mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Merge pull request #9614 from gilles-peskine-arm/use_psa_crypto-always_on
Always enable MBEDTLS_USE_PSA_CRYPTO in all.sh
This commit is contained in:
Gilles Peskine
GitHub
@ -183,29 +183,6 @@ component_test_rsa_no_crt () {
|
||||
tests/context-info.sh
|
||||
}
|
||||
|
||||
component_test_no_ctr_drbg_classic () {
|
||||
msg "build: Full minus CTR_DRBG, classic crypto in TLS"
|
||||
scripts/config.py full
|
||||
scripts/config.py unset MBEDTLS_CTR_DRBG_C
|
||||
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
|
||||
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
|
||||
|
||||
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
|
||||
make
|
||||
|
||||
msg "test: Full minus CTR_DRBG, classic crypto - main suites"
|
||||
make test
|
||||
|
||||
# In this configuration, the TLS test programs use HMAC_DRBG.
|
||||
# The SSL tests are slow, so run a small subset, just enough to get
|
||||
# confidence that the SSL code copes with HMAC_DRBG.
|
||||
msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)"
|
||||
tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
|
||||
|
||||
msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)"
|
||||
tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
|
||||
}
|
||||
|
||||
component_test_no_ctr_drbg_use_psa () {
|
||||
msg "build: Full minus CTR_DRBG, PSA crypto in TLS"
|
||||
scripts/config.py full
|
||||
@ -228,34 +205,6 @@ component_test_no_ctr_drbg_use_psa () {
|
||||
tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
|
||||
}
|
||||
|
||||
component_test_no_hmac_drbg_classic () {
|
||||
msg "build: Full minus HMAC_DRBG, classic crypto in TLS"
|
||||
scripts/config.py full
|
||||
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
|
||||
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
|
||||
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
|
||||
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
|
||||
|
||||
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
|
||||
make
|
||||
|
||||
msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
|
||||
make test
|
||||
|
||||
# Normally our ECDSA implementation uses deterministic ECDSA. But since
|
||||
# HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
|
||||
# instead.
|
||||
# Test SSL with non-deterministic ECDSA. Only test features that
|
||||
# might be affected by how ECDSA signature is performed.
|
||||
msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)"
|
||||
tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
|
||||
|
||||
# To save time, only test one protocol version, since this part of
|
||||
# the protocol is identical in (D)TLS up to 1.2.
|
||||
msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)"
|
||||
tests/compat.sh -m tls12 -t 'ECDSA'
|
||||
}
|
||||
|
||||
component_test_no_hmac_drbg_use_psa () {
|
||||
msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
|
||||
scripts/config.py full
|
||||
@ -283,30 +232,6 @@ component_test_no_hmac_drbg_use_psa () {
|
||||
tests/compat.sh -m tls12 -t 'ECDSA'
|
||||
}
|
||||
|
||||
component_test_psa_external_rng_no_drbg_classic () {
|
||||
msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS"
|
||||
scripts/config.py full
|
||||
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
|
||||
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
|
||||
scripts/config.py unset MBEDTLS_ENTROPY_C
|
||||
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
|
||||
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
|
||||
scripts/config.py unset MBEDTLS_CTR_DRBG_C
|
||||
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
|
||||
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
|
||||
# When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
|
||||
# the SSL test programs don't have an RNG and can't work. Explicitly
|
||||
# make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
|
||||
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
|
||||
|
||||
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
|
||||
make test
|
||||
|
||||
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)"
|
||||
tests/ssl-opt.sh -f 'Default'
|
||||
}
|
||||
|
||||
component_test_psa_external_rng_no_drbg_use_psa () {
|
||||
msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
|
||||
scripts/config.py full
|
||||
@ -1576,17 +1501,17 @@ component_test_tfm_config_no_p256m () {
|
||||
# - component_test_psa_ecc_key_pair_no_generate
|
||||
# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols
|
||||
# enabled, but one. Input arguments are as follows:
|
||||
# - $1 is the key type under test, i.e. ECC/RSA/DH
|
||||
# - $2 is the key option to be unset (i.e. generate, derive, etc)
|
||||
# - $1 is the configuration to start from
|
||||
# - $2 is the key type under test, i.e. ECC/RSA/DH
|
||||
# - $3 is the key option to be unset (i.e. generate, derive, etc)
|
||||
build_and_test_psa_want_key_pair_partial () {
|
||||
key_type=$1
|
||||
unset_option=$2
|
||||
base_config=$1
|
||||
key_type=$2
|
||||
unset_option=$3
|
||||
disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
|
||||
|
||||
msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
|
||||
scripts/config.py full
|
||||
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
|
||||
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
|
||||
msg "build: $base_config - ${disabled_psa_want}"
|
||||
scripts/config.py "$base_config"
|
||||
|
||||
# All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
|
||||
# crypto_config.h so we just disable the one we don't want.
|
||||
@ -1594,16 +1519,20 @@ build_and_test_psa_want_key_pair_partial () {
|
||||
|
||||
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
|
||||
|
||||
msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
|
||||
msg "test: $base_config - ${disabled_psa_want}"
|
||||
make test
|
||||
}
|
||||
|
||||
component_test_psa_ecc_key_pair_no_derive () {
|
||||
build_and_test_psa_want_key_pair_partial "ECC" "DERIVE"
|
||||
build_and_test_psa_want_key_pair_partial full "ECC" "DERIVE"
|
||||
}
|
||||
|
||||
component_test_psa_ecc_key_pair_no_generate () {
|
||||
build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
|
||||
# TLS needs ECC key generation whenever ephemeral ECDH is enabled.
|
||||
# We don't have proper guards for configurations with ECC key generation
|
||||
# disabled (https://github.com/Mbed-TLS/mbedtls/issues/9481). Until
|
||||
# then (if ever), just test the crypto part of the library.
|
||||
build_and_test_psa_want_key_pair_partial crypto_full "ECC" "GENERATE"
|
||||
}
|
||||
|
||||
config_psa_crypto_accel_rsa () {
|
||||
|
||||
Reference in New Issue
Block a user