	Enable USE_PSA_CRYPTO with config.pl full
Previously it was disabled as too experimental, which no longer holds. Also, this option introduces new APIs, so it's not only about an internal alternative (as the comment in config.pl used to state) - people who request a full config should get all of the available APIs. Adapt all.sh: now all builds with full config will also test this option, and builds with the default config will test without it. Just to be sure, let's have a build with full config minus this option. Update documentation of MBEDTLS_USE_PSA_CRYPTO to reflect the status of the new APIs it enables in Mbed TLS and why they're still opt-in.
		
				
					committed by
					
						 Andrzej Kurek
						Andrzej Kurek
					
				
			
			
				
	
			
			
			
						parent
						
							de7636e2dd
						
					
				
				
					commit
					971dea3745
				
			| @@ -1726,18 +1726,26 @@ | |||||||
| /** | /** | ||||||
|  * \def MBEDTLS_USE_PSA_CRYPTO |  * \def MBEDTLS_USE_PSA_CRYPTO | ||||||
|  * |  * | ||||||
|  * Make the X.509 and TLS library use PSA for cryptographic operations, see |  * Make the X.509 and TLS library use PSA for cryptographic operations, and | ||||||
|  * #MBEDTLS_PSA_CRYPTO_C. |  * enable new APIs for using keys handled by PSA Crypto. | ||||||
|  * |  * | ||||||
|  * Note: this option is still in progress, the full X.509 and TLS modules are |  * \note This option is still in progress, the full X.509 and TLS modules are | ||||||
|  * not covered yet, but parts that are not ported to PSA yet will still work |  * not covered yet, but parts that are not ported to PSA yet will still work | ||||||
|  * as usual, so enabling this option should not break backwards compatibility. |  * as usual, so enabling this option should not break backwards compatibility. | ||||||
|  * |  * | ||||||
|  * \warning  Support for PSA is still an experimental feature. |  * \warning The PSA Crypto API is still beta status. While you're welcome to | ||||||
|  *           Any public API that depends on this option may change |  * experiment using it, incompatible API changes are still possible, and some | ||||||
|  *           at any time until this warning is removed. |  * parts may not have reached the same quality as the rest of Mbed TLS yet. | ||||||
|  |  * | ||||||
|  |  * \warning This option enables new Mbed TLS APIs that are dependent on the | ||||||
|  |  * PSA Crypto API, so can't come with the same stability guarantees as the | ||||||
|  |  * rest of the Mbed TLS APIs. You're welcome to experiment with them, but for | ||||||
|  |  * now access to these APIs is opt-in (via enabling the present option), in | ||||||
|  |  * order to clearly differentiate them from the stable Mbed TLS APIs. | ||||||
|  * |  * | ||||||
|  * Requires: MBEDTLS_PSA_CRYPTO_C. |  * Requires: MBEDTLS_PSA_CRYPTO_C. | ||||||
|  |  * | ||||||
|  |  * Uncomment this to enable internal use of PSA Crypto and new associated APIs | ||||||
|  */ |  */ | ||||||
| //#define MBEDTLS_USE_PSA_CRYPTO | //#define MBEDTLS_USE_PSA_CRYPTO | ||||||
|  |  | ||||||
|   | |||||||
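Review bot: The rewritten comment for MBEDTLS_USE_PSA_CRYPTO states the compile-time dependency (`Requires: MBEDTLS_PSA_CRYPTO_C.`) but not what an application must do at run time once X.509 and TLS route operations through PSA. This matters more now that the commit turns the option on for every `config.pl full` build. If the PSA subsystem has to be initialised before those modules are used, which is the usual PSA Crypto contract but is not visible in this hunk, a line such as `\note Applications built with this option are expected to call psa_crypto_init() before using the TLS or X.509 modules.` should be added after checking it against the implementation. Separately, the first `\warning` would read better as "is still in beta" than "is still beta status".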
| @@ -37,9 +37,6 @@ | |||||||
| #       - this could be enabled if the respective tests were adapted | #       - this could be enabled if the respective tests were adapted | ||||||
| #   MBEDTLS_ZLIB_SUPPORT | #   MBEDTLS_ZLIB_SUPPORT | ||||||
| #   MBEDTLS_PKCS11_C | #   MBEDTLS_PKCS11_C | ||||||
| #   MBEDTLS_USE_PSA_CRYPTO |  | ||||||
| #       - experimental, and more an alternative implementation than a feature |  | ||||||
| #   MBEDTLS_PSA_ITS_FILE_C |  | ||||||
| #   MBEDTLS_PSA_CRYPTO_SPM | #   MBEDTLS_PSA_CRYPTO_SPM | ||||||
| #   MBEDTLS_PSA_INJECT_ENTROPY | #   MBEDTLS_PSA_INJECT_ENTROPY | ||||||
| #   and any symbol beginning _ALT | #   and any symbol beginning _ALT | ||||||
| @@ -103,8 +100,6 @@ MBEDTLS_ZLIB_SUPPORT | |||||||
| MBEDTLS_PKCS11_C | MBEDTLS_PKCS11_C | ||||||
| MBEDTLS_NO_UDBL_DIVISION | MBEDTLS_NO_UDBL_DIVISION | ||||||
| MBEDTLS_NO_64BIT_MULTIPLICATION | MBEDTLS_NO_64BIT_MULTIPLICATION | ||||||
| MBEDTLS_USE_PSA_CRYPTO |  | ||||||
| MBEDTLS_PSA_ITS_FILE_C |  | ||||||
| MBEDTLS_PSA_CRYPTO_SPM | MBEDTLS_PSA_CRYPTO_SPM | ||||||
| MBEDTLS_PSA_INJECT_ENTROPY | MBEDTLS_PSA_INJECT_ENTROPY | ||||||
| _ALT\s*$ | _ALT\s*$ | ||||||
|   | |||||||
| @@ -840,6 +840,7 @@ component_test_not_submodule_make () { | |||||||
|     scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA |     scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA | ||||||
|     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule |     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule | ||||||
|     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA |     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA | ||||||
|  |     scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA | ||||||
|     make CC=gcc CFLAGS='-g' USE_CRYPTO_SUBMODULE=0 |     make CC=gcc CFLAGS='-g' USE_CRYPTO_SUBMODULE=0 | ||||||
|  |  | ||||||
|     msg "test: submodule libmbedcrypto wasn't built (no USE_CRYPTO_SUBMODULE, make)" |     msg "test: submodule libmbedcrypto wasn't built (no USE_CRYPTO_SUBMODULE, make)" | ||||||
| @@ -863,6 +864,8 @@ component_test_not_submodule_cmake () { | |||||||
|     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests |     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests | ||||||
|     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule |     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule | ||||||
|     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA |     scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA | ||||||
|  |     scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA | ||||||
|  |     scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA | ||||||
|     CC=gcc cmake -D CMAKE_BUILD_TYPE=Debug -D USE_CRYPTO_SUBMODULE=Off . |     CC=gcc cmake -D CMAKE_BUILD_TYPE=Debug -D USE_CRYPTO_SUBMODULE=Off . | ||||||
|     make |     make | ||||||
|  |  | ||||||
| @@ -880,33 +883,34 @@ component_test_not_submodule_cmake () { | |||||||
|     if_build_succeeded tests/ssl-opt.sh |     if_build_succeeded tests/ssl-opt.sh | ||||||
| } | } | ||||||
|  |  | ||||||
| component_test_use_psa_crypto_full_cmake_asan() { | component_test_no_use_psa_crypto_full_cmake_asan() { | ||||||
|     # MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh |     # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh | ||||||
|     msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan" |     msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan" | ||||||
|     scripts/config.pl full |     scripts/config.pl full | ||||||
|     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests |     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests | ||||||
|     scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE  # restartable ECC not supported through PSA |     scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE  # restartable ECC not supported through PSA | ||||||
|     scripts/config.pl set MBEDTLS_PSA_CRYPTO_C |     scripts/config.pl set MBEDTLS_PSA_CRYPTO_C | ||||||
|     scripts/config.pl set MBEDTLS_USE_PSA_CRYPTO |     scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO | ||||||
|  |     scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C | ||||||
|     CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . |     CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . | ||||||
|     make |     make | ||||||
|  |  | ||||||
|     msg "test: main suites (MBEDTLS_USE_PSA_CRYPTO)" |     msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)" | ||||||
|     make test |     make test | ||||||
|  |  | ||||||
|     msg "test: ssl-opt.sh (MBEDTLS_USE_PSA_CRYPTO)" |     msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)" | ||||||
|     if_build_succeeded tests/ssl-opt.sh |     if_build_succeeded tests/ssl-opt.sh | ||||||
|  |  | ||||||
|     msg "test: compat.sh default (MBEDTLS_USE_PSA_CRYPTO)" |     msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" | ||||||
|     if_build_succeeded tests/compat.sh |     if_build_succeeded tests/compat.sh | ||||||
|  |  | ||||||
|     msg "test: compat.sh ssl3 (MBEDTLS_USE_PSA_CRYPTO)" |     msg "test: compat.sh ssl3 (full minus MBEDTLS_USE_PSA_CRYPTO)" | ||||||
|     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' |     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' | ||||||
|  |  | ||||||
|     msg "test: compat.sh RC4, DES & NULL (MBEDTLS_USE_PSA_CRYPTO)" |     msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" | ||||||
|     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' |     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' | ||||||
|  |  | ||||||
|     msg "test: compat.sh ARIA + ChachaPoly (MBEDTLS_USE_PSA_CRYPTO)" |     msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" | ||||||
|     if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' |     if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
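Review bot: In the renamed `component_test_no_use_psa_crypto_full_cmake_asan`, the build banner was left as `msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan"`, although the component now unsets that option. The CI log will therefore describe the opposite of the configuration under test, and every other `msg` in the function was updated. It should read `msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan"`. The added `scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C` has no trailing reason, unlike the `# depends on PSA` comments in the two not_submodule components, and here MBEDTLS_PSA_CRYPTO_C stays set, so a short comment saying why it is dropped would help. The retained `unset MBEDTLS_ECP_RESTARTABLE # restartable ECC not supported through PSA` looks unnecessary in a build without MBEDTLS_USE_PSA_CRYPTO; if so, keeping it may leave restartable ECC untested under the full config.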