components-configuration-crypto.sh (134450B)
1 # components-configuration-crypto.sh 2 # 3 # Copyright The Mbed TLS Contributors 4 # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 5 6 # This file contains test components that are executed by all.sh 7 8 ################################################################ 9 #### Configuration Testing - Crypto 10 ################################################################ 11 12 component_test_psa_crypto_key_id_encodes_owner () { 13 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 14 scripts/config.py full 15 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 16 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 17 make 18 19 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 20 make test 21 } 22 23 component_test_psa_assume_exclusive_buffers () { 24 msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" 25 scripts/config.py full 26 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 27 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 28 make 29 30 msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" 31 make test 32 } 33 34 component_test_crypto_with_static_key_slots() { 35 msg "build: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" 36 scripts/config.py crypto_full 37 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS 38 # Intentionally set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE to a value that 39 # is enough to contain: 40 # - all RSA public keys up to 4096 bits (max of PSA_VENDOR_RSA_MAX_KEY_BITS). 41 # - RSA key pairs up to 1024 bits, but not 2048 or larger. 42 # - all FFDH key pairs and public keys up to 8192 bits (max of PSA_VENDOR_FFDH_MAX_KEY_BITS). 43 # - all EC key pairs and public keys up to 521 bits (max of PSA_VENDOR_ECC_MAX_CURVE_BITS). 44 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 1212 45 # Disable the fully dynamic key store (default on) since it conflicts 46 # with the static behavior that we're testing here. 47 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 48 49 msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" 50 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test 51 } 52 53 # check_renamed_symbols HEADER LIB 54 # Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol 55 # name in LIB. 56 check_renamed_symbols () { 57 ! nm "$2" | sed 's/.* //' | 58 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" 59 } 60 61 component_build_psa_crypto_spm () { 62 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" 63 scripts/config.py full 64 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 65 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 66 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM 67 # We can only compile, not link, since our test and sample programs 68 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM 69 # is active. 70 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' lib 71 72 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed 73 # version is not present. 74 echo "Checking for renamed symbols in the library" 75 check_renamed_symbols framework/tests/include/spe/crypto_spe.h library/libmbedcrypto.a 76 } 77 78 # The goal of this component is to build a configuration where: 79 # - test code and libtestdriver1 can make use of calloc/free and 80 # - core library (including PSA core) cannot use calloc/free. 81 component_test_psa_crypto_without_heap() { 82 msg "crypto without heap: build libtestdriver1" 83 # Disable PSA features that cannot be accelerated and whose builtin support 84 # requires calloc/free. 85 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 86 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF" 87 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_" 88 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_" 89 # RSA key support requires ASN1 parse/write support for testing, but ASN1 90 # is disabled below. 91 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_" 92 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_" 93 # DES requires built-in support for key generation (parity check) so it 94 # cannot be accelerated 95 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES 96 # EC-JPAKE use calloc/free in PSA core 97 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE 98 99 # Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H). 100 PSA_SYM_LIST=$(./scripts/config.py -f $CRYPTO_CONFIG_H get-all-enabled PSA_WANT) 101 loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g') 102 103 helper_libtestdriver1_adjust_config crypto 104 helper_libtestdriver1_make_drivers "$loc_accel_list" 105 106 msg "crypto without heap: build main library" 107 # Disable all legacy MBEDTLS_xxx symbols. 108 scripts/config.py unset-all "^MBEDTLS_" 109 # Build the PSA core using the proper config file. 110 scripts/config.py set MBEDTLS_PSA_CRYPTO_C 111 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 112 # Enable fully-static key slots in PSA core. 113 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS 114 # Prevent PSA core from creating a copy of input/output buffers. 115 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 116 # Prevent PSA core from using CTR-DRBG or HMAC-DRBG for random generation. 117 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 118 # Set calloc/free as null pointer functions. Calling them would crash 119 # the program so we can use this as a "sentinel" for being sure no module 120 # is making use of these functions in the library. 121 scripts/config.py set MBEDTLS_PLATFORM_C 122 scripts/config.py set MBEDTLS_PLATFORM_MEMORY 123 scripts/config.py set MBEDTLS_PLATFORM_STD_CALLOC NULL 124 scripts/config.py set MBEDTLS_PLATFORM_STD_FREE NULL 125 126 helper_libtestdriver1_make_main "$loc_accel_list" lib 127 128 msg "crypto without heap: build test suites and helpers" 129 # Reset calloc/free functions to normal operations so that test code can 130 # freely use them. 131 scripts/config.py unset MBEDTLS_PLATFORM_MEMORY 132 scripts/config.py unset MBEDTLS_PLATFORM_STD_CALLOC 133 scripts/config.py unset MBEDTLS_PLATFORM_STD_FREE 134 helper_libtestdriver1_make_main "$loc_accel_list" tests 135 136 msg "crypto without heap: test" 137 make test 138 } 139 140 # Get a list of library-wise undefined symbols and ensure that they only 141 # belong to psa_xxx() functions and not to mbedtls_yyy() ones. 142 # This function is a common helper used by both: 143 # - component_test_default_psa_crypto_client_without_crypto_provider 144 # - component_build_full_psa_crypto_client_without_crypto_provider. 145 common_check_mbedtls_missing_symbols () { 146 nm library/libmbedcrypto.a | grep ' [TRrDC] ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_def.txt 147 nm library/libmbedcrypto.a | grep ' U ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_undef.txt 148 comm sym_def.txt sym_undef.txt -13 > linking_errors.txt 149 not grep mbedtls_ linking_errors.txt 150 151 rm sym_def.txt sym_undef.txt linking_errors.txt 152 } 153 154 component_test_default_psa_crypto_client_without_crypto_provider () { 155 msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" 156 157 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 158 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 159 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C 160 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 161 scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT 162 scripts/config.py unset MBEDTLS_LMS_C 163 # Test hooks may rely on functions defined in test helpers, which would 164 # not be built here, leading to a spurious undefined symbol. 165 scripts/config.py unset MBEDTLS_TEST_HOOKS 166 167 make 168 169 msg "check missing symbols: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" 170 common_check_mbedtls_missing_symbols 171 172 msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" 173 make test 174 } 175 176 component_build_full_psa_crypto_client_without_crypto_provider () { 177 msg "build: full config - PSA_CRYPTO_C" 178 179 # Use full config which includes USE_PSA and CRYPTO_CLIENT. 180 scripts/config.py full 181 182 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 183 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 184 # Dynamic secure element support is a deprecated feature and it is not 185 # available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled. 186 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 187 # Test hooks may rely on functions defined in test helpers, which would 188 # not be built here, leading to a spurious undefined symbol. 189 scripts/config.py unset MBEDTLS_TEST_HOOKS 190 191 # Since there is no crypto provider in this build it is not possible to 192 # build all the test executables and progrems due to missing PSA functions 193 # at link time. Therefore we will just build libraries and we'll check 194 # that symbols of interest are there. 195 make lib 196 197 msg "check missing symbols: full config - PSA_CRYPTO_C" 198 199 common_check_mbedtls_missing_symbols 200 201 # Ensure that desired functions are included into the build (extend the 202 # following list as required). 203 grep mbedtls_pk_get_psa_attributes library/libmbedcrypto.a 204 grep mbedtls_pk_import_into_psa library/libmbedcrypto.a 205 grep mbedtls_pk_copy_from_psa library/libmbedcrypto.a 206 } 207 208 component_test_psa_crypto_rsa_no_genprime () { 209 msg "build: default config minus MBEDTLS_GENPRIME" 210 scripts/config.py unset MBEDTLS_GENPRIME 211 make 212 213 msg "test: default config minus MBEDTLS_GENPRIME" 214 make test 215 } 216 217 component_test_no_pem_no_fs () { 218 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" 219 scripts/config.py unset MBEDTLS_PEM_PARSE_C 220 scripts/config.py unset MBEDTLS_FS_IO 221 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem 222 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS 223 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 224 make 225 226 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s 227 make test 228 229 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min 230 tests/ssl-opt.sh 231 } 232 233 component_test_rsa_no_crt () { 234 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min 235 scripts/config.py set MBEDTLS_RSA_NO_CRT 236 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 237 make 238 239 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s 240 make test 241 242 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s 243 tests/ssl-opt.sh -f RSA 244 245 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min 246 tests/compat.sh -t RSA 247 248 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec 249 tests/context-info.sh 250 } 251 252 component_test_config_no_entropy () { 253 msg "build: configs/config-no-entropy.h" 254 cp configs/config-no-entropy.h "$CONFIG_H" 255 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake 256 # want to re-generate generated files that depend on it, quite correctly. 257 # However this doesn't work as the generation script expects a specific 258 # format for mbedtls_config.h, which the other files don't follow. Also, 259 # cmake can't know this, but re-generation is actually not necessary as 260 # the generated files only depend on the list of available options, not 261 # whether they're on or off. So, disable cmake's (over-sensitive here) 262 # dependency resolution for generated files and just rely on them being 263 # present (thanks to pre_generate_files) by turning GEN_FILES off. 264 CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . 265 make 266 267 msg "test: configs/config-no-entropy.h - unit tests" 268 make test 269 } 270 271 component_test_no_ctr_drbg_classic () { 272 msg "build: Full minus CTR_DRBG, classic crypto in TLS" 273 scripts/config.py full 274 scripts/config.py unset MBEDTLS_CTR_DRBG_C 275 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 276 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 277 278 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 279 make 280 281 msg "test: Full minus CTR_DRBG, classic crypto - main suites" 282 make test 283 284 # In this configuration, the TLS test programs use HMAC_DRBG. 285 # The SSL tests are slow, so run a small subset, just enough to get 286 # confidence that the SSL code copes with HMAC_DRBG. 287 msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" 288 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 289 290 msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" 291 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 292 } 293 294 component_test_no_ctr_drbg_use_psa () { 295 msg "build: Full minus CTR_DRBG, PSA crypto in TLS" 296 scripts/config.py full 297 scripts/config.py unset MBEDTLS_CTR_DRBG_C 298 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 299 300 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 301 make 302 303 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" 304 make test 305 306 # In this configuration, the TLS test programs use HMAC_DRBG. 307 # The SSL tests are slow, so run a small subset, just enough to get 308 # confidence that the SSL code copes with HMAC_DRBG. 309 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 310 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 311 312 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" 313 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 314 } 315 316 component_test_no_hmac_drbg_classic () { 317 msg "build: Full minus HMAC_DRBG, classic crypto in TLS" 318 scripts/config.py full 319 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 320 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 321 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 322 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 323 324 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 325 make 326 327 msg "test: Full minus HMAC_DRBG, classic crypto - main suites" 328 make test 329 330 # Normally our ECDSA implementation uses deterministic ECDSA. But since 331 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 332 # instead. 333 # Test SSL with non-deterministic ECDSA. Only test features that 334 # might be affected by how ECDSA signature is performed. 335 msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" 336 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 337 338 # To save time, only test one protocol version, since this part of 339 # the protocol is identical in (D)TLS up to 1.2. 340 msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" 341 tests/compat.sh -m tls12 -t 'ECDSA' 342 } 343 344 component_test_no_hmac_drbg_use_psa () { 345 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" 346 scripts/config.py full 347 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 348 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 349 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 350 351 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 352 make 353 354 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" 355 make test 356 357 # Normally our ECDSA implementation uses deterministic ECDSA. But since 358 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 359 # instead. 360 # Test SSL with non-deterministic ECDSA. Only test features that 361 # might be affected by how ECDSA signature is performed. 362 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 363 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 364 365 # To save time, only test one protocol version, since this part of 366 # the protocol is identical in (D)TLS up to 1.2. 367 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" 368 tests/compat.sh -m tls12 -t 'ECDSA' 369 } 370 371 component_test_psa_external_rng_no_drbg_classic () { 372 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" 373 scripts/config.py full 374 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 375 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 376 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 377 scripts/config.py unset MBEDTLS_ENTROPY_C 378 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 379 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 380 scripts/config.py unset MBEDTLS_CTR_DRBG_C 381 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 382 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 383 # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, 384 # the SSL test programs don't have an RNG and can't work. Explicitly 385 # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. 386 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" 387 388 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" 389 make test 390 391 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" 392 tests/ssl-opt.sh -f 'Default' 393 } 394 395 component_test_psa_external_rng_no_drbg_use_psa () { 396 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" 397 scripts/config.py full 398 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 399 scripts/config.py unset MBEDTLS_ENTROPY_C 400 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 401 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 402 scripts/config.py unset MBEDTLS_CTR_DRBG_C 403 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 404 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 405 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 406 407 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" 408 make test 409 410 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" 411 tests/ssl-opt.sh -f 'Default\|opaque' 412 } 413 414 component_test_psa_external_rng_use_psa_crypto () { 415 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 416 scripts/config.py full 417 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 418 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 419 scripts/config.py unset MBEDTLS_CTR_DRBG_C 420 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 421 422 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 423 make test 424 425 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 426 tests/ssl-opt.sh -f 'Default\|opaque' 427 } 428 429 component_test_psa_inject_entropy () { 430 msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY" 431 scripts/config.py full 432 scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY 433 scripts/config.py set MBEDTLS_ENTROPY_NV_SEED 434 scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 435 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 436 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ 437 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE 438 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" 439 440 msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY" 441 make test 442 } 443 444 component_full_no_pkparse_pkwrite () { 445 msg "build: full without pkparse and pkwrite" 446 447 scripts/config.py crypto_full 448 scripts/config.py unset MBEDTLS_PK_PARSE_C 449 scripts/config.py unset MBEDTLS_PK_WRITE_C 450 451 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 452 453 # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). 454 not grep mbedtls_pk_parse_key library/pkparse.o 455 not grep mbedtls_pk_write_key_der library/pkwrite.o 456 457 msg "test: full without pkparse and pkwrite" 458 make test 459 } 460 461 component_test_crypto_full_md_light_only () { 462 msg "build: crypto_full with only the light subset of MD" 463 scripts/config.py crypto_full 464 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 465 # Disable MD 466 scripts/config.py unset MBEDTLS_MD_C 467 # Disable direct dependencies of MD_C 468 scripts/config.py unset MBEDTLS_HKDF_C 469 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 470 scripts/config.py unset MBEDTLS_PKCS7_C 471 # Disable indirect dependencies of MD_C 472 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG 473 # Disable things that would auto-enable MD_C 474 scripts/config.py unset MBEDTLS_PKCS5_C 475 476 # Note: MD-light is auto-enabled in build_info.h by modules that need it, 477 # which we haven't disabled, so no need to explicitly enable it. 478 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 479 480 # Make sure we don't have the HMAC functions, but the hashing functions 481 not grep mbedtls_md_hmac library/md.o 482 grep mbedtls_md library/md.o 483 484 msg "test: crypto_full with only the light subset of MD" 485 make test 486 } 487 488 component_test_full_no_cipher_no_psa_crypto () { 489 msg "build: full no CIPHER no PSA_CRYPTO_C" 490 scripts/config.py full 491 scripts/config.py unset MBEDTLS_CIPHER_C 492 # Don't pull in cipher via PSA mechanisms 493 # (currently ignored anyway because we completely disable PSA) 494 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 495 # Disable features that depend on CIPHER_C 496 scripts/config.py unset MBEDTLS_CMAC_C 497 scripts/config.py unset MBEDTLS_NIST_KW_C 498 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 499 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT 500 scripts/config.py unset MBEDTLS_SSL_TLS_C 501 scripts/config.py unset MBEDTLS_SSL_TICKET_C 502 # Disable features that depend on PSA_CRYPTO_C 503 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 504 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 505 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 506 scripts/config.py unset MBEDTLS_LMS_C 507 scripts/config.py unset MBEDTLS_LMS_PRIVATE 508 509 msg "test: full no CIPHER no PSA_CRYPTO_C" 510 make test 511 } 512 513 # This is a common configurator and test function that is used in: 514 # - component_test_full_no_cipher_with_psa_crypto 515 # - component_test_full_no_cipher_with_psa_crypto_config 516 # It accepts 2 input parameters: 517 # - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG 518 # - $2: a text string which describes the test component 519 common_test_full_no_cipher_with_psa_crypto () { 520 USE_CRYPTO_CONFIG="$1" 521 COMPONENT_DESCRIPTION="$2" 522 523 msg "build: $COMPONENT_DESCRIPTION" 524 525 scripts/config.py full 526 scripts/config.py unset MBEDTLS_CIPHER_C 527 528 if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then 529 # The built-in implementation of the following algs/key-types depends 530 # on CIPHER_C so we disable them. 531 # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 532 # so we keep them enabled. 533 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG 534 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC 535 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING 536 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 537 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB 538 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR 539 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING 540 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB 541 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 542 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER 543 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES 544 else 545 # Don't pull in cipher via PSA mechanisms 546 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 547 # Disable cipher modes/keys that make PSA depend on CIPHER_C. 548 # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. 549 scripts/config.py unset-all MBEDTLS_CIPHER_MODE 550 fi 551 # The following modules directly depends on CIPHER_C 552 scripts/config.py unset MBEDTLS_CMAC_C 553 scripts/config.py unset MBEDTLS_NIST_KW_C 554 555 make 556 557 # Ensure that CIPHER_C was not re-enabled 558 not grep mbedtls_cipher_init library/cipher.o 559 560 msg "test: $COMPONENT_DESCRIPTION" 561 make test 562 } 563 564 component_test_full_no_cipher_with_psa_crypto () { 565 common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG" 566 } 567 568 component_test_full_no_cipher_with_psa_crypto_config () { 569 common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER" 570 } 571 572 component_test_full_no_ccm () { 573 msg "build: full no PSA_WANT_ALG_CCM" 574 575 # Full config enables: 576 # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA 577 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated 578 scripts/config.py full 579 580 # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still 581 # enabled, but not used from TLS since USE_PSA is set. 582 # This is helpful to ensure that TLS tests below have proper dependencies. 583 # 584 # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause 585 # PSA_WANT_ALG_CCM to be re-enabled. 586 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM 587 588 make 589 590 msg "test: full no PSA_WANT_ALG_CCM" 591 make test 592 } 593 594 component_test_full_no_ccm_star_no_tag () { 595 msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" 596 597 # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated 598 scripts/config.py full 599 600 # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all 601 # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol. 602 # This basically disables all unauthenticated ciphers on the PSA side, while 603 # keeping AEADs enabled. 604 # 605 # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause 606 # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. 607 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 608 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER 609 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR 610 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB 611 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB 612 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 613 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 614 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 615 616 make 617 618 # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled 619 not grep mbedtls_psa_cipher library/psa_crypto_cipher.o 620 621 msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" 622 make test 623 } 624 625 component_test_config_symmetric_only_legacy () { 626 msg "build: configs/config-symmetric-only.h" 627 cp configs/config-symmetric-only.h "$CONFIG_H" 628 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake 629 # want to re-generate generated files that depend on it, quite correctly. 630 # However this doesn't work as the generation script expects a specific 631 # format for mbedtls_config.h, which the other files don't follow. Also, 632 # cmake can't know this, but re-generation is actually not necessary as 633 # the generated files only depend on the list of available options, not 634 # whether they're on or off. So, disable cmake's (over-sensitive here) 635 # dependency resolution for generated files and just rely on them being 636 # present (thanks to pre_generate_files) by turning GEN_FILES off. 637 CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . 638 make 639 640 msg "test: configs/config-symmetric-only.h - unit tests" 641 make test 642 } 643 644 component_test_config_symmetric_only_psa () { 645 msg "build: configs/config-symmetric-only.h + USE_PSA_CRYPTO" 646 cp configs/config-symmetric-only.h "$CONFIG_H" 647 scripts/config.py set MBEDTLS_PSA_CRYPTO_C 648 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 649 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake 650 # want to re-generate generated files that depend on it, quite correctly. 651 # However this doesn't work as the generation script expects a specific 652 # format for mbedtls_config.h, which the other files don't follow. Also, 653 # cmake can't know this, but re-generation is actually not necessary as 654 # the generated files only depend on the list of available options, not 655 # whether they're on or off. So, disable cmake's (over-sensitive here) 656 # dependency resolution for generated files and just rely on them being 657 # present (thanks to pre_generate_files) by turning GEN_FILES off. 658 CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . 659 make 660 661 msg "test: configs/config-symmetric-only.h + USE_PSA_CRYPTO - unit tests" 662 make test 663 } 664 665 component_test_full_no_bignum () { 666 msg "build: full minus bignum" 667 scripts/config.py full 668 scripts/config.py unset MBEDTLS_BIGNUM_C 669 # Direct dependencies of bignum 670 scripts/config.py unset MBEDTLS_ECP_C 671 scripts/config.py unset MBEDTLS_RSA_C 672 scripts/config.py unset MBEDTLS_DHM_C 673 # Direct dependencies of ECP 674 scripts/config.py unset MBEDTLS_ECDH_C 675 scripts/config.py unset MBEDTLS_ECDSA_C 676 scripts/config.py unset MBEDTLS_ECJPAKE_C 677 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 678 # Disable what auto-enables ECP_LIGHT 679 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 680 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 681 # Indirect dependencies of ECP 682 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 683 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 684 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 685 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 686 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 687 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 688 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 689 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 690 # Direct dependencies of DHM 691 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 692 # Direct dependencies of RSA 693 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 694 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 695 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 696 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 697 # PK and its dependencies 698 scripts/config.py unset MBEDTLS_PK_C 699 scripts/config.py unset MBEDTLS_PK_PARSE_C 700 scripts/config.py unset MBEDTLS_PK_WRITE_C 701 scripts/config.py unset MBEDTLS_X509_USE_C 702 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 703 scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C 704 scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C 705 scripts/config.py unset MBEDTLS_X509_CREATE_C 706 scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C 707 scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C 708 scripts/config.py unset MBEDTLS_PKCS7_C 709 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 710 scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE 711 scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 712 713 make 714 715 msg "test: full minus bignum" 716 make test 717 } 718 719 component_build_dhm_alt () { 720 msg "build: MBEDTLS_DHM_ALT" # ~30s 721 scripts/config.py full 722 scripts/config.py set MBEDTLS_DHM_ALT 723 # debug.c currently references mbedtls_dhm_context fields directly. 724 scripts/config.py unset MBEDTLS_DEBUG_C 725 # We can only compile, not link, since we don't have any implementations 726 # suitable for testing with the dummy alt headers. 727 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib 728 } 729 730 component_test_everest () { 731 msg "build: Everest ECDH context (ASan build)" # ~ 6 min 732 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 733 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . 734 make 735 736 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s 737 make test 738 739 msg "test: metatests (clang, ASan)" 740 tests/scripts/run-metatests.sh any asan poison 741 742 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s 743 tests/ssl-opt.sh -f ECDH 744 745 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min 746 # Exclude some symmetric ciphers that are redundant here to gain time. 747 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' 748 } 749 750 component_test_everest_curve25519_only () { 751 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min 752 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 753 scripts/config.py unset MBEDTLS_ECDSA_C 754 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 755 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 756 scripts/config.py unset MBEDTLS_ECJPAKE_C 757 # Disable all curves 758 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" 759 scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED 760 761 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 762 763 msg "test: Everest ECDH context, only Curve25519" # ~ 50s 764 make test 765 } 766 767 component_test_psa_collect_statuses () { 768 msg "build+test: psa_collect_statuses" # ~30s 769 scripts/config.py full 770 tests/scripts/psa_collect_statuses.py 771 # Check that psa_crypto_init() succeeded at least once 772 grep -q '^0:psa_crypto_init:' tests/statuses.log 773 rm -f tests/statuses.log 774 } 775 776 # Check that the specified libraries exist and are empty. 777 are_empty_libraries () { 778 nm "$@" >/dev/null 2>/dev/null 779 ! nm "$@" 2>/dev/null | grep -v ':$' | grep . 780 } 781 782 component_build_crypto_default () { 783 msg "build: make, crypto only" 784 scripts/config.py crypto 785 make CFLAGS='-O1 -Werror' 786 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 787 } 788 789 component_build_crypto_full () { 790 msg "build: make, crypto only, full config" 791 scripts/config.py crypto_full 792 make CFLAGS='-O1 -Werror' 793 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 794 } 795 796 component_test_crypto_for_psa_service () { 797 msg "build: make, config for PSA crypto service" 798 scripts/config.py crypto 799 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 800 # Disable things that are not needed for just cryptography, to 801 # reach a configuration that would be typical for a PSA cryptography 802 # service providing all implemented PSA algorithms. 803 # System stuff 804 scripts/config.py unset MBEDTLS_ERROR_C 805 scripts/config.py unset MBEDTLS_TIMING_C 806 scripts/config.py unset MBEDTLS_VERSION_FEATURES 807 # Crypto stuff with no PSA interface 808 scripts/config.py unset MBEDTLS_BASE64_C 809 # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. 810 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent 811 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. 812 scripts/config.py unset MBEDTLS_NIST_KW_C 813 scripts/config.py unset MBEDTLS_PEM_PARSE_C 814 scripts/config.py unset MBEDTLS_PEM_WRITE_C 815 scripts/config.py unset MBEDTLS_PKCS12_C 816 scripts/config.py unset MBEDTLS_PKCS5_C 817 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed 818 # in PSA code to work with RSA keys. We don't require users to set those: 819 # they will be reenabled in build_info.h. 820 scripts/config.py unset MBEDTLS_PK_C 821 scripts/config.py unset MBEDTLS_PK_PARSE_C 822 scripts/config.py unset MBEDTLS_PK_WRITE_C 823 make CFLAGS='-O1 -Werror' all test 824 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 825 } 826 827 component_build_crypto_baremetal () { 828 msg "build: make, crypto only, baremetal config" 829 scripts/config.py crypto_baremetal 830 make CFLAGS="-O1 -Werror -I$PWD/framework/tests/include/baremetal-override/" 831 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 832 } 833 834 support_build_crypto_baremetal () { 835 support_build_baremetal "$@" 836 } 837 838 # depends.py family of tests 839 component_test_depends_py_cipher_id () { 840 msg "test/build: depends.py cipher_id (gcc)" 841 tests/scripts/depends.py cipher_id --unset-use-psa 842 } 843 844 component_test_depends_py_cipher_chaining () { 845 msg "test/build: depends.py cipher_chaining (gcc)" 846 tests/scripts/depends.py cipher_chaining --unset-use-psa 847 } 848 849 component_test_depends_py_cipher_padding () { 850 msg "test/build: depends.py cipher_padding (gcc)" 851 tests/scripts/depends.py cipher_padding --unset-use-psa 852 } 853 854 component_test_depends_py_curves () { 855 msg "test/build: depends.py curves (gcc)" 856 tests/scripts/depends.py curves --unset-use-psa 857 } 858 859 component_test_depends_py_hashes () { 860 msg "test/build: depends.py hashes (gcc)" 861 tests/scripts/depends.py hashes --unset-use-psa 862 } 863 864 component_test_depends_py_pkalgs () { 865 msg "test/build: depends.py pkalgs (gcc)" 866 tests/scripts/depends.py pkalgs --unset-use-psa 867 } 868 869 # PSA equivalents of the depends.py tests 870 component_test_depends_py_cipher_id_psa () { 871 msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 872 tests/scripts/depends.py cipher_id 873 } 874 875 component_test_depends_py_cipher_chaining_psa () { 876 msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 877 tests/scripts/depends.py cipher_chaining 878 } 879 880 component_test_depends_py_cipher_padding_psa () { 881 msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 882 tests/scripts/depends.py cipher_padding 883 } 884 885 component_test_depends_py_curves_psa () { 886 msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 887 tests/scripts/depends.py curves 888 } 889 890 component_test_depends_py_hashes_psa () { 891 msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 892 tests/scripts/depends.py hashes 893 } 894 895 component_test_depends_py_pkalgs_psa () { 896 msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 897 tests/scripts/depends.py pkalgs 898 } 899 900 component_test_psa_crypto_config_ffdh_2048_only () { 901 msg "build: full config - only DH 2048" 902 903 scripts/config.py full 904 905 # Disable all DH groups other than 2048. 906 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 907 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 908 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 909 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 910 911 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" 912 913 msg "test: full config - only DH 2048" 914 make test 915 916 msg "ssl-opt: full config - only DH 2048" 917 tests/ssl-opt.sh -f "ffdh" 918 } 919 920 component_build_no_pk_rsa_alt_support () { 921 msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s 922 923 scripts/config.py full 924 scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT 925 scripts/config.py set MBEDTLS_RSA_C 926 scripts/config.py set MBEDTLS_X509_CRT_WRITE_C 927 928 # Only compile - this is primarily to test for compile issues 929 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' 930 } 931 932 component_build_module_alt () { 933 msg "build: MBEDTLS_XXX_ALT" # ~30s 934 scripts/config.py full 935 936 # Disable options that are incompatible with some ALT implementations: 937 # aesni.c and padlock.c reference mbedtls_aes_context fields directly. 938 scripts/config.py unset MBEDTLS_AESNI_C 939 scripts/config.py unset MBEDTLS_PADLOCK_C 940 scripts/config.py unset MBEDTLS_AESCE_C 941 # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. 942 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 943 # You can only have one threading implementation: alt or pthread, not both. 944 scripts/config.py unset MBEDTLS_THREADING_PTHREAD 945 # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields 946 # directly and assumes the implementation works with partial groups. 947 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 948 # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* 949 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 950 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY 951 # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* 952 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 953 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY 954 955 # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable 956 # MBEDTLS_XXX_YYY_ALT which are for single functions. 957 scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' 958 scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C 959 960 # We can only compile, not link, since we don't have any implementations 961 # suitable for testing with the dummy alt headers. 962 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib 963 } 964 965 component_test_psa_crypto_config_accel_ecdsa () { 966 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" 967 968 # Algorithms and key types to accelerate 969 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 970 $(helper_get_psa_key_type_list "ECC") \ 971 $(helper_get_psa_curve_list)" 972 973 # Configure 974 # --------- 975 976 # Start from default config (no USE_PSA) + TLS 1.3 977 helper_libtestdriver1_adjust_config "default" 978 979 # Disable the module that's accelerated 980 scripts/config.py unset MBEDTLS_ECDSA_C 981 982 # Disable things that depend on it 983 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 984 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 985 986 # Build 987 # ----- 988 989 # These hashes are needed for some ECDSA signature tests. 990 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 991 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 992 993 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 994 995 helper_libtestdriver1_make_main "$loc_accel_list" 996 997 # Make sure this was not re-enabled by accident (additive config) 998 not grep mbedtls_ecdsa_ library/ecdsa.o 999 1000 # Run the tests 1001 # ------------- 1002 1003 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" 1004 make test 1005 } 1006 1007 component_test_psa_crypto_config_accel_ecdh () { 1008 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" 1009 1010 # Algorithms and key types to accelerate 1011 loc_accel_list="ALG_ECDH \ 1012 $(helper_get_psa_key_type_list "ECC") \ 1013 $(helper_get_psa_curve_list)" 1014 1015 # Configure 1016 # --------- 1017 1018 # Start from default config (no USE_PSA) 1019 helper_libtestdriver1_adjust_config "default" 1020 1021 # Disable the module that's accelerated 1022 scripts/config.py unset MBEDTLS_ECDH_C 1023 1024 # Disable things that depend on it 1025 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1026 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 1027 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 1028 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1029 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 1030 1031 # Build 1032 # ----- 1033 1034 helper_libtestdriver1_make_drivers "$loc_accel_list" 1035 1036 helper_libtestdriver1_make_main "$loc_accel_list" 1037 1038 # Make sure this was not re-enabled by accident (additive config) 1039 not grep mbedtls_ecdh_ library/ecdh.o 1040 1041 # Run the tests 1042 # ------------- 1043 1044 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" 1045 make test 1046 } 1047 1048 component_test_psa_crypto_config_accel_ffdh () { 1049 msg "build: full with accelerated FFDH" 1050 1051 # Algorithms and key types to accelerate 1052 loc_accel_list="ALG_FFDH \ 1053 $(helper_get_psa_key_type_list "DH") \ 1054 $(helper_get_psa_dh_group_list)" 1055 1056 # Configure 1057 # --------- 1058 1059 # start with full (USE_PSA and TLS 1.3) 1060 helper_libtestdriver1_adjust_config "full" 1061 1062 # Disable the module that's accelerated 1063 scripts/config.py unset MBEDTLS_DHM_C 1064 1065 # Disable things that depend on it 1066 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1067 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1068 1069 # Build 1070 # ----- 1071 1072 helper_libtestdriver1_make_drivers "$loc_accel_list" 1073 1074 helper_libtestdriver1_make_main "$loc_accel_list" 1075 1076 # Make sure this was not re-enabled by accident (additive config) 1077 not grep mbedtls_dhm_ library/dhm.o 1078 1079 # Run the tests 1080 # ------------- 1081 1082 msg "test: full with accelerated FFDH" 1083 make test 1084 1085 msg "ssl-opt: full with accelerated FFDH alg" 1086 tests/ssl-opt.sh -f "ffdh" 1087 } 1088 1089 component_test_psa_crypto_config_reference_ffdh () { 1090 msg "build: full with non-accelerated FFDH" 1091 1092 # Start with full (USE_PSA and TLS 1.3) 1093 helper_libtestdriver1_adjust_config "full" 1094 1095 # Disable things that are not supported 1096 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1097 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1098 make 1099 1100 msg "test suites: full with non-accelerated FFDH alg" 1101 make test 1102 1103 msg "ssl-opt: full with non-accelerated FFDH alg" 1104 tests/ssl-opt.sh -f "ffdh" 1105 } 1106 1107 component_test_psa_crypto_config_accel_pake () { 1108 msg "build: full with accelerated PAKE" 1109 1110 loc_accel_list="ALG_JPAKE \ 1111 $(helper_get_psa_key_type_list "ECC") \ 1112 $(helper_get_psa_curve_list)" 1113 1114 # Configure 1115 # --------- 1116 1117 helper_libtestdriver1_adjust_config "full" 1118 1119 # Make built-in fallback not available 1120 scripts/config.py unset MBEDTLS_ECJPAKE_C 1121 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 1122 1123 # Build 1124 # ----- 1125 1126 helper_libtestdriver1_make_drivers "$loc_accel_list" 1127 1128 helper_libtestdriver1_make_main "$loc_accel_list" 1129 1130 # Make sure this was not re-enabled by accident (additive config) 1131 not grep mbedtls_ecjpake_init library/ecjpake.o 1132 1133 # Run the tests 1134 # ------------- 1135 1136 msg "test: full with accelerated PAKE" 1137 make test 1138 } 1139 1140 component_test_psa_crypto_config_accel_ecc_some_key_types () { 1141 msg "build: full with accelerated EC algs and some key types" 1142 1143 # Algorithms and key types to accelerate 1144 # For key types, use an explicitly list to omit GENERATE (and DERIVE) 1145 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1146 ALG_ECDH \ 1147 ALG_JPAKE \ 1148 KEY_TYPE_ECC_PUBLIC_KEY \ 1149 KEY_TYPE_ECC_KEY_PAIR_BASIC \ 1150 KEY_TYPE_ECC_KEY_PAIR_IMPORT \ 1151 KEY_TYPE_ECC_KEY_PAIR_EXPORT \ 1152 $(helper_get_psa_curve_list)" 1153 1154 # Configure 1155 # --------- 1156 1157 # start with config full for maximum coverage (also enables USE_PSA) 1158 helper_libtestdriver1_adjust_config "full" 1159 1160 # Disable modules that are accelerated - some will be re-enabled 1161 scripts/config.py unset MBEDTLS_ECDSA_C 1162 scripts/config.py unset MBEDTLS_ECDH_C 1163 scripts/config.py unset MBEDTLS_ECJPAKE_C 1164 scripts/config.py unset MBEDTLS_ECP_C 1165 1166 # Disable all curves - those that aren't accelerated should be re-enabled 1167 helper_disable_builtin_curves 1168 1169 # Restartable feature is not yet supported by PSA. Once it will in 1170 # the future, the following line could be removed (see issues 1171 # 6061, 6332 and following ones) 1172 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1173 1174 # this is not supported by the driver API yet 1175 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1176 1177 # Build 1178 # ----- 1179 1180 # These hashes are needed for some ECDSA signature tests. 1181 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1182 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1183 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1184 1185 helper_libtestdriver1_make_main "$loc_accel_list" 1186 1187 # ECP should be re-enabled but not the others 1188 not grep mbedtls_ecdh_ library/ecdh.o 1189 not grep mbedtls_ecdsa library/ecdsa.o 1190 not grep mbedtls_ecjpake library/ecjpake.o 1191 grep mbedtls_ecp library/ecp.o 1192 1193 # Run the tests 1194 # ------------- 1195 1196 msg "test suites: full with accelerated EC algs and some key types" 1197 make test 1198 } 1199 1200 # Run tests with only (non-)Weierstrass accelerated 1201 # Common code used in: 1202 # - component_test_psa_crypto_config_accel_ecc_weierstrass_curves 1203 # - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves 1204 common_test_psa_crypto_config_accel_ecc_some_curves () { 1205 weierstrass=$1 1206 if [ $weierstrass -eq 1 ]; then 1207 desc="Weierstrass" 1208 else 1209 desc="non-Weierstrass" 1210 fi 1211 1212 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" 1213 1214 # Note: Curves are handled in a special way by the libtestdriver machinery, 1215 # so we only want to include them in the accel list when building the main 1216 # libraries, hence the use of a separate variable. 1217 # Note: the following loop is a modified version of 1218 # helper_get_psa_curve_list that only keeps Weierstrass families. 1219 loc_weierstrass_list="" 1220 loc_non_weierstrass_list="" 1221 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do 1222 case $item in 1223 ECC_BRAINPOOL*|ECC_SECP*) 1224 loc_weierstrass_list="$loc_weierstrass_list $item" 1225 ;; 1226 *) 1227 loc_non_weierstrass_list="$loc_non_weierstrass_list $item" 1228 ;; 1229 esac 1230 done 1231 if [ $weierstrass -eq 1 ]; then 1232 loc_curve_list=$loc_weierstrass_list 1233 else 1234 loc_curve_list=$loc_non_weierstrass_list 1235 fi 1236 1237 # Algorithms and key types to accelerate 1238 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1239 ALG_ECDH \ 1240 ALG_JPAKE \ 1241 $(helper_get_psa_key_type_list "ECC") \ 1242 $loc_curve_list" 1243 1244 # Configure 1245 # --------- 1246 1247 # Start with config crypto_full and remove PK_C: 1248 # that's what's supported now, see docs/driver-only-builds.md. 1249 helper_libtestdriver1_adjust_config "crypto_full" 1250 scripts/config.py unset MBEDTLS_PK_C 1251 scripts/config.py unset MBEDTLS_PK_PARSE_C 1252 scripts/config.py unset MBEDTLS_PK_WRITE_C 1253 1254 # Disable modules that are accelerated - some will be re-enabled 1255 scripts/config.py unset MBEDTLS_ECDSA_C 1256 scripts/config.py unset MBEDTLS_ECDH_C 1257 scripts/config.py unset MBEDTLS_ECJPAKE_C 1258 scripts/config.py unset MBEDTLS_ECP_C 1259 1260 # Disable all curves - those that aren't accelerated should be re-enabled 1261 helper_disable_builtin_curves 1262 1263 # Restartable feature is not yet supported by PSA. Once it will in 1264 # the future, the following line could be removed (see issues 1265 # 6061, 6332 and following ones) 1266 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1267 1268 # this is not supported by the driver API yet 1269 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1270 1271 # Build 1272 # ----- 1273 1274 # These hashes are needed for some ECDSA signature tests. 1275 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1276 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1277 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1278 1279 helper_libtestdriver1_make_main "$loc_accel_list" 1280 1281 # We expect ECDH to be re-enabled for the missing curves 1282 grep mbedtls_ecdh_ library/ecdh.o 1283 # We expect ECP to be re-enabled, however the parts specific to the 1284 # families of curves that are accelerated should be ommited. 1285 # - functions with mxz in the name are specific to Montgomery curves 1286 # - ecp_muladd is specific to Weierstrass curves 1287 ##nm library/ecp.o | tee ecp.syms 1288 if [ $weierstrass -eq 1 ]; then 1289 not grep mbedtls_ecp_muladd library/ecp.o 1290 grep mxz library/ecp.o 1291 else 1292 grep mbedtls_ecp_muladd library/ecp.o 1293 not grep mxz library/ecp.o 1294 fi 1295 # We expect ECDSA and ECJPAKE to be re-enabled only when 1296 # Weierstrass curves are not accelerated 1297 if [ $weierstrass -eq 1 ]; then 1298 not grep mbedtls_ecdsa library/ecdsa.o 1299 not grep mbedtls_ecjpake library/ecjpake.o 1300 else 1301 grep mbedtls_ecdsa library/ecdsa.o 1302 grep mbedtls_ecjpake library/ecjpake.o 1303 fi 1304 1305 # Run the tests 1306 # ------------- 1307 1308 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" 1309 make test 1310 } 1311 1312 component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { 1313 common_test_psa_crypto_config_accel_ecc_some_curves 1 1314 } 1315 1316 component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { 1317 common_test_psa_crypto_config_accel_ecc_some_curves 0 1318 } 1319 1320 # Auxiliary function to build config for all EC based algorithms (EC-JPAKE, 1321 # ECDH, ECDSA) with and without drivers. 1322 # The input parameter is a boolean value which indicates: 1323 # - 0 keep built-in EC algs, 1324 # - 1 exclude built-in EC algs (driver only). 1325 # 1326 # This is used by the two following components to ensure they always use the 1327 # same config, except for the use of driver or built-in EC algorithms: 1328 # - component_test_psa_crypto_config_accel_ecc_ecp_light_only; 1329 # - component_test_psa_crypto_config_reference_ecc_ecp_light_only. 1330 # This supports comparing their test coverage with analyze_outcomes.py. 1331 config_psa_crypto_config_ecp_light_only () { 1332 driver_only="$1" 1333 # start with config full for maximum coverage (also enables USE_PSA) 1334 helper_libtestdriver1_adjust_config "full" 1335 if [ "$driver_only" -eq 1 ]; then 1336 # Disable modules that are accelerated 1337 scripts/config.py unset MBEDTLS_ECDSA_C 1338 scripts/config.py unset MBEDTLS_ECDH_C 1339 scripts/config.py unset MBEDTLS_ECJPAKE_C 1340 scripts/config.py unset MBEDTLS_ECP_C 1341 fi 1342 1343 # Restartable feature is not yet supported by PSA. Once it will in 1344 # the future, the following line could be removed (see issues 1345 # 6061, 6332 and following ones) 1346 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1347 } 1348 1349 # Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only 1350 component_test_psa_crypto_config_accel_ecc_ecp_light_only () { 1351 msg "build: full with accelerated EC algs" 1352 1353 # Algorithms and key types to accelerate 1354 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1355 ALG_ECDH \ 1356 ALG_JPAKE \ 1357 $(helper_get_psa_key_type_list "ECC") \ 1358 $(helper_get_psa_curve_list)" 1359 1360 # Configure 1361 # --------- 1362 1363 # Use the same config as reference, only without built-in EC algs 1364 config_psa_crypto_config_ecp_light_only 1 1365 1366 # Do not disable builtin curves because that support is required for: 1367 # - MBEDTLS_PK_PARSE_EC_EXTENDED 1368 # - MBEDTLS_PK_PARSE_EC_COMPRESSED 1369 1370 # Build 1371 # ----- 1372 1373 # These hashes are needed for some ECDSA signature tests. 1374 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1375 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1376 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1377 1378 helper_libtestdriver1_make_main "$loc_accel_list" 1379 1380 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1381 not grep mbedtls_ecdsa_ library/ecdsa.o 1382 not grep mbedtls_ecdh_ library/ecdh.o 1383 not grep mbedtls_ecjpake_ library/ecjpake.o 1384 not grep mbedtls_ecp_mul library/ecp.o 1385 1386 # Run the tests 1387 # ------------- 1388 1389 msg "test suites: full with accelerated EC algs" 1390 make test 1391 1392 msg "ssl-opt: full with accelerated EC algs" 1393 tests/ssl-opt.sh 1394 } 1395 1396 # Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only 1397 component_test_psa_crypto_config_reference_ecc_ecp_light_only () { 1398 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" 1399 1400 config_psa_crypto_config_ecp_light_only 0 1401 1402 make 1403 1404 msg "test suites: full with non-accelerated EC algs" 1405 make test 1406 1407 msg "ssl-opt: full with non-accelerated EC algs" 1408 tests/ssl-opt.sh 1409 } 1410 1411 # This helper function is used by: 1412 # - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() 1413 # - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 1414 # to ensure that both tests use the same underlying configuration when testing 1415 # driver's coverage with analyze_outcomes.py. 1416 # 1417 # This functions accepts 1 boolean parameter as follows: 1418 # - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore 1419 # excluding their built-in implementation as well as ECP_C & ECP_LIGHT 1420 # - 0: include built-in implementation of EC algorithms. 1421 # 1422 # PK_C and RSA_C are always disabled to ensure there is no remaining dependency 1423 # on the ECP module. 1424 config_psa_crypto_no_ecp_at_all () { 1425 driver_only="$1" 1426 # start with full config for maximum coverage (also enables USE_PSA) 1427 helper_libtestdriver1_adjust_config "full" 1428 1429 if [ "$driver_only" -eq 1 ]; then 1430 # Disable modules that are accelerated 1431 scripts/config.py unset MBEDTLS_ECDSA_C 1432 scripts/config.py unset MBEDTLS_ECDH_C 1433 scripts/config.py unset MBEDTLS_ECJPAKE_C 1434 # Disable ECP module (entirely) 1435 scripts/config.py unset MBEDTLS_ECP_C 1436 fi 1437 1438 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 1439 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1440 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1441 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1442 1443 # Restartable feature is not yet supported by PSA. Once it will in 1444 # the future, the following line could be removed (see issues 1445 # 6061, 6332 and following ones) 1446 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1447 } 1448 1449 # Build and test a configuration where driver accelerates all EC algs while 1450 # all support and dependencies from ECP and ECP_LIGHT are removed on the library 1451 # side. 1452 # 1453 # Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 1454 component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { 1455 msg "build: full + accelerated EC algs - ECP" 1456 1457 # Algorithms and key types to accelerate 1458 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1459 ALG_ECDH \ 1460 ALG_JPAKE \ 1461 $(helper_get_psa_key_type_list "ECC") \ 1462 $(helper_get_psa_curve_list)" 1463 1464 # Configure 1465 # --------- 1466 1467 # Set common configurations between library's and driver's builds 1468 config_psa_crypto_no_ecp_at_all 1 1469 # Disable all the builtin curves. All the required algs are accelerated. 1470 helper_disable_builtin_curves 1471 1472 # Build 1473 # ----- 1474 1475 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 1476 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 1477 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1478 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1479 1480 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1481 1482 helper_libtestdriver1_make_main "$loc_accel_list" 1483 1484 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1485 not grep mbedtls_ecdsa_ library/ecdsa.o 1486 not grep mbedtls_ecdh_ library/ecdh.o 1487 not grep mbedtls_ecjpake_ library/ecjpake.o 1488 # Also ensure that ECP module was not re-enabled 1489 not grep mbedtls_ecp_ library/ecp.o 1490 1491 # Run the tests 1492 # ------------- 1493 1494 msg "test: full + accelerated EC algs - ECP" 1495 make test 1496 1497 msg "ssl-opt: full + accelerated EC algs - ECP" 1498 tests/ssl-opt.sh 1499 } 1500 1501 # Reference function used for driver's coverage analysis in analyze_outcomes.py 1502 # in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). 1503 # Keep in sync with its accelerated counterpart. 1504 component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { 1505 msg "build: full + non accelerated EC algs" 1506 1507 config_psa_crypto_no_ecp_at_all 0 1508 1509 make 1510 1511 msg "test: full + non accelerated EC algs" 1512 make test 1513 1514 msg "ssl-opt: full + non accelerated EC algs" 1515 tests/ssl-opt.sh 1516 } 1517 1518 # This is a common configuration helper used directly from: 1519 # - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1520 # - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1521 # and indirectly from: 1522 # - component_test_psa_crypto_config_accel_ecc_no_bignum 1523 # - accelerate all EC algs, disable RSA and FFDH 1524 # - component_test_psa_crypto_config_reference_ecc_no_bignum 1525 # - this is the reference component of the above 1526 # - it still disables RSA and FFDH, but it uses builtin EC algs 1527 # - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1528 # - accelerate all EC and FFDH algs, disable only RSA 1529 # - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1530 # - this is the reference component of the above 1531 # - it still disables RSA, but it uses builtin EC and FFDH algs 1532 # 1533 # This function accepts 2 parameters: 1534 # $1: a boolean value which states if we are testing an accelerated scenario 1535 # or not. 1536 # $2: a string value which states which components are tested. Allowed values 1537 # are "ECC" or "ECC_DH". 1538 config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1539 driver_only="$1" 1540 test_target="$2" 1541 # start with full config for maximum coverage (also enables USE_PSA) 1542 helper_libtestdriver1_adjust_config "full" 1543 1544 if [ "$driver_only" -eq 1 ]; then 1545 # Disable modules that are accelerated 1546 scripts/config.py unset MBEDTLS_ECDSA_C 1547 scripts/config.py unset MBEDTLS_ECDH_C 1548 scripts/config.py unset MBEDTLS_ECJPAKE_C 1549 # Disable ECP module (entirely) 1550 scripts/config.py unset MBEDTLS_ECP_C 1551 # Also disable bignum 1552 scripts/config.py unset MBEDTLS_BIGNUM_C 1553 fi 1554 1555 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 1556 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1557 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1558 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1559 1560 # RSA support is intentionally disabled on this test because RSA_C depends 1561 # on BIGNUM_C. 1562 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" 1563 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" 1564 scripts/config.py unset MBEDTLS_RSA_C 1565 scripts/config.py unset MBEDTLS_PKCS1_V15 1566 scripts/config.py unset MBEDTLS_PKCS1_V21 1567 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1568 # Also disable key exchanges that depend on RSA 1569 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 1570 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 1571 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1572 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1573 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1574 1575 if [ "$test_target" = "ECC" ]; then 1576 # When testing ECC only, we disable FFDH support, both from builtin and 1577 # PSA sides, and also disable the key exchanges that depend on DHM. 1578 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH 1579 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" 1580 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" 1581 scripts/config.py unset MBEDTLS_DHM_C 1582 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1583 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1584 else 1585 # When testing ECC and DH instead, we disable DHM and depending key 1586 # exchanges only in the accelerated build 1587 if [ "$driver_only" -eq 1 ]; then 1588 scripts/config.py unset MBEDTLS_DHM_C 1589 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1590 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1591 fi 1592 fi 1593 1594 # Restartable feature is not yet supported by PSA. Once it will in 1595 # the future, the following line could be removed (see issues 1596 # 6061, 6332 and following ones) 1597 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1598 } 1599 1600 # Common helper used by: 1601 # - component_test_psa_crypto_config_accel_ecc_no_bignum 1602 # - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1603 # 1604 # The goal is to build and test accelerating either: 1605 # - ECC only or 1606 # - both ECC and FFDH 1607 # 1608 # It is meant to be used in conjunction with 1609 # common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers 1610 # coverage analysis in the "analyze_outcomes.py" script. 1611 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1612 test_target="$1" 1613 1614 # This is an internal helper to simplify text message handling 1615 if [ "$test_target" = "ECC_DH" ]; then 1616 accel_text="ECC/FFDH" 1617 removed_text="ECP - DH" 1618 else 1619 accel_text="ECC" 1620 removed_text="ECP" 1621 fi 1622 1623 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1624 1625 # By default we accelerate all EC keys/algs 1626 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1627 ALG_ECDH \ 1628 ALG_JPAKE \ 1629 $(helper_get_psa_key_type_list "ECC") \ 1630 $(helper_get_psa_curve_list)" 1631 # Optionally we can also add DH to the list of accelerated items 1632 if [ "$test_target" = "ECC_DH" ]; then 1633 loc_accel_list="$loc_accel_list \ 1634 ALG_FFDH \ 1635 $(helper_get_psa_key_type_list "DH") \ 1636 $(helper_get_psa_dh_group_list)" 1637 fi 1638 1639 # Configure 1640 # --------- 1641 1642 # Set common configurations between library's and driver's builds 1643 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" 1644 # Disable all the builtin curves. All the required algs are accelerated. 1645 helper_disable_builtin_curves 1646 1647 # Build 1648 # ----- 1649 1650 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 1651 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 1652 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1653 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1654 1655 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1656 1657 helper_libtestdriver1_make_main "$loc_accel_list" 1658 1659 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1660 not grep mbedtls_ecdsa_ library/ecdsa.o 1661 not grep mbedtls_ecdh_ library/ecdh.o 1662 not grep mbedtls_ecjpake_ library/ecjpake.o 1663 # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled 1664 not grep mbedtls_ecp_ library/ecp.o 1665 not grep mbedtls_rsa_ library/rsa.o 1666 not grep mbedtls_mpi_ library/bignum.o 1667 not grep mbedtls_dhm_ library/dhm.o 1668 1669 # Run the tests 1670 # ------------- 1671 1672 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM" 1673 1674 make test 1675 1676 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1677 tests/ssl-opt.sh 1678 } 1679 1680 # Common helper used by: 1681 # - component_test_psa_crypto_config_reference_ecc_no_bignum 1682 # - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1683 # 1684 # The goal is to build and test a reference scenario (i.e. with builtin 1685 # components) compared to the ones used in 1686 # common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. 1687 # 1688 # It is meant to be used in conjunction with 1689 # common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' 1690 # coverage analysis in "analyze_outcomes.py" script. 1691 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 1692 test_target="$1" 1693 1694 # This is an internal helper to simplify text message handling 1695 if [ "$test_target" = "ECC_DH" ]; then 1696 accel_text="ECC/FFDH" 1697 else 1698 accel_text="ECC" 1699 fi 1700 1701 msg "build: full + non accelerated $accel_text algs + USE_PSA" 1702 1703 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" 1704 1705 make 1706 1707 msg "test suites: full + non accelerated EC algs + USE_PSA" 1708 make test 1709 1710 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" 1711 tests/ssl-opt.sh 1712 } 1713 1714 component_test_psa_crypto_config_accel_ecc_no_bignum () { 1715 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" 1716 } 1717 1718 component_test_psa_crypto_config_reference_ecc_no_bignum () { 1719 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" 1720 } 1721 1722 component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1723 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" 1724 } 1725 1726 component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 1727 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" 1728 } 1729 1730 component_test_tfm_config_as_is () { 1731 msg "build: configs/config-tfm.h" 1732 cp configs/config-tfm.h "$CONFIG_H" 1733 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 1734 make 1735 1736 msg "test: configs/config-tfm.h - unit tests" 1737 make test 1738 } 1739 1740 # Helper for setting common configurations between: 1741 # - component_test_tfm_config_p256m_driver_accel_ec() 1742 # - component_test_tfm_config_no_p256m() 1743 common_tfm_config () { 1744 # Enable TF-M config 1745 cp configs/config-tfm.h "$CONFIG_H" 1746 echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" 1747 cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" 1748 1749 # Other config adjustment to make the tests pass. 1750 # This should probably be adopted upstream. 1751 # 1752 # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS 1753 echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" 1754 1755 # Config adjustment for better test coverage in our environment. 1756 # This is not needed just to build and pass tests. 1757 # 1758 # Enable filesystem I/O for the benefit of PK parse/write tests. 1759 echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" 1760 } 1761 1762 # Keep this in sync with component_test_tfm_config() as they are both meant 1763 # to be used in analyze_outcomes.py for driver's coverage analysis. 1764 component_test_tfm_config_p256m_driver_accel_ec () { 1765 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 1766 1767 common_tfm_config 1768 1769 # Build crypto library 1770 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../framework/tests/include/spe" LDFLAGS="$ASAN_CFLAGS" 1771 1772 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1773 not grep mbedtls_ecdsa_ library/ecdsa.o 1774 not grep mbedtls_ecdh_ library/ecdh.o 1775 not grep mbedtls_ecjpake_ library/ecjpake.o 1776 # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled 1777 not grep mbedtls_ecp_ library/ecp.o 1778 not grep mbedtls_rsa_ library/rsa.o 1779 not grep mbedtls_dhm_ library/dhm.o 1780 not grep mbedtls_mpi_ library/bignum.o 1781 # Check that p256m was built 1782 grep -q p256_ecdsa_ library/libmbedcrypto.a 1783 1784 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration 1785 # files, so we want to ensure that it has not be re-enabled accidentally. 1786 not grep mbedtls_cipher library/cipher.o 1787 1788 # Run the tests 1789 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 1790 make test 1791 } 1792 1793 # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as 1794 # they are both meant to be used in analyze_outcomes.py for driver's coverage 1795 # analysis. 1796 component_test_tfm_config_no_p256m () { 1797 common_tfm_config 1798 1799 # Disable P256M driver, which is on by default, so that analyze_outcomes 1800 # can compare this test with test_tfm_config_p256m_driver_accel_ec 1801 echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" 1802 1803 msg "build: TF-M config without p256m" 1804 make CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests 1805 1806 # Check that p256m was not built 1807 not grep p256_ecdsa_ library/libmbedcrypto.a 1808 1809 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration 1810 # files, so we want to ensure that it has not be re-enabled accidentally. 1811 not grep mbedtls_cipher library/cipher.o 1812 1813 msg "test: TF-M config without p256m" 1814 make test 1815 } 1816 1817 # This is an helper used by: 1818 # - component_test_psa_ecc_key_pair_no_derive 1819 # - component_test_psa_ecc_key_pair_no_generate 1820 # The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols 1821 # enabled, but one. Input arguments are as follows: 1822 # - $1 is the key type under test, i.e. ECC/RSA/DH 1823 # - $2 is the key option to be unset (i.e. generate, derive, etc) 1824 build_and_test_psa_want_key_pair_partial () { 1825 key_type=$1 1826 unset_option=$2 1827 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" 1828 1829 msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" 1830 scripts/config.py full 1831 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1832 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1833 1834 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in 1835 # crypto_config.h so we just disable the one we don't want. 1836 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" 1837 1838 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 1839 1840 msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" 1841 make test 1842 } 1843 1844 component_test_psa_ecc_key_pair_no_derive () { 1845 build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" 1846 } 1847 1848 component_test_psa_ecc_key_pair_no_generate () { 1849 build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" 1850 } 1851 1852 config_psa_crypto_accel_rsa () { 1853 driver_only=$1 1854 1855 # Start from crypto_full config (no X.509, no TLS) 1856 # Note: PK will be ignored when comparing driver to reference in 1857 # analyze_outcomes.py 1858 helper_libtestdriver1_adjust_config "crypto_full" 1859 1860 if [ "$driver_only" -eq 1 ]; then 1861 # Remove RSA support and its dependencies 1862 scripts/config.py unset MBEDTLS_RSA_C 1863 scripts/config.py unset MBEDTLS_PKCS1_V15 1864 scripts/config.py unset MBEDTLS_PKCS1_V21 1865 1866 # We need PEM parsing in the test library as well to support the import 1867 # of PEM encoded RSA keys. 1868 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C 1869 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C 1870 fi 1871 } 1872 1873 component_test_psa_crypto_config_accel_rsa_crypto () { 1874 msg "build: crypto_full with accelerated RSA" 1875 1876 loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ 1877 ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ 1878 KEY_TYPE_RSA_PUBLIC_KEY \ 1879 KEY_TYPE_RSA_KEY_PAIR_BASIC \ 1880 KEY_TYPE_RSA_KEY_PAIR_GENERATE \ 1881 KEY_TYPE_RSA_KEY_PAIR_IMPORT \ 1882 KEY_TYPE_RSA_KEY_PAIR_EXPORT" 1883 1884 # Configure 1885 # --------- 1886 1887 config_psa_crypto_accel_rsa 1 1888 1889 # Build 1890 # ----- 1891 1892 # These hashes are needed for unit tests. 1893 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1894 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" 1895 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1896 1897 helper_libtestdriver1_make_main "$loc_accel_list" 1898 1899 # Make sure this was not re-enabled by accident (additive config) 1900 not grep mbedtls_rsa library/rsa.o 1901 1902 # Run the tests 1903 # ------------- 1904 1905 msg "test: crypto_full with accelerated RSA" 1906 make test 1907 } 1908 1909 component_test_psa_crypto_config_reference_rsa_crypto () { 1910 msg "build: crypto_full with non-accelerated RSA" 1911 1912 # Configure 1913 # --------- 1914 config_psa_crypto_accel_rsa 0 1915 1916 # Build 1917 # ----- 1918 make 1919 1920 # Run the tests 1921 # ------------- 1922 msg "test: crypto_full with non-accelerated RSA" 1923 make test 1924 } 1925 1926 # This is a temporary test to verify that full RSA support is present even when 1927 # only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. 1928 component_test_new_psa_want_key_pair_symbol () { 1929 msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 1930 1931 # Create a temporary output file unless there is already one set 1932 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then 1933 REMOVE_OUTCOME_ON_EXIT="no" 1934 else 1935 REMOVE_OUTCOME_ON_EXIT="yes" 1936 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" 1937 export MBEDTLS_TEST_OUTCOME_FILE 1938 fi 1939 1940 # Start from crypto configuration 1941 scripts/config.py crypto 1942 1943 # Remove RSA support and its dependencies 1944 scripts/config.py unset MBEDTLS_PKCS1_V15 1945 scripts/config.py unset MBEDTLS_PKCS1_V21 1946 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1947 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1948 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1949 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 1950 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 1951 scripts/config.py unset MBEDTLS_RSA_C 1952 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1953 1954 # Enable PSA support 1955 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 1956 1957 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure 1958 # that proper translations is done in crypto_legacy.h. 1959 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1960 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1961 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1962 1963 make 1964 1965 msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 1966 make test 1967 1968 # Parse only 1 relevant line from the outcome file, i.e. a test which is 1969 # performing RSA signature. 1970 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" 1971 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" 1972 1973 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then 1974 rm $MBEDTLS_TEST_OUTCOME_FILE 1975 fi 1976 } 1977 1978 component_test_psa_crypto_config_accel_hash () { 1979 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" 1980 1981 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 1982 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1983 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1984 1985 # Configure 1986 # --------- 1987 1988 # Start from default config (no USE_PSA) 1989 helper_libtestdriver1_adjust_config "default" 1990 1991 # Disable the things that are being accelerated 1992 scripts/config.py unset MBEDTLS_MD5_C 1993 scripts/config.py unset MBEDTLS_RIPEMD160_C 1994 scripts/config.py unset MBEDTLS_SHA1_C 1995 scripts/config.py unset MBEDTLS_SHA224_C 1996 scripts/config.py unset MBEDTLS_SHA256_C 1997 scripts/config.py unset MBEDTLS_SHA384_C 1998 scripts/config.py unset MBEDTLS_SHA512_C 1999 scripts/config.py unset MBEDTLS_SHA3_C 2000 2001 # Build 2002 # ----- 2003 2004 helper_libtestdriver1_make_drivers "$loc_accel_list" 2005 2006 helper_libtestdriver1_make_main "$loc_accel_list" 2007 2008 # There's a risk of something getting re-enabled via config_psa.h; 2009 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 2010 not grep mbedtls_md5 library/md5.o 2011 not grep mbedtls_sha1 library/sha1.o 2012 not grep mbedtls_sha256 library/sha256.o 2013 not grep mbedtls_sha512 library/sha512.o 2014 not grep mbedtls_ripemd160 library/ripemd160.o 2015 2016 # Run the tests 2017 # ------------- 2018 2019 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" 2020 make test 2021 } 2022 2023 component_test_psa_crypto_config_accel_hash_keep_builtins () { 2024 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" 2025 # This component ensures that all the test cases for 2026 # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run. 2027 2028 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 2029 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2030 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2031 2032 # Start from default config (no USE_PSA) 2033 helper_libtestdriver1_adjust_config "default" 2034 2035 helper_libtestdriver1_make_drivers "$loc_accel_list" 2036 2037 helper_libtestdriver1_make_main "$loc_accel_list" 2038 2039 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" 2040 make test 2041 } 2042 2043 # This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. 2044 component_build_psa_accel_alg_ecdh () { 2045 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" 2046 scripts/config.py full 2047 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2048 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2049 scripts/config.py unset MBEDTLS_ECDH_C 2050 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 2051 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 2052 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 2053 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 2054 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 2055 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2056 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2057 } 2058 2059 # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. 2060 component_build_psa_accel_alg_hmac () { 2061 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" 2062 scripts/config.py full 2063 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2064 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2065 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2066 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2067 } 2068 2069 # This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. 2070 component_build_psa_accel_alg_hkdf () { 2071 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" 2072 scripts/config.py full 2073 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2074 scripts/config.py unset MBEDTLS_HKDF_C 2075 # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. 2076 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2077 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2078 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2079 } 2080 2081 # This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. 2082 component_build_psa_accel_alg_md5 () { 2083 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" 2084 scripts/config.py full 2085 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2086 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2087 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2088 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2089 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2090 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2091 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2092 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 2093 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2094 scripts/config.py unset MBEDTLS_LMS_C 2095 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2096 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2097 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2098 } 2099 2100 # This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. 2101 component_build_psa_accel_alg_ripemd160 () { 2102 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" 2103 scripts/config.py full 2104 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2105 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2106 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2107 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2108 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2109 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2110 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2111 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 2112 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2113 scripts/config.py unset MBEDTLS_LMS_C 2114 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2115 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2116 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2117 } 2118 2119 # This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. 2120 component_build_psa_accel_alg_sha1 () { 2121 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" 2122 scripts/config.py full 2123 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2124 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2125 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2126 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2127 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2128 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2129 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2130 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 2131 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2132 scripts/config.py unset MBEDTLS_LMS_C 2133 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2134 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2135 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2136 } 2137 2138 # This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. 2139 component_build_psa_accel_alg_sha224 () { 2140 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" 2141 scripts/config.py full 2142 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2143 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2144 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2145 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2146 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2147 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2148 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 2149 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2150 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2151 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2152 } 2153 2154 # This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. 2155 component_build_psa_accel_alg_sha256 () { 2156 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" 2157 scripts/config.py full 2158 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2159 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2160 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2161 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2162 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2163 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2164 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2165 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 2166 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2167 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2168 } 2169 2170 # This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. 2171 component_build_psa_accel_alg_sha384 () { 2172 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" 2173 scripts/config.py full 2174 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2175 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2176 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2177 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2178 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2179 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2180 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2181 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2182 scripts/config.py unset MBEDTLS_LMS_C 2183 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2184 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2185 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2186 } 2187 2188 # This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. 2189 component_build_psa_accel_alg_sha512 () { 2190 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" 2191 scripts/config.py full 2192 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2193 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2194 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2195 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2196 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2197 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2198 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2199 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2200 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2201 scripts/config.py unset MBEDTLS_LMS_C 2202 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2203 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2204 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2205 } 2206 2207 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2208 component_build_psa_accel_alg_rsa_pkcs1v15_crypt () { 2209 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2210 scripts/config.py full 2211 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2212 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2213 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 2214 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 2215 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 2216 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 2217 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2218 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2219 } 2220 2221 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2222 component_build_psa_accel_alg_rsa_pkcs1v15_sign () { 2223 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2224 scripts/config.py full 2225 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2226 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2227 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 2228 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 2229 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 2230 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 2231 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2232 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2233 } 2234 2235 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2236 component_build_psa_accel_alg_rsa_oaep () { 2237 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2238 scripts/config.py full 2239 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2240 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2241 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1 2242 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 2243 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 2244 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 2245 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2246 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2247 } 2248 2249 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2250 component_build_psa_accel_alg_rsa_pss () { 2251 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2252 scripts/config.py full 2253 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2254 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2255 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 2256 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 2257 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 2258 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 2259 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2260 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2261 } 2262 2263 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2264 component_build_psa_accel_key_type_rsa_key_pair () { 2265 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS" 2266 scripts/config.py full 2267 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2268 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2269 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 2270 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 2271 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 2272 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 2273 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 2274 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2275 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2276 } 2277 2278 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2279 component_build_psa_accel_key_type_rsa_public_key () { 2280 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" 2281 scripts/config.py full 2282 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2283 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2284 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 2285 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 2286 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2287 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../framework/tests/include" LDFLAGS="$ASAN_CFLAGS" 2288 } 2289 2290 # Auxiliary function to build config for hashes with and without drivers 2291 config_psa_crypto_hash_use_psa () { 2292 driver_only="$1" 2293 # start with config full for maximum coverage (also enables USE_PSA) 2294 helper_libtestdriver1_adjust_config "full" 2295 if [ "$driver_only" -eq 1 ]; then 2296 # disable the built-in implementation of hashes 2297 scripts/config.py unset MBEDTLS_MD5_C 2298 scripts/config.py unset MBEDTLS_RIPEMD160_C 2299 scripts/config.py unset MBEDTLS_SHA1_C 2300 scripts/config.py unset MBEDTLS_SHA224_C 2301 scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below 2302 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 2303 scripts/config.py unset MBEDTLS_SHA384_C 2304 scripts/config.py unset MBEDTLS_SHA512_C 2305 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2306 scripts/config.py unset MBEDTLS_SHA3_C 2307 fi 2308 } 2309 2310 # Note that component_test_psa_crypto_config_reference_hash_use_psa 2311 # is related to this component and both components need to be kept in sync. 2312 # For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. 2313 component_test_psa_crypto_config_accel_hash_use_psa () { 2314 msg "test: full with accelerated hashes" 2315 2316 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 2317 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2318 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2319 2320 # Configure 2321 # --------- 2322 2323 config_psa_crypto_hash_use_psa 1 2324 2325 # Build 2326 # ----- 2327 2328 helper_libtestdriver1_make_drivers "$loc_accel_list" 2329 2330 helper_libtestdriver1_make_main "$loc_accel_list" 2331 2332 # There's a risk of something getting re-enabled via config_psa.h; 2333 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 2334 not grep mbedtls_md5 library/md5.o 2335 not grep mbedtls_sha1 library/sha1.o 2336 not grep mbedtls_sha256 library/sha256.o 2337 not grep mbedtls_sha512 library/sha512.o 2338 not grep mbedtls_ripemd160 library/ripemd160.o 2339 2340 # Run the tests 2341 # ------------- 2342 2343 msg "test: full with accelerated hashes" 2344 make test 2345 2346 # This is mostly useful so that we can later compare outcome files with 2347 # the reference config in analyze_outcomes.py, to check that the 2348 # dependency declarations in ssl-opt.sh and in TLS code are correct. 2349 msg "test: ssl-opt.sh, full with accelerated hashes" 2350 tests/ssl-opt.sh 2351 2352 # This is to make sure all ciphersuites are exercised, but we don't need 2353 # interop testing (besides, we already got some from ssl-opt.sh). 2354 msg "test: compat.sh, full with accelerated hashes" 2355 tests/compat.sh -p mbedTLS -V YES 2356 } 2357 2358 # This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa 2359 # without accelerated hash. The outcome from both components are used by the analyze_outcomes.py 2360 # script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). 2361 # Both components need to be kept in sync. 2362 component_test_psa_crypto_config_reference_hash_use_psa () { 2363 msg "test: full without accelerated hashes" 2364 2365 config_psa_crypto_hash_use_psa 0 2366 2367 make 2368 2369 msg "test: full without accelerated hashes" 2370 make test 2371 2372 msg "test: ssl-opt.sh, full without accelerated hashes" 2373 tests/ssl-opt.sh 2374 } 2375 2376 # Auxiliary function to build config for hashes with and without drivers 2377 config_psa_crypto_hmac_use_psa () { 2378 driver_only="$1" 2379 # start with config full for maximum coverage (also enables USE_PSA) 2380 helper_libtestdriver1_adjust_config "full" 2381 2382 if [ "$driver_only" -eq 1 ]; then 2383 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT 2384 # is still enabled though (for ENTROPY_C among others). 2385 scripts/config.py unset MBEDTLS_MD_C 2386 # Disable also the builtin hashes since they are supported by the driver 2387 # and MD module is able to perform PSA dispathing. 2388 scripts/config.py unset-all MBEDTLS_SHA 2389 scripts/config.py unset MBEDTLS_MD5_C 2390 scripts/config.py unset MBEDTLS_RIPEMD160_C 2391 fi 2392 2393 # Direct dependencies of MD_C. We disable them also in the reference 2394 # component to work with the same set of features. 2395 scripts/config.py unset MBEDTLS_PKCS7_C 2396 scripts/config.py unset MBEDTLS_PKCS5_C 2397 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 2398 scripts/config.py unset MBEDTLS_HKDF_C 2399 # Dependencies of HMAC_DRBG 2400 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC 2401 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA 2402 } 2403 2404 component_test_psa_crypto_config_accel_hmac () { 2405 msg "test: full with accelerated hmac" 2406 2407 loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ 2408 ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 2409 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2410 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2411 2412 # Configure 2413 # --------- 2414 2415 config_psa_crypto_hmac_use_psa 1 2416 2417 # Build 2418 # ----- 2419 2420 helper_libtestdriver1_make_drivers "$loc_accel_list" 2421 2422 helper_libtestdriver1_make_main "$loc_accel_list" 2423 2424 # Ensure that built-in support for HMAC is disabled. 2425 not grep mbedtls_md_hmac library/md.o 2426 2427 # Run the tests 2428 # ------------- 2429 2430 msg "test: full with accelerated hmac" 2431 make test 2432 } 2433 2434 component_test_psa_crypto_config_reference_hmac () { 2435 msg "test: full without accelerated hmac" 2436 2437 config_psa_crypto_hmac_use_psa 0 2438 2439 make 2440 2441 msg "test: full without accelerated hmac" 2442 make test 2443 } 2444 2445 component_test_psa_crypto_config_accel_des () { 2446 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" 2447 2448 # Albeit this components aims at accelerating DES which should only support 2449 # CBC and ECB modes, we need to accelerate more than that otherwise DES_C 2450 # would automatically be re-enabled by "config_adjust_legacy_from_psa.c" 2451 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ 2452 ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \ 2453 KEY_TYPE_DES" 2454 2455 # Note: we cannot accelerate all ciphers' key types otherwise we would also 2456 # have to either disable CCM/GCM or accelerate them, but that's out of scope 2457 # of this component. This limitation will be addressed by #8598. 2458 2459 # Configure 2460 # --------- 2461 2462 # Start from the full config 2463 helper_libtestdriver1_adjust_config "full" 2464 2465 # Disable the things that are being accelerated 2466 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2467 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 2468 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR 2469 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB 2470 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB 2471 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2472 scripts/config.py unset MBEDTLS_DES_C 2473 scripts/config.py unset MBEDTLS_CMAC_C 2474 2475 # Build 2476 # ----- 2477 2478 helper_libtestdriver1_make_drivers "$loc_accel_list" 2479 2480 helper_libtestdriver1_make_main "$loc_accel_list" 2481 2482 # Make sure this was not re-enabled by accident (additive config) 2483 not grep mbedtls_des library/des.o 2484 2485 # Run the tests 2486 # ------------- 2487 2488 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" 2489 make test 2490 } 2491 2492 component_test_psa_crypto_config_accel_aead () { 2493 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" 2494 2495 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ 2496 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 2497 2498 # Configure 2499 # --------- 2500 2501 # Start from full config 2502 helper_libtestdriver1_adjust_config "full" 2503 2504 # Disable things that are being accelerated 2505 scripts/config.py unset MBEDTLS_GCM_C 2506 scripts/config.py unset MBEDTLS_CCM_C 2507 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2508 2509 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. 2510 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 2511 2512 # Build 2513 # ----- 2514 2515 helper_libtestdriver1_make_drivers "$loc_accel_list" 2516 2517 helper_libtestdriver1_make_main "$loc_accel_list" 2518 2519 # Make sure this was not re-enabled by accident (additive config) 2520 not grep mbedtls_ccm library/ccm.o 2521 not grep mbedtls_gcm library/gcm.o 2522 not grep mbedtls_chachapoly library/chachapoly.o 2523 2524 # Run the tests 2525 # ------------- 2526 2527 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" 2528 make test 2529 } 2530 2531 # This is a common configuration function used in: 2532 # - component_test_psa_crypto_config_accel_cipher_aead_cmac 2533 # - component_test_psa_crypto_config_reference_cipher_aead_cmac 2534 common_psa_crypto_config_accel_cipher_aead_cmac () { 2535 # Start from the full config 2536 helper_libtestdriver1_adjust_config "full" 2537 2538 scripts/config.py unset MBEDTLS_NIST_KW_C 2539 } 2540 2541 # The 2 following test components, i.e. 2542 # - component_test_psa_crypto_config_accel_cipher_aead_cmac 2543 # - component_test_psa_crypto_config_reference_cipher_aead_cmac 2544 # are meant to be used together in analyze_outcomes.py script in order to test 2545 # driver's coverage for ciphers and AEADs. 2546 component_test_psa_crypto_config_accel_cipher_aead_cmac () { 2547 msg "build: full config with accelerated cipher inc. AEAD and CMAC" 2548 2549 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ 2550 ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \ 2551 ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ 2552 KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" 2553 2554 # Configure 2555 # --------- 2556 2557 common_psa_crypto_config_accel_cipher_aead_cmac 2558 2559 # Disable the things that are being accelerated 2560 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2561 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 2562 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR 2563 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB 2564 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB 2565 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2566 scripts/config.py unset MBEDTLS_GCM_C 2567 scripts/config.py unset MBEDTLS_CCM_C 2568 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2569 scripts/config.py unset MBEDTLS_CMAC_C 2570 scripts/config.py unset MBEDTLS_DES_C 2571 scripts/config.py unset MBEDTLS_AES_C 2572 scripts/config.py unset MBEDTLS_ARIA_C 2573 scripts/config.py unset MBEDTLS_CHACHA20_C 2574 scripts/config.py unset MBEDTLS_CAMELLIA_C 2575 2576 # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA 2577 # does not depend on it. 2578 scripts/config.py unset MBEDTLS_CIPHER_C 2579 2580 # Build 2581 # ----- 2582 2583 helper_libtestdriver1_make_drivers "$loc_accel_list" 2584 2585 helper_libtestdriver1_make_main "$loc_accel_list" 2586 2587 # Make sure this was not re-enabled by accident (additive config) 2588 not grep mbedtls_cipher library/cipher.o 2589 not grep mbedtls_des library/des.o 2590 not grep mbedtls_aes library/aes.o 2591 not grep mbedtls_aria library/aria.o 2592 not grep mbedtls_camellia library/camellia.o 2593 not grep mbedtls_ccm library/ccm.o 2594 not grep mbedtls_gcm library/gcm.o 2595 not grep mbedtls_chachapoly library/chachapoly.o 2596 not grep mbedtls_cmac library/cmac.o 2597 2598 # Run the tests 2599 # ------------- 2600 2601 msg "test: full config with accelerated cipher inc. AEAD and CMAC" 2602 make test 2603 2604 msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" 2605 tests/ssl-opt.sh 2606 2607 msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" 2608 tests/compat.sh -V NO -p mbedTLS 2609 } 2610 2611 component_test_psa_crypto_config_reference_cipher_aead_cmac () { 2612 msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" 2613 common_psa_crypto_config_accel_cipher_aead_cmac 2614 2615 make 2616 2617 msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" 2618 make test 2619 2620 msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" 2621 tests/ssl-opt.sh 2622 2623 msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" 2624 tests/compat.sh -V NO -p mbedTLS 2625 } 2626 2627 common_block_cipher_dispatch () { 2628 TEST_WITH_DRIVER="$1" 2629 2630 # Start from the full config 2631 helper_libtestdriver1_adjust_config "full" 2632 2633 if [ "$TEST_WITH_DRIVER" -eq 1 ]; then 2634 # Disable key types that are accelerated (there is no legacy equivalent 2635 # symbol for ECB) 2636 scripts/config.py unset MBEDTLS_AES_C 2637 scripts/config.py unset MBEDTLS_ARIA_C 2638 scripts/config.py unset MBEDTLS_CAMELLIA_C 2639 fi 2640 2641 # Disable cipher's modes that, when not accelerated, cause 2642 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". 2643 # Keep this also in the reference component in order to skip the same tests 2644 # that were skipped in the accelerated one. 2645 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR 2646 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB 2647 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB 2648 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 2649 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 2650 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC 2651 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 2652 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 2653 2654 # Disable direct dependency on AES_C 2655 scripts/config.py unset MBEDTLS_NIST_KW_C 2656 2657 # Prevent the cipher module from using deprecated PSA path. The reason is 2658 # that otherwise there will be tests relying on "aes_info" (defined in 2659 # "cipher_wrap.c") whose functions are not available when AES_C is 2660 # not defined. ARIA and Camellia are not a problem in this case because 2661 # the PSA path is not tested for these key types. 2662 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED 2663 } 2664 2665 component_test_full_block_cipher_psa_dispatch_static_keystore () { 2666 msg "build: full + PSA dispatch in block_cipher with static keystore" 2667 # Check that the static key store works well when CTR_DRBG uses a 2668 # PSA key for AES. 2669 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 2670 2671 loc_accel_list="ALG_ECB_NO_PADDING \ 2672 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 2673 2674 # Configure 2675 # --------- 2676 2677 common_block_cipher_dispatch 1 2678 2679 # Build 2680 # ----- 2681 2682 helper_libtestdriver1_make_drivers "$loc_accel_list" 2683 2684 helper_libtestdriver1_make_main "$loc_accel_list" 2685 2686 # Make sure disabled components were not re-enabled by accident (additive 2687 # config) 2688 not grep mbedtls_aes_ library/aes.o 2689 not grep mbedtls_aria_ library/aria.o 2690 not grep mbedtls_camellia_ library/camellia.o 2691 2692 # Run the tests 2693 # ------------- 2694 2695 msg "test: full + PSA dispatch in block_cipher with static keystore" 2696 make test 2697 } 2698 2699 component_test_full_block_cipher_psa_dispatch () { 2700 msg "build: full + PSA dispatch in block_cipher" 2701 2702 loc_accel_list="ALG_ECB_NO_PADDING \ 2703 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 2704 2705 # Configure 2706 # --------- 2707 2708 common_block_cipher_dispatch 1 2709 2710 # Build 2711 # ----- 2712 2713 helper_libtestdriver1_make_drivers "$loc_accel_list" 2714 2715 helper_libtestdriver1_make_main "$loc_accel_list" 2716 2717 # Make sure disabled components were not re-enabled by accident (additive 2718 # config) 2719 not grep mbedtls_aes_ library/aes.o 2720 not grep mbedtls_aria_ library/aria.o 2721 not grep mbedtls_camellia_ library/camellia.o 2722 2723 # Run the tests 2724 # ------------- 2725 2726 msg "test: full + PSA dispatch in block_cipher" 2727 make test 2728 } 2729 2730 # This is the reference component of component_test_full_block_cipher_psa_dispatch 2731 component_test_full_block_cipher_legacy_dispatch () { 2732 msg "build: full + legacy dispatch in block_cipher" 2733 2734 common_block_cipher_dispatch 0 2735 2736 make 2737 2738 msg "test: full + legacy dispatch in block_cipher" 2739 make test 2740 } 2741 2742 component_test_aead_chachapoly_disabled () { 2743 msg "build: full minus CHACHAPOLY" 2744 scripts/config.py full 2745 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2746 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 2747 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 2748 2749 msg "test: full minus CHACHAPOLY" 2750 make test 2751 } 2752 2753 component_test_aead_only_ccm () { 2754 msg "build: full minus CHACHAPOLY and GCM" 2755 scripts/config.py full 2756 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2757 scripts/config.py unset MBEDTLS_GCM_C 2758 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 2759 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM 2760 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 2761 2762 msg "test: full minus CHACHAPOLY and GCM" 2763 make test 2764 } 2765 2766 component_test_ccm_aes_sha256 () { 2767 msg "build: CCM + AES + SHA256 configuration" 2768 2769 cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H" 2770 cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" 2771 2772 make 2773 2774 msg "test: CCM + AES + SHA256 configuration" 2775 make test 2776 } 2777 2778 # Test that the given .o file builds with all (valid) combinations of the given options. 2779 # 2780 # Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ... 2781 # 2782 # The validator function is the name of a function to validate the combination of options. 2783 # It may be "" if all combinations are valid. 2784 # It receives a string containing a combination of options, as passed to the compiler, 2785 # e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid. 2786 build_test_config_combos () { 2787 file=$1 2788 shift 2789 validate_options=$1 2790 shift 2791 options=("$@") 2792 2793 # clear all of the options so that they can be overridden on the clang commandline 2794 for opt in "${options[@]}"; do 2795 ./scripts/config.py unset ${opt} 2796 done 2797 2798 # enter the directory containing the target file & strip the dir from the filename 2799 cd $(dirname ${file}) 2800 file=$(basename ${file}) 2801 2802 # The most common issue is unused variables/functions, so ensure -Wunused is set. 2803 warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" 2804 2805 # Extract the command generated by the Makefile to build the target file. 2806 # This ensures that we have any include paths, macro definitions, etc 2807 # that may be applied by make. 2808 # Add -fsyntax-only as we only want a syntax check and don't need to generate a file. 2809 compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c" 2810 2811 makefile=$(TMPDIR=. mktemp) 2812 deps="" 2813 2814 len=${#options[@]} 2815 source_file=${file%.o}.c 2816 2817 targets=0 2818 echo 'include Makefile' >${makefile} 2819 2820 for ((i = 0; i < $((2**${len})); i++)); do 2821 # generate each of 2^n combinations of options 2822 # each bit of $i is used to determine if options[i] will be set or not 2823 target="t" 2824 clang_args="" 2825 for ((j = 0; j < ${len}; j++)); do 2826 if (((i >> j) & 1)); then 2827 opt=-D${options[$j]} 2828 clang_args="${clang_args} ${opt}" 2829 target="${target}${opt}" 2830 fi 2831 done 2832 2833 # if combination is not known to be invalid, add it to the makefile 2834 if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then 2835 cmd="${compile_cmd} ${clang_args}" 2836 echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile} 2837 2838 deps="${deps} ${target}" 2839 ((++targets)) 2840 fi 2841 done 2842 2843 echo "build_test_config_combos: ${deps}" >> ${makefile} 2844 2845 # execute all of the commands via Make (probably in parallel) 2846 make -s -f ${makefile} build_test_config_combos 2847 echo "$targets targets checked" 2848 2849 # clean up the temporary makefile 2850 rm ${makefile} 2851 } 2852 2853 validate_aes_config_variations () { 2854 if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then 2855 if [[ "$1" == *"MBEDTLS_PADLOCK_C"* ]]; then 2856 return 1 2857 fi 2858 if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \ 2859 ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then 2860 return 1 2861 fi 2862 fi 2863 return 0 2864 } 2865 2866 component_build_aes_variations () { 2867 # 18s - around 90ms per clang invocation on M1 Pro 2868 # 2869 # aes.o has many #if defined(...) guards that intersect in complex ways. 2870 # Test that all the combinations build cleanly. 2871 2872 MBEDTLS_ROOT_DIR="$PWD" 2873 msg "build: aes.o for all combinations of relevant config options" 2874 2875 build_test_config_combos library/aes.o validate_aes_config_variations \ 2876 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ 2877 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ 2878 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ 2879 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" 2880 2881 cd "$MBEDTLS_ROOT_DIR" 2882 msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT" 2883 2884 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES, 2885 # manually set or unset those configurations to check 2886 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. 2887 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 2888 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2889 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2890 scripts/config.py unset MBEDTLS_DES_C 2891 scripts/config.py unset MBEDTLS_NIST_KW_C 2892 build_test_config_combos library/aes.o validate_aes_config_variations \ 2893 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ 2894 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ 2895 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ 2896 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" 2897 } 2898 2899 component_test_sha3_variations () { 2900 msg "sha3 loop unroll variations" 2901 2902 # define minimal config sufficient to test SHA3 2903 cat > include/mbedtls/mbedtls_config.h << END 2904 #define MBEDTLS_SELF_TEST 2905 #define MBEDTLS_SHA3_C 2906 END 2907 2908 msg "all loops unrolled" 2909 make clean 2910 make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" 2911 ./tests/test_suite_shax 2912 2913 msg "all loops rolled up" 2914 make clean 2915 make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" 2916 ./tests/test_suite_shax 2917 } 2918 2919 # For timebeing, no aarch64 gcc available in CI and no arm64 CI node. 2920 component_build_aes_aesce_armcc () { 2921 msg "Build: AESCE test on arm64 platform without plain C." 2922 scripts/config.py baremetal 2923 2924 # armc[56] don't support SHA-512 intrinsics 2925 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2926 2927 # Stop armclang warning about feature detection for A64_CRYPTO. 2928 # With this enabled, the library does build correctly under armclang, 2929 # but in baremetal builds (as tested here), feature detection is 2930 # unavailable, and the user is notified via a #warning. So enabling 2931 # this feature would prevent us from building with -Werror on 2932 # armclang. Tracked in #7198. 2933 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 2934 scripts/config.py set MBEDTLS_HAVE_ASM 2935 2936 msg "AESCE, build with default configuration." 2937 scripts/config.py set MBEDTLS_AESCE_C 2938 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 2939 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 2940 2941 msg "AESCE, build AESCE only" 2942 scripts/config.py set MBEDTLS_AESCE_C 2943 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY 2944 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 2945 } 2946 2947 support_build_aes_aesce_armcc () { 2948 support_build_armcc 2949 } 2950 2951 component_test_aes_only_128_bit_keys () { 2952 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" 2953 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2954 scripts/config.py unset MBEDTLS_PADLOCK_C 2955 2956 make CFLAGS='-O2 -Werror -Wall -Wextra' 2957 2958 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" 2959 make test 2960 } 2961 2962 component_test_no_ctr_drbg_aes_only_128_bit_keys () { 2963 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 2964 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2965 scripts/config.py unset MBEDTLS_CTR_DRBG_C 2966 scripts/config.py unset MBEDTLS_PADLOCK_C 2967 2968 make CC=clang CFLAGS='-Werror -Wall -Wextra' 2969 2970 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 2971 make test 2972 } 2973 2974 component_test_aes_only_128_bit_keys_have_builtins () { 2975 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2976 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2977 scripts/config.py unset MBEDTLS_PADLOCK_C 2978 scripts/config.py unset MBEDTLS_AESNI_C 2979 scripts/config.py unset MBEDTLS_AESCE_C 2980 2981 make CFLAGS='-O2 -Werror -Wall -Wextra' 2982 2983 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2984 make test 2985 2986 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2987 programs/test/selftest 2988 } 2989 2990 component_test_gcm_largetable () { 2991 msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" 2992 scripts/config.py set MBEDTLS_GCM_LARGE_TABLE 2993 scripts/config.py unset MBEDTLS_PADLOCK_C 2994 scripts/config.py unset MBEDTLS_AESNI_C 2995 scripts/config.py unset MBEDTLS_AESCE_C 2996 2997 make CFLAGS='-O2 -Werror -Wall -Wextra' 2998 2999 msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" 3000 make test 3001 } 3002 3003 component_test_aes_fewer_tables () { 3004 msg "build: default config with AES_FEWER_TABLES enabled" 3005 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 3006 make CFLAGS='-O2 -Werror -Wall -Wextra' 3007 3008 msg "test: AES_FEWER_TABLES" 3009 make test 3010 } 3011 3012 component_test_aes_rom_tables () { 3013 msg "build: default config with AES_ROM_TABLES enabled" 3014 scripts/config.py set MBEDTLS_AES_ROM_TABLES 3015 make CFLAGS='-O2 -Werror -Wall -Wextra' 3016 3017 msg "test: AES_ROM_TABLES" 3018 make test 3019 } 3020 3021 component_test_aes_fewer_tables_and_rom_tables () { 3022 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" 3023 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 3024 scripts/config.py set MBEDTLS_AES_ROM_TABLES 3025 make CFLAGS='-O2 -Werror -Wall -Wextra' 3026 3027 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" 3028 make test 3029 } 3030 3031 # helper for common_block_cipher_no_decrypt() which: 3032 # - enable/disable the list of config options passed from -s/-u respectively. 3033 # - build 3034 # - test for tests_suite_xxx 3035 # - selftest 3036 # 3037 # Usage: helper_block_cipher_no_decrypt_build_test 3038 # [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]] 3039 # Options: -s set_opts the list of config options to enable 3040 # -u unset_opts the list of config options to disable 3041 # -c cflags the list of options passed to CFLAGS 3042 # -l ldflags the list of options passed to LDFLAGS 3043 helper_block_cipher_no_decrypt_build_test () { 3044 while [ $# -gt 0 ]; do 3045 case "$1" in 3046 -s) 3047 shift; local set_opts="$1";; 3048 -u) 3049 shift; local unset_opts="$1";; 3050 -c) 3051 shift; local cflags="-Werror -Wall -Wextra $1";; 3052 -l) 3053 shift; local ldflags="$1";; 3054 esac 3055 shift 3056 done 3057 set_opts="${set_opts:-}" 3058 unset_opts="${unset_opts:-}" 3059 cflags="${cflags:-}" 3060 ldflags="${ldflags:-}" 3061 3062 [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts 3063 [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts 3064 3065 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 3066 make clean 3067 make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" 3068 3069 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA 3070 not grep mbedtls_aes_setkey_dec library/aes.o 3071 not grep mbedtls_aria_setkey_dec library/aria.o 3072 not grep mbedtls_camellia_setkey_dec library/camellia.o 3073 # Make sure we don't have mbedtls_internal_aes_decrypt in AES 3074 not grep mbedtls_internal_aes_decrypt library/aes.o 3075 # Make sure we don't have mbedtls_aesni_inverse_key in AESNI 3076 not grep mbedtls_aesni_inverse_key library/aesni.o 3077 3078 msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 3079 make test 3080 3081 msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 3082 programs/test/selftest 3083 } 3084 3085 # This is a common configuration function used in: 3086 # - component_test_block_cipher_no_decrypt_aesni_legacy() 3087 # - component_test_block_cipher_no_decrypt_aesni_use_psa() 3088 # in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, 3089 # AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics 3090 # on x86. 3091 common_block_cipher_no_decrypt () { 3092 # test AESNI intrinsics 3093 helper_block_cipher_no_decrypt_build_test \ 3094 -s "MBEDTLS_AESNI_C" \ 3095 -c "-mpclmul -msse2 -maes" 3096 3097 # test AESNI assembly 3098 helper_block_cipher_no_decrypt_build_test \ 3099 -s "MBEDTLS_AESNI_C" \ 3100 -c "-mno-pclmul -mno-sse2 -mno-aes" 3101 3102 # test AES C implementation 3103 helper_block_cipher_no_decrypt_build_test \ 3104 -u "MBEDTLS_AESNI_C" 3105 3106 # test AESNI intrinsics for i386 target 3107 helper_block_cipher_no_decrypt_build_test \ 3108 -s "MBEDTLS_AESNI_C" \ 3109 -c "-m32 -mpclmul -msse2 -maes" \ 3110 -l "-m32" 3111 } 3112 3113 # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: 3114 # usage: 0: no PSA crypto configuration 3115 # 1: use PSA crypto configuration 3116 config_block_cipher_no_decrypt () { 3117 use_psa=$1 3118 3119 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 3120 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 3121 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 3122 scripts/config.py unset MBEDTLS_DES_C 3123 scripts/config.py unset MBEDTLS_NIST_KW_C 3124 3125 if [ "$use_psa" -eq 1 ]; then 3126 # Enable support for cryptographic mechanisms through the PSA API. 3127 # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. 3128 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 3129 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 3130 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 3131 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 3132 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES 3133 fi 3134 } 3135 3136 component_test_block_cipher_no_decrypt_aesni () { 3137 # This consistently causes an llvm crash on clang 3.8, so use gcc 3138 export CC=gcc 3139 config_block_cipher_no_decrypt 0 3140 common_block_cipher_no_decrypt 3141 } 3142 3143 component_test_block_cipher_no_decrypt_aesni_use_psa () { 3144 # This consistently causes an llvm crash on clang 3.8, so use gcc 3145 export CC=gcc 3146 config_block_cipher_no_decrypt 1 3147 common_block_cipher_no_decrypt 3148 } 3149 3150 support_test_block_cipher_no_decrypt_aesce_armcc () { 3151 support_build_armcc 3152 } 3153 3154 component_test_block_cipher_no_decrypt_aesce_armcc () { 3155 scripts/config.py baremetal 3156 3157 # armc[56] don't support SHA-512 intrinsics 3158 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 3159 3160 # Stop armclang warning about feature detection for A64_CRYPTO. 3161 # With this enabled, the library does build correctly under armclang, 3162 # but in baremetal builds (as tested here), feature detection is 3163 # unavailable, and the user is notified via a #warning. So enabling 3164 # this feature would prevent us from building with -Werror on 3165 # armclang. Tracked in #7198. 3166 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 3167 scripts/config.py set MBEDTLS_HAVE_ASM 3168 3169 config_block_cipher_no_decrypt 1 3170 3171 # test AESCE baremetal build 3172 scripts/config.py set MBEDTLS_AESCE_C 3173 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE" 3174 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra" 3175 3176 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA 3177 not grep mbedtls_aes_setkey_dec library/aes.o 3178 not grep mbedtls_aria_setkey_dec library/aria.o 3179 not grep mbedtls_camellia_setkey_dec library/camellia.o 3180 # Make sure we don't have mbedtls_internal_aes_decrypt in AES 3181 not grep mbedtls_internal_aes_decrypt library/aes.o 3182 # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE 3183 not grep mbedtls_aesce_inverse_key library/aesce.o 3184 not grep aesce_decrypt_block library/aesce.o 3185 } 3186 3187 component_test_ctr_drbg_aes_256_sha_256 () { 3188 msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3189 scripts/config.py full 3190 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3191 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 3192 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3193 make 3194 3195 msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3196 make test 3197 } 3198 3199 component_test_ctr_drbg_aes_128_sha_512 () { 3200 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 3201 scripts/config.py full 3202 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3203 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 3204 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3205 make 3206 3207 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 3208 make test 3209 } 3210 3211 component_test_ctr_drbg_aes_128_sha_256 () { 3212 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3213 scripts/config.py full 3214 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3215 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 3216 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 3217 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3218 make 3219 3220 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3221 make test 3222 } 3223 3224 component_test_se_default () { 3225 msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C" 3226 scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C 3227 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" 3228 3229 msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C" 3230 make test 3231 } 3232 3233 component_test_full_static_keystore () { 3234 msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" 3235 scripts/config.py full 3236 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 3237 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" 3238 3239 msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" 3240 make test 3241 } 3242 3243 component_test_psa_crypto_drivers () { 3244 msg "build: full + test drivers dispatching to builtins" 3245 scripts/config.py full 3246 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 3247 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" 3248 loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" 3249 loc_cflags="${loc_cflags} -I../framework/tests/include -O2" 3250 3251 make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" 3252 3253 msg "test: full + test drivers dispatching to builtins" 3254 make test 3255 } 3256 3257 component_build_psa_config_file () { 3258 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s 3259 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 3260 cp "$CRYPTO_CONFIG_H" psa_test_config.h 3261 echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" 3262 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" 3263 # Make sure this feature is enabled. We'll disable it in the next phase. 3264 programs/test/query_compile_time_config MBEDTLS_CMAC_C 3265 make clean 3266 3267 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s 3268 # In the user config, disable one feature and its dependencies, which will 3269 # reflect on the mbedtls configuration so we can query it with 3270 # query_compile_time_config. 3271 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h 3272 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h 3273 scripts/config.py unset MBEDTLS_CMAC_C 3274 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" 3275 not programs/test/query_compile_time_config MBEDTLS_CMAC_C 3276 3277 rm -f psa_test_config.h psa_user_config.h 3278 } 3279 3280 component_build_psa_alt_headers () { 3281 msg "build: make with PSA alt headers" # ~20s 3282 3283 # Generate alternative versions of the substitutable headers with the 3284 # same content except different include guards. 3285 make -C tests ../framework/tests/include/alt-extra/psa/crypto_platform_alt.h ../framework/tests/include/alt-extra/psa/crypto_struct_alt.h 3286 3287 # Build the library and some programs. 3288 # Don't build the fuzzers to avoid having to go through hoops to set 3289 # a correct include path for programs/fuzz/Makefile. 3290 make CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib 3291 make -C programs -o fuzz CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" 3292 3293 # Check that we're getting the alternative include guards and not the 3294 # original include guards. 3295 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H 3296 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H 3297 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H 3298 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H 3299 } 3300 3301 component_test_min_mpi_window_size () { 3302 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s 3303 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 3304 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3305 make 3306 3307 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s 3308 make test 3309 }