diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ddab7d0c3..d18d0fadb 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -255,7 +255,7 @@ * * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH * MBEDTLS_RSA_C - * MBEDTLS_PKCS1_V15 + * PSA_WANT_ALG_RSA_PKCS1V15_SIGN * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are @@ -331,7 +331,7 @@ * might still happen. For this reason, this is disabled by default. * * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE - * SHA-256 (via MBEDTLS_SHA256_C or a PSA driver) + * PSA_WANT_ALG_SHA_256 * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * This enables the following ciphersuites (if other requisites are @@ -446,7 +446,7 @@ * saved after the handshake to allow for more efficient serialization, so if * you don't need this feature you'll save RAM by disabling it. * - * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 * * Comment to disable the context serialization APIs. */ @@ -824,7 +824,7 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C + * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 */ #define MBEDTLS_SSL_TICKET_C @@ -859,7 +859,7 @@ * MBEDTLS_X509_CRT_PARSE_C * and at least one of: * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA - * MBEDTLS_PKCS1_V21 + * PSA_WANT_ALG_RSA_PSS * * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any @@ -903,7 +903,7 @@ * Caller: library/ssl*_client.c * library/ssl*_server.c * - * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines * * This module is required for SSL/TLS. @@ -1210,7 +1210,7 @@ * Enable parsing and verification of X.509 certificates, CRLs and CSRS * signed with RSASSA-PSS (aka PKCS#1 v2.1). * - * Requires: MBEDTLS_PKCS1_V21 + * Requires: PSA_WANT_ALG_RSA_PSS * * Comment this macro to disallow using RSASSA-PSS in certificates. */ diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 718e99eb4..837787bc7 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -60,7 +60,7 @@ void mbedtls_version_get_string_full(char *string); * support", "Mbed TLS modules" and "Mbed TLS feature * support" in mbedtls_config.h * - * \param feature The string for the define to check (e.g. "MBEDTLS_AES_C") + * \param feature The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C") * * \return 0 if the feature is present, * -1 if the feature is not present and diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a30871175..72dc9418f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2376,7 +2376,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ #endif /* PSA_HAVE_ALG_SOME_ECDSA */ -#if defined(MBEDTLS_PKCS1_V21) +#if defined(PSA_WANT_ALG_RSA_PSS) #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: break; @@ -2389,7 +2389,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: break; #endif /* PSA_WANT_ALG_SHA_512 */ -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* PSA_WANT_ALG_RSA_PSS */ default: return 0; } @@ -2401,7 +2401,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported( const uint16_t sig_alg) { switch (sig_alg) { -#if defined(MBEDTLS_PKCS1_V15) +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: break; @@ -2414,7 +2414,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported( case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: break; #endif /* PSA_WANT_ALG_SHA_512 */ -#endif /* MBEDTLS_PKCS1_V15 */ +#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ default: return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( sig_alg); @@ -2455,7 +2455,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( } switch (sig_alg) { -#if defined(MBEDTLS_PKCS1_V21) +#if defined(PSA_WANT_ALG_RSA_PSS) #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: *md_alg = MBEDTLS_MD_SHA256; @@ -2474,7 +2474,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( *pk_type = MBEDTLS_PK_RSASSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_512 */ -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* PSA_WANT_ALG_RSA_PSS */ default: return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; } diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 67a388567..d1bb553c6 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -327,10 +327,6 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference): 'Low and high error', 'Single low error' ], - # Similar to test_suite_error above. - 'test_suite_version': [ - 'Check for MBEDTLS_AES_C when already present', - ], # The en/decryption part of PKCS#12 is not supported so far. # The rest of PKCS#12 (key derivation) works though. 'test_suite_pkcs12': [ @@ -659,10 +655,6 @@ class DriverVSReference_block_cipher_dispatch(outcome_analysis.DriverVSReference 'Single low error', 'Low and high error', ], - 'test_suite_version': [ - # Similar to test_suite_error above. - 'Check for MBEDTLS_AES_C when already present', - ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index bb0375add..da776e70b 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -138,7 +138,6 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - scripts/config.py unset MBEDTLS_GENPRIME scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make @@ -310,7 +309,6 @@ component_test_full_no_cipher () { msg "build: full no CIPHER" scripts/config.py full - scripts/config.py unset MBEDTLS_CIPHER_C # The built-in implementation of the following algs/key-types depends # on CIPHER_C so we disable them. @@ -329,7 +327,6 @@ component_test_full_no_cipher () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES # The following modules directly depends on CIPHER_C - scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C make @@ -479,7 +476,6 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_VERSION_FEATURES # Crypto stuff with no PSA interface scripts/config.py unset MBEDTLS_BASE64_C - # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. scripts/config.py unset MBEDTLS_NIST_KW_C @@ -519,11 +515,6 @@ component_test_depends_py_cipher_chaining () { tests/scripts/depends.py cipher_chaining } -component_test_depends_py_cipher_padding () { - msg "test/build: depends.py cipher_padding (gcc)" - tests/scripts/depends.py cipher_padding -} - component_test_depends_py_curves () { msg "test/build: depends.py curves (gcc)" tests/scripts/depends.py curves @@ -1148,9 +1139,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { # on BIGNUM_C. scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Also disable key exchanges that depend on RSA scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -1425,12 +1413,6 @@ config_psa_crypto_accel_rsa () { helper_libtestdriver1_adjust_config "crypto_full" if [ "$driver_only" -eq 1 ]; then - # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_GENPRIME - # We need PEM parsing in the test library as well to support the import # of PEM encoded RSA keys. scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C @@ -1494,7 +1476,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () { # This is a temporary test to verify that full RSA support is present even when # only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. component_test_new_psa_want_key_pair_symbol () { - msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" + msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" # Create a temporary output file unless there is already one set if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then @@ -1509,11 +1491,8 @@ component_test_new_psa_want_key_pair_symbol () { scripts/config.py crypto # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure @@ -1524,7 +1503,7 @@ component_test_new_psa_want_key_pair_symbol () { make - msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" + msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" make test # Parse only 1 relevant line from the outcome file, i.e. a test which is @@ -1550,15 +1529,6 @@ component_test_psa_crypto_config_accel_hash () { # Start from default config (no USE_PSA) helper_libtestdriver1_adjust_config "default" - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C - # Build # ----- @@ -1588,14 +1558,7 @@ config_psa_crypto_hash_use_psa () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # disable the built-in implementation of hashes - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT fi } @@ -1676,11 +1639,9 @@ config_psa_crypto_hmac_use_psa () { # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT # is still enabled though (for ENTROPY_C among others). scripts/config.py unset MBEDTLS_MD_C - # Disable also the builtin hashes since they are supported by the driver - # and MD module is able to perform PSA dispathing. + # Also disable the configuration options that tune the builtin hashes, + # since those hashes are disabled. scripts/config.py unset-all MBEDTLS_SHA - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C fi # Direct dependencies of MD_C. We disable them also in the reference @@ -1747,11 +1708,6 @@ component_test_psa_crypto_config_accel_aead () { # Start from full config helper_libtestdriver1_adjust_config "full" - # Disable things that are being accelerated - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG @@ -1802,32 +1758,10 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { common_psa_crypto_config_accel_cipher_aead_cmac - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR - scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CHACHA20_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_POLY1305_C - # Disable DES, if it still exists. # This can be removed once we remove DES from the library. scripts/config.py unset PSA_WANT_KEY_TYPE_DES - # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA - # does not depend on it. - scripts/config.py unset MBEDTLS_CIPHER_C - # Build # ----- @@ -1887,14 +1821,6 @@ common_block_cipher_dispatch () { # Start from the full config helper_libtestdriver1_adjust_config "full" - if [ "$TEST_WITH_DRIVER" -eq 1 ]; then - # Disable key types that are accelerated (there is no legacy equivalent - # symbol for ECB) - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - fi - # Disable cipher's modes that, when not accelerated, cause # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". # Keep this also in the reference component in order to skip the same tests @@ -1999,7 +1925,6 @@ component_test_full_block_cipher_legacy_dispatch () { component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full - scripts/config.py unset MBEDTLS_CHACHAPOLY_C scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -2010,8 +1935,6 @@ component_test_aead_chachapoly_disabled () { component_test_aead_only_ccm () { msg "build: full minus CHACHAPOLY and GCM" scripts/config.py full - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py unset MBEDTLS_GCM_C scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -2137,16 +2060,12 @@ component_build_aes_variations () { # manually set or unset those configurations to check # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES - # Note: The two unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_DES_C build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_ROM_TABLES" \ @@ -2167,7 +2086,7 @@ END #define PSA_WANT_ALG_SHA3_256 1 #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 - #define MBEDTLS_AES_C + #define PSA_WANT_KEY_TYPE_AES 1 #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C @@ -2350,7 +2269,6 @@ helper_block_cipher_no_decrypt_build_test () { # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: config_block_cipher_no_decrypt () { scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_NIST_KW_C # Enable support for cryptographic mechanisms through the PSA API. @@ -2359,9 +2277,6 @@ config_block_cipher_no_decrypt () { scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES - # Note: The two unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_DES_C } component_test_block_cipher_no_decrypt_aesni () { @@ -2513,7 +2428,6 @@ component_build_psa_config_file () { # query_compile_time_config. echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h - echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index ff8315711..450bdebab 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -54,18 +54,11 @@ component_test_tls1_2_default_stream_cipher_only () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia)) - # Note: The unset below is to be removed for 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) @@ -90,13 +83,9 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia)) + # Enable CBC-legacy scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC @@ -123,13 +112,9 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia)) + # Enable CBC-legacy scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC @@ -399,8 +384,6 @@ component_test_when_no_ciphersuites_have_mac () { scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CMAC_C make @@ -472,7 +455,6 @@ component_test_tls13_only_psk () { # Note: The four unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -536,7 +518,6 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -566,7 +547,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () { # Note: The three unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -593,7 +573,6 @@ component_test_tls13_only_psk_all () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 7fccb2006..679f05af1 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -30,11 +30,11 @@ The configuration building method can be one of the three following: direct dependencies, but rather non-trivial results of other configs missing. Then look for any unset symbols and handle their reverse dependencies. Examples of EXCLUSIVE_GROUPS usage: - - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C + - PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C requires either SHA256 or SHA384 to work, so it also has to be disabled. - This is not a dependency on SHA512_C, but a result of an exclusive domain + This is not a dependency on SHA512, but a result of an exclusive domain config building method. Relevant field: - 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'], + 'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'], - DualDomain - combination of the two above - both complementary and exclusive domain job generation code will be run. Currently only used for hashes. @@ -251,34 +251,11 @@ and subsequent commands are tests that cannot run if the build failed).''' REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128', 'MBEDTLS_CTR_DRBG_C', - 'MBEDTLS_NIST_KW_C', - 'MBEDTLS_AES_C'], - 'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'], - 'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'], + 'MBEDTLS_NIST_KW_C'], 'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305', - 'PSA_WANT_ALG_STREAM_CIPHER', - 'MBEDTLS_CHACHA20_C', - 'MBEDTLS_CHACHAPOLY_C'], - 'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'], - 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG', - 'MBEDTLS_CCM_C'], - 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128', - 'MBEDTLS_CMAC_C'], - 'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'], - - 'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'], - 'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'], - 'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'], - 'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'], - - 'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C', - 'MBEDTLS_PKCS12_C', - 'PSA_WANT_ALG_CBC_PKCS7'], - 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'], + 'PSA_WANT_ALG_STREAM_CIPHER'], + 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], + 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], @@ -319,11 +296,9 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C', 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS', - 'MBEDTLS_X509_RSASSA_PSS_SUPPORT', - 'MBEDTLS_PKCS1_V21'], + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_PKCS1_V15'], + 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'], 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [ 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT', 'PSA_WANT_ALG_RSA_OAEP', @@ -331,29 +306,21 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE', - 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', - 'MBEDTLS_RSA_C'], + 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], - 'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'], - 'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'], - 'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'], 'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', - 'MBEDTLS_SHA224_C'], + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], 'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', 'MBEDTLS_LMS_C', 'MBEDTLS_LMS_PRIVATE', - 'MBEDTLS_SHA256_C', 'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'], - 'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'], 'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', - 'MBEDTLS_SHA512_C'], + 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], 'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'], } @@ -531,9 +498,6 @@ class DomainData: # Get cipher modes cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs} - # Find block padding mode enabling macros by name. - cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z') - self.domains = { # Cipher key types 'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test), @@ -544,9 +508,6 @@ class DomainData: build_and_test, exclude=r'PSA_WANT_ALG_XTS'), - 'cipher_padding': ExclusiveDomain(cipher_padding_symbols, - build_and_test), - # Elliptic curves. Run the test suites. 'curves': ExclusiveDomain(curve_symbols, build_and_test), @@ -639,8 +600,8 @@ def main(): description= "Test Mbed TLS with a subset of algorithms.\n\n" "Example usage:\n" - r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n" - "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n" + r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n" + "./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n" "./tests/scripts/depends.py cipher_id cipher_chaining\n") parser.add_argument('--color', metavar='WHEN', help='Colorize the output (always/auto/never)', diff --git a/tests/scripts/test_config_script.py b/tests/scripts/test_config_script.py index e500b3362..b58a3114c 100755 --- a/tests/scripts/test_config_script.py +++ b/tests/scripts/test_config_script.py @@ -130,7 +130,7 @@ def run_one(options, args, stem_prefix='', input_file=None): ### config.py stops handling that case correctly. TEST_SYMBOLS = [ 'CUSTOM_SYMBOL', # does not exist - 'MBEDTLS_AES_C', # set, no value + 'PSA_WANT_KEY_TYPE_AES', # set, no value 'MBEDTLS_MPI_MAX_SIZE', # unset, has a value 'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support" 'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options"