244300f17710a5d6a936ae5a3a2.

Signed-off-by: Gabor Mezei
---
 tests/scripts/all.sh | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6c2b428b69..35b3ff90bd 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1711,10 +1711,13 @@ component_test_crypto_full_md_light_only () { make test } -component_test_full_no_cipher_with_legacy () { +component_test_full_no_cipher_no_psa_crypto () { msg "build: full no CIPHER no PSA_CRYPTO_C" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C + # Don't pull in cipher via PSA mechanisms + # (currently ignored anyway because we completely disable PSA) + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG # Disable features that depend on CIPHER_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -1722,21 +1725,6 @@ component_test_full_no_cipher_with_legacy () { scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C - # The built-in implementation of the following algs/key-types depends - # on CIPHER_C so we disable them. - # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 - # so we keep them enabled. - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DESPSA_WANT_ALG_CMAC # Disable features that depend on PSA_CRYPTO_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C From 1b646c2d79f5262a3ef08c24394ca13a9986ec39 Mon Sep 17 00:00:00 2001 
From: Gabor Mezei
Date: Mon, 17 Jun 2024 16:45:14 +0200
Subject: [PATCH 5/5] Remove `config-no-entropy.h`

Signed-off-by: Gabor Mezei
---
 configs/config-no-entropy.h | 73 -------------------------------
 tests/scripts/test-ref-configs.pl | 2 -
 2 files changed, 75 deletions(-)
 delete mode 100644 configs/config-no-entropy.h

diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h
deleted file mode 100644
index ddb00b41ef..0000000000
--- a/configs/config-no-entropy.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * \file config-no-entropy.h
- *
- * \brief Minimal configuration of features that do not require an entropy source
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-/*
- * Minimal configuration of features that do not require an entropy source
- * Distinguishing features:
- * - no entropy module
- * - no TLS protocol implementation available due to absence of an entropy
- * source
- *
- * See README.txt for usage instructions.
- */
-
-/* System support */
-#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-
-/* Mbed TLS feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#define MBEDTLS_ECP_NIST_OPTIM
-#define MBEDTLS_ECDSA_DETERMINISTIC
-#define MBEDTLS_PK_RSA_ALT_SUPPORT
-#define MBEDTLS_PKCS1_V15
-#define MBEDTLS_PKCS1_V21
-#define MBEDTLS_SELF_TEST
-#define MBEDTLS_VERSION_FEATURES
-
-/* Mbed TLS modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ERROR_C
-#define MBEDTLS_GCM_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_RSA_C
-/* The library does not currently support enabling SHA-224 without SHA-256.
- * A future version of the library will have this option disabled
- * by default. */
-#define MBEDTLS_SHA224_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
-#define MBEDTLS_VERSION_C
-#define MBEDTLS_X509_USE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_X509_CRL_PARSE_C
-//#define MBEDTLS_CMAC_C
-
-/* Miscellaneous options */
-#define MBEDTLS_AES_ROM_TABLES
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index 5557de3276..9198293d46 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -24,8 +24,6 @@ my %configs = (
 'opt' => ' ',
 'opt_needs_debug' => 1,
 },
- 'config-no-entropy.h' => {
- },
 'config-suite-b.h' => {
 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS",
 'opt' => ' ',