cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-09-23 04:26:46 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10317 from ronald-cron-arm/legacy-crypto-options-cleanup

Browse Source 
Clean-up following the removal of crypto config options but ECC ones
This commit is contained in:
Ronald Cron 2025-07-25 15:11:34 +00:00 committed by GitHub
commit b23424cc61
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 36 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
include/mbedtls/mbedtls_config.h
View File

@ -255,7 +255,7 @@
*
* Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
* MBEDTLS_RSA_C
* MBEDTLS_PKCS1_V15
* PSA_WANT_ALG_RSA_PKCS1V15_SIGN
* MBEDTLS_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
@ -331,7 +331,7 @@
* might still happen. For this reason, this is disabled by default.
*
* Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE
* SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
* PSA_WANT_ALG_SHA_256
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
* This enables the following ciphersuites (if other requisites are
@ -446,7 +446,7 @@
* saved after the handshake to allow for more efficient serialization, so if
* you don't need this feature you'll save RAM by disabling it.
*
* Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
* Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
*
* Comment to disable the context serialization APIs.
*/
@ -824,7 +824,7 @@
* Module: library/ssl_ticket.c
* Caller:
*
* Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
* Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
*/
#define MBEDTLS_SSL_TICKET_C
@ -859,7 +859,7 @@
* MBEDTLS_X509_CRT_PARSE_C
* and at least one of:
* MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
* MBEDTLS_PKCS1_V21
* PSA_WANT_ALG_RSA_PSS
*
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
* If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
@ -903,7 +903,7 @@
* Caller: library/ssl*_client.c
* library/ssl*_server.c
*
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
* Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
* and at least one of the MBEDTLS_SSL_PROTO_XXX defines
*
* This module is required for SSL/TLS.
@ -1210,7 +1210,7 @@
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
* Requires: MBEDTLS_PKCS1_V21
* Requires: PSA_WANT_ALG_RSA_PSS
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/

2
include/mbedtls/version.h
View File

@ -60,7 +60,7 @@ void mbedtls_version_get_string_full(char *string);
* support", "Mbed TLS modules" and "Mbed TLS feature
* support" in mbedtls_config.h
*
* \param feature The string for the define to check (e.g. "MBEDTLS_AES_C")
* \param feature The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C")
*
* \return 0 if the feature is present,
* -1 if the feature is not present and

12
library/ssl_misc.h
View File

@ -2376,7 +2376,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* PSA_HAVE_ALG_SOME_ECDSA */
#if defined(MBEDTLS_PKCS1_V21)
#if defined(PSA_WANT_ALG_RSA_PSS)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
break;
@ -2389,7 +2389,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* MBEDTLS_PKCS1_V21 */
#endif /* PSA_WANT_ALG_RSA_PSS */
default:
return 0;
}
@ -2401,7 +2401,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
const uint16_t sig_alg)
{
switch (sig_alg) {
#if defined(MBEDTLS_PKCS1_V15)
#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
@ -2414,7 +2414,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* MBEDTLS_PKCS1_V15 */
#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
default:
return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
sig_alg);
@ -2455,7 +2455,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
}
switch (sig_alg) {
#if defined(MBEDTLS_PKCS1_V21)
#if defined(PSA_WANT_ALG_RSA_PSS)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
@ -2474,7 +2474,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* MBEDTLS_PKCS1_V21 */
#endif /* PSA_WANT_ALG_RSA_PSS */
default:
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}

8
tests/scripts/analyze_outcomes.py
View File

@ -327,10 +327,6 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference):
'Low and high error',
'Single low error'
],
# Similar to test_suite_error above.
'test_suite_version': [
'Check for MBEDTLS_AES_C when already present',
],
# The en/decryption part of PKCS#12 is not supported so far.
# The rest of PKCS#12 (key derivation) works though.
'test_suite_pkcs12': [
@ -659,10 +655,6 @@ class DriverVSReference_block_cipher_dispatch(outcome_analysis.DriverVSReference
'Single low error',
'Low and high error',
],
'test_suite_version': [
# Similar to test_suite_error above.
'Check for MBEDTLS_AES_C when already present',
],
'test_suite_platform': [
# Incompatible with sanitizers (e.g. ASan). If the driver
# component uses a sanitizer but the reference component

96
tests/scripts/components-configuration-crypto.sh
View File

@ -138,7 +138,6 @@ component_test_psa_crypto_without_heap() {
component_test_no_rsa_key_pair_generation () {
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
scripts/config.py unset MBEDTLS_GENPRIME
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
@ -310,7 +309,6 @@ component_test_full_no_cipher () {
msg "build: full no CIPHER"
scripts/config.py full
scripts/config.py unset MBEDTLS_CIPHER_C
# The built-in implementation of the following algs/key-types depends
# on CIPHER_C so we disable them.
@ -329,7 +327,6 @@ component_test_full_no_cipher () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# The following modules directly depends on CIPHER_C
scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_NIST_KW_C
make
@ -479,7 +476,6 @@ component_test_crypto_for_psa_service () {
scripts/config.py unset MBEDTLS_VERSION_FEATURES
# Crypto stuff with no PSA interface
scripts/config.py unset MBEDTLS_BASE64_C
# Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
# Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
scripts/config.py unset MBEDTLS_NIST_KW_C
@ -519,11 +515,6 @@ component_test_depends_py_cipher_chaining () {
tests/scripts/depends.py cipher_chaining
}
component_test_depends_py_cipher_padding () {
msg "test/build: depends.py cipher_padding (gcc)"
tests/scripts/depends.py cipher_padding
}
component_test_depends_py_curves () {
msg "test/build: depends.py curves (gcc)"
tests/scripts/depends.py curves
@ -1148,9 +1139,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
# on BIGNUM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Also disable key exchanges that depend on RSA
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@ -1425,12 +1413,6 @@ config_psa_crypto_accel_rsa () {
helper_libtestdriver1_adjust_config "crypto_full"
if [ "$driver_only" -eq 1 ]; then
# Remove RSA support and its dependencies
scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_GENPRIME
# We need PEM parsing in the test library as well to support the import
# of PEM encoded RSA keys.
scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
@ -1494,7 +1476,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () {
# This is a temporary test to verify that full RSA support is present even when
# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
component_test_new_psa_want_key_pair_symbol () {
msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
# Create a temporary output file unless there is already one set
if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
@ -1509,11 +1491,8 @@ component_test_new_psa_want_key_pair_symbol () {
scripts/config.py crypto
# Remove RSA support and its dependencies
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
@ -1524,7 +1503,7 @@ component_test_new_psa_want_key_pair_symbol () {
make
msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
make test
# Parse only 1 relevant line from the outcome file, i.e. a test which is
@ -1550,15 +1529,6 @@ component_test_psa_crypto_config_accel_hash () {
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
scripts/config.py unset MBEDTLS_SHA1_C
scripts/config.py unset MBEDTLS_SHA224_C
scripts/config.py unset MBEDTLS_SHA256_C
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
# Build
# -----
@ -1588,14 +1558,7 @@ config_psa_crypto_hash_use_psa () {
helper_libtestdriver1_adjust_config "full"
if [ "$driver_only" -eq 1 ]; then
# disable the built-in implementation of hashes
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
scripts/config.py unset MBEDTLS_SHA1_C
scripts/config.py unset MBEDTLS_SHA224_C
scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
fi
}
@ -1676,11 +1639,9 @@ config_psa_crypto_hmac_use_psa () {
# Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
# is still enabled though (for ENTROPY_C among others).
scripts/config.py unset MBEDTLS_MD_C
# Disable also the builtin hashes since they are supported by the driver
# and MD module is able to perform PSA dispathing.
# Also disable the configuration options that tune the builtin hashes,
# since those hashes are disabled.
scripts/config.py unset-all MBEDTLS_SHA
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
fi
# Direct dependencies of MD_C. We disable them also in the reference
@ -1747,11 +1708,6 @@ component_test_psa_crypto_config_accel_aead () {
# Start from full config
helper_libtestdriver1_adjust_config "full"
# Disable things that are being accelerated
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
# Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
@ -1802,32 +1758,10 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () {
common_psa_crypto_config_accel_cipher_aead_cmac
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_DES_C
scripts/config.py unset MBEDTLS_AES_C
scripts/config.py unset MBEDTLS_ARIA_C
scripts/config.py unset MBEDTLS_CHACHA20_C
scripts/config.py unset MBEDTLS_CAMELLIA_C
scripts/config.py unset MBEDTLS_POLY1305_C
# Disable DES, if it still exists.
# This can be removed once we remove DES from the library.
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
# Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
# does not depend on it.
scripts/config.py unset MBEDTLS_CIPHER_C
# Build
# -----
@ -1887,14 +1821,6 @@ common_block_cipher_dispatch () {
# Start from the full config
helper_libtestdriver1_adjust_config "full"
if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
# Disable key types that are accelerated (there is no legacy equivalent
# symbol for ECB)
scripts/config.py unset MBEDTLS_AES_C
scripts/config.py unset MBEDTLS_ARIA_C
scripts/config.py unset MBEDTLS_CAMELLIA_C
fi
# Disable cipher's modes that, when not accelerated, cause
# legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
# Keep this also in the reference component in order to skip the same tests
@ -1999,7 +1925,6 @@ component_test_full_block_cipher_legacy_dispatch () {
component_test_aead_chachapoly_disabled () {
msg "build: full minus CHACHAPOLY"
scripts/config.py full
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@ -2010,8 +1935,6 @@ component_test_aead_chachapoly_disabled () {
component_test_aead_only_ccm () {
msg "build: full minus CHACHAPOLY and GCM"
scripts/config.py full
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@ -2137,16 +2060,12 @@ component_build_aes_variations () {
# manually set or unset those configurations to check
# MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_DES_C
build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
"MBEDTLS_AES_ROM_TABLES" \
@ -2167,7 +2086,7 @@ END
#define PSA_WANT_ALG_SHA3_256 1
#define PSA_WANT_ALG_SHA3_384 1
#define PSA_WANT_ALG_SHA3_512 1
#define MBEDTLS_AES_C
#define PSA_WANT_KEY_TYPE_AES 1
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PSA_CRYPTO_C
@ -2350,7 +2269,6 @@ helper_block_cipher_no_decrypt_build_test () {
# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
config_block_cipher_no_decrypt () {
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
# Enable support for cryptographic mechanisms through the PSA API.
@ -2359,9 +2277,6 @@ config_block_cipher_no_decrypt () {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_DES_C
}
component_test_block_cipher_no_decrypt_aesni () {
@ -2513,7 +2428,6 @@ component_build_psa_config_file () {
# query_compile_time_config.
echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h
make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC

25
tests/scripts/components-configuration-tls.sh
View File

@ -54,18 +54,11 @@ component_test_tls1_2_default_stream_cipher_only () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
# Note: The unset below is to be removed for 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@ -90,13 +83,9 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
# Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@ -123,13 +112,9 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
# Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
@ -399,8 +384,6 @@ component_test_when_no_ciphersuites_have_mac () {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CMAC_C
make
@ -472,7 +455,6 @@ component_test_tls13_only_psk () {
# Note: The four unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -536,7 +518,6 @@ component_test_tls13_only_psk_ephemeral () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -566,7 +547,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -593,7 +573,6 @@ component_test_tls13_only_psk_all () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

67
tests/scripts/depends.py
View File

@ -30,11 +30,11 @@ The configuration building method can be one of the three following:
direct dependencies, but rather non-trivial results of other configs missing. Then
look for any unset symbols and handle their reverse dependencies.
Examples of EXCLUSIVE_GROUPS usage:
- MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
- PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
requires either SHA256 or SHA384 to work, so it also has to be disabled.
This is not a dependency on SHA512_C, but a result of an exclusive domain
This is not a dependency on SHA512, but a result of an exclusive domain
config building method. Relevant field:
'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'],
'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'],
- DualDomain - combination of the two above - both complementary and exclusive domain
job generation code will be run. Currently only used for hashes.
@ -251,34 +251,11 @@ and subsequent commands are tests that cannot run if the build failed).'''
REVERSE_DEPENDENCIES = {
'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
'MBEDTLS_CTR_DRBG_C',
'MBEDTLS_NIST_KW_C',
'MBEDTLS_AES_C'],
'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'],
'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'],
'MBEDTLS_NIST_KW_C'],
'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305',
'PSA_WANT_ALG_STREAM_CIPHER',
'MBEDTLS_CHACHA20_C',
'MBEDTLS_CHACHAPOLY_C'],
'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'],
'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG',
'MBEDTLS_CCM_C'],
'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
'MBEDTLS_CMAC_C'],
'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'],
'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'],
'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'],
'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'],
'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'],
'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'],
'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'],
'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C',
'MBEDTLS_PKCS12_C',
'PSA_WANT_ALG_CBC_PKCS7'],
'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'],
'PSA_WANT_ALG_STREAM_CIPHER'],
'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
@ -319,11 +296,9 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C',
'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS',
'MBEDTLS_X509_RSASSA_PSS_SUPPORT',
'MBEDTLS_PKCS1_V21'],
'MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN',
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_PKCS1_V15'],
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_ALG_RSA_OAEP',
@ -331,29 +306,21 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_RSA_C'],
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'],
'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'],
'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'],
'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_SHA224_C'],
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_LMS_C',
'MBEDTLS_LMS_PRIVATE',
'MBEDTLS_SHA256_C',
'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'],
'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'],
'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
'MBEDTLS_SHA512_C'],
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'],
'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'],
}
@ -531,9 +498,6 @@ class DomainData:
# Get cipher modes
cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs}
# Find block padding mode enabling macros by name.
cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z')
self.domains = {
# Cipher key types
'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test),
@ -544,9 +508,6 @@ class DomainData:
build_and_test,
exclude=r'PSA_WANT_ALG_XTS'),
'cipher_padding': ExclusiveDomain(cipher_padding_symbols,
build_and_test),
# Elliptic curves. Run the test suites.
'curves': ExclusiveDomain(curve_symbols, build_and_test),
@ -639,8 +600,8 @@ def main():
description=
"Test Mbed TLS with a subset of algorithms.\n\n"
"Example usage:\n"
r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n"
"./tests/scripts/depends.py MBEDTLS_AES_C hashes\n"
r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n"
"./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n"
"./tests/scripts/depends.py cipher_id cipher_chaining\n")
parser.add_argument('--color', metavar='WHEN',
help='Colorize the output (always/auto/never)',

2
tests/scripts/test_config_script.py
View File

@ -130,7 +130,7 @@ def run_one(options, args, stem_prefix='', input_file=None):
### config.py stops handling that case correctly.
TEST_SYMBOLS = [
'CUSTOM_SYMBOL', # does not exist
'MBEDTLS_AES_C', # set, no value
'PSA_WANT_KEY_TYPE_AES', # set, no value
'MBEDTLS_MPI_MAX_SIZE', # unset, has a value
'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support"
'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options"