Merge pull request #10319 from gilles-peskine-arm/move-check-config-to-library

check_config.h: move to library and test
2025-08-05 19:35:48 +03:00 · 2025-07-29 14:07:33 +00:00
parent bebe631b7f fff4b32324
commit d6f881e8ca
14 changed files with 93 additions and 3 deletions
--- a/ChangeLog.d/check_config.txt
+++ b/ChangeLog.d/check_config.txt
@@ -0,0 +1,5 @@
+Removals
+   * The header <mbedtls/check_config.h> no longer exists. Including it
+     from a custom config file was no longer needed since Mbed TLS 3.0,
+     and could lead to spurious errors. The checks that it performed are
+     now done automatically when building the library.
--- a/2
+++ b/2
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -85,6 +85,4 @@
 */
 #define MBEDTLS_CONFIG_IS_FINALIZED

-#include "mbedtls/check_config.h"
-
 #endif /* MBEDTLS_BUILD_INFO_H */
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -1,5 +1,6 @@
 set(src_x509
    error.c
+    mbedtls_config.c
    pkcs7.c
    x509.c
    x509_create.c
--- a/library/Makefile
+++ b/library/Makefile
@@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)

 OBJS_X509= \
+	   mbedtls_config.o \
 	   x509.o \
 	   x509_create.o \
 	   x509_crl.o \
--- a/library/mbedtls_check_config.h
+++ b/library/mbedtls_check_config.h
--- a/library/mbedtls_config.c
+++ b/library/mbedtls_config.c
@@ -0,0 +1,13 @@
+/*
+ *  Mbed TLS configuration checks
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <mbedtls/build_info.h>
+
+/* Consistency checks in the configuration: check for incompatible options,
+ * missing options when at least one of a set needs to be enabled, etc. */
+#include "mbedtls_check_config.h"
--- a/library/x509.c
+++ b/library/x509.c
@@ -24,6 +24,7 @@
 #include "mbedtls/oid.h"
 #include "x509_oid.h"

+#include <limits.h>
 #include <stdio.h>
 #include <string.h>

--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -14,6 +14,7 @@
 #include "mbedtls/oid.h"
 #include "x509_oid.h"

+#include <limits.h>
 #include <string.h>

 #include "mbedtls/platform.h"
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -27,6 +27,7 @@
 #include "x509_oid.h"
 #include "mbedtls/platform_util.h"

+#include <limits.h>
 #include <string.h>

 #if defined(MBEDTLS_PEM_PARSE_C)
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -16,6 +16,7 @@

 #include "mbedtls/build_info.h"

+#include <limits.h>
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -123,4 +123,7 @@ component_check_test_helpers () {

    msg "unit test: translate_ciphers.py"
    python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
+
+    msg "unit test: generate_config_checks.py"
+    tests/scripts/test_config_checks.py 2>&1
 }
--- a/tests/scripts/test_config_checks.py
+++ b/tests/scripts/test_config_checks.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+"""Test the configuration checks generated by generate_config_checks.py.
+"""
+
+## Copyright The Mbed TLS Contributors
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import unittest
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_framework import unittest_config_checks
+
+
+class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
+    """Mbed TLS unit tests for checks generated by config_checks_generator."""
+
+    #pylint: disable=invalid-name # uppercase letters make sense here
+
+    PROJECT_CONFIG_C = 'library/mbedtls_config.c'
+    PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [
+        'tf-psa-crypto/include',
+        'tf-psa-crypto/drivers/builtin/include',
+    ]
+
+    @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.")
+    def test_crypto_no_fs_io(self) -> None:
+        """A sample error expected from crypto's check_config.h."""
+        self.bad_case('#undef MBEDTLS_FS_IO',
+                      None,
+                      error=('MBEDTLS_PSA_ITS_FILE_C'))
+
+    def test_mbedtls_no_session_tickets_for_early_data(self) -> None:
+        """An error expected from mbedtls_check_config.h based on the TLS configuration."""
+        self.bad_case(None,
+                      '''
+                      #define MBEDTLS_SSL_EARLY_DATA
+                      #undef MBEDTLS_SSL_SESSION_TICKETS
+                      ''',
+                      error=('MBEDTLS_SSL_EARLY_DATA'))
+
+    def test_mbedtls_no_ecdsa(self) -> None:
+        """An error expected from mbedtls_check_config.h based on crypto+TLS configuration."""
+        self.bad_case('''
+                      #undef PSA_WANT_ALG_ECDSA
+                      #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA
+                      #undef MBEDTLS_ECDSA_C
+                      ''',
+                      '''
+                      #if defined(PSA_WANT_ALG_ECDSA)
+                      #error PSA_WANT_ALG_ECDSA unexpected
+                      #endif
+                      #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)
+                      #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected
+                      #endif
+                      #if defined(MBEDTLS_ECDSA_C)
+                      #error MBEDTLS_ECDSA_C unexpected
+                      #endif
+                      ''',
+                      error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
+
+
+if __name__ == '__main__':
+    unittest.main()
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -11,6 +11,8 @@
 #include <test/ssl_helpers.h>
 #include "mbedtls/psa_util.h"

+#include <limits.h>
+
 #if defined(MBEDTLS_SSL_TLS_C)
 int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
 {