diff --git a/ChangeLog.d/check_config.txt b/ChangeLog.d/check_config.txt new file mode 100644 index 000000000..f9f44a4b8 --- /dev/null +++ b/ChangeLog.d/check_config.txt @@ -0,0 +1,5 @@ +Removals + * The header no longer exists. Including it + from a custom config file was no longer needed since Mbed TLS 3.0, + and could lead to spurious errors. The checks that it performed are + now done automatically when building the library. diff --git a/framework b/framework index 893ad9e84..87dbfb290 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 893ad9e8450a8e7459679d952abd5d6df26c41c4 +Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 534f01658..c6e89db67 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -85,6 +85,4 @@ */ #define MBEDTLS_CONFIG_IS_FINALIZED -#include "mbedtls/check_config.h" - #endif /* MBEDTLS_BUILD_INFO_H */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ddab7d0c3..d18d0fadb 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -255,7 +255,7 @@ * * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH * MBEDTLS_RSA_C - * MBEDTLS_PKCS1_V15 + * PSA_WANT_ALG_RSA_PKCS1V15_SIGN * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are @@ -331,7 +331,7 @@ * might still happen. For this reason, this is disabled by default. * * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE - * SHA-256 (via MBEDTLS_SHA256_C or a PSA driver) + * PSA_WANT_ALG_SHA_256 * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * This enables the following ciphersuites (if other requisites are @@ -446,7 +446,7 @@ * saved after the handshake to allow for more efficient serialization, so if * you don't need this feature you'll save RAM by disabling it. * - * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 * * Comment to disable the context serialization APIs. */ @@ -824,7 +824,7 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C + * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 */ #define MBEDTLS_SSL_TICKET_C @@ -859,7 +859,7 @@ * MBEDTLS_X509_CRT_PARSE_C * and at least one of: * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA - * MBEDTLS_PKCS1_V21 + * PSA_WANT_ALG_RSA_PSS * * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any @@ -903,7 +903,7 @@ * Caller: library/ssl*_client.c * library/ssl*_server.c * - * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines * * This module is required for SSL/TLS. @@ -1210,7 +1210,7 @@ * Enable parsing and verification of X.509 certificates, CRLs and CSRS * signed with RSASSA-PSS (aka PKCS#1 v2.1). * - * Requires: MBEDTLS_PKCS1_V21 + * Requires: PSA_WANT_ALG_RSA_PSS * * Comment this macro to disallow using RSASSA-PSS in certificates. */ diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 375ea60cb..d769ff218 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -11,6 +11,7 @@ #define MBEDTLS_OID_H #include "mbedtls/build_info.h" +#include "mbedtls/asn1.h" /* * Top level OID tuples diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 718e99eb4..837787bc7 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -60,7 +60,7 @@ void mbedtls_version_get_string_full(char *string); * support", "Mbed TLS modules" and "Mbed TLS feature * support" in mbedtls_config.h * - * \param feature The string for the define to check (e.g. "MBEDTLS_AES_C") + * \param feature The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C") * * \return 0 if the feature is present, * -1 if the feature is not present and diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index ee0381c03..5b8dc80b5 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -1,5 +1,6 @@ set(src_x509 error.c + mbedtls_config.c pkcs7.c x509.c x509_create.c diff --git a/library/Makefile b/library/Makefile index a880f2617..f8729344b 100644 --- a/library/Makefile +++ b/library/Makefile @@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS) OBJS_X509= \ + mbedtls_config.o \ x509.o \ x509_create.o \ x509_crl.o \ diff --git a/include/mbedtls/check_config.h b/library/mbedtls_check_config.h similarity index 100% rename from include/mbedtls/check_config.h rename to library/mbedtls_check_config.h diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c new file mode 100644 index 000000000..679f8e36f --- /dev/null +++ b/library/mbedtls_config.c @@ -0,0 +1,13 @@ +/* + * Mbed TLS configuration checks + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include + +/* Consistency checks in the configuration: check for incompatible options, + * missing options when at least one of a set needs to be enabled, etc. */ +#include "mbedtls_check_config.h" diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a462a07e7..72dc9418f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -10,7 +10,7 @@ #ifndef MBEDTLS_SSL_MISC_H #define MBEDTLS_SSL_MISC_H -#include "common.h" +#include "tf_psa_crypto_common.h" #include "mbedtls/build_info.h" #include "mbedtls/error.h" @@ -2376,7 +2376,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ #endif /* PSA_HAVE_ALG_SOME_ECDSA */ -#if defined(MBEDTLS_PKCS1_V21) +#if defined(PSA_WANT_ALG_RSA_PSS) #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: break; @@ -2389,7 +2389,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: break; #endif /* PSA_WANT_ALG_SHA_512 */ -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* PSA_WANT_ALG_RSA_PSS */ default: return 0; } @@ -2401,7 +2401,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported( const uint16_t sig_alg) { switch (sig_alg) { -#if defined(MBEDTLS_PKCS1_V15) +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: break; @@ -2414,7 +2414,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported( case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: break; #endif /* PSA_WANT_ALG_SHA_512 */ -#endif /* MBEDTLS_PKCS1_V15 */ +#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ default: return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( sig_alg); @@ -2455,7 +2455,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( } switch (sig_alg) { -#if defined(MBEDTLS_PKCS1_V21) +#if defined(PSA_WANT_ALG_RSA_PSS) #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: *md_alg = MBEDTLS_MD_SHA256; @@ -2474,7 +2474,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( *pk_type = MBEDTLS_PK_RSASSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_512 */ -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* PSA_WANT_ALG_RSA_PSS */ default: return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index b24492155..2129da122 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,8 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_ext(pk_alg, NULL, - peer_pk, + ret = mbedtls_pk_verify_new(pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 44525dd15..372bf8460 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,13 +300,13 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL, + if ((ret = mbedtls_pk_verify_new(sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { return 0; } - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret); error: /* RFC 8446 section 4.4.3 diff --git a/library/x509.c b/library/x509.c index f315821fd..03ca1b72e 100644 --- a/library/x509.c +++ b/library/x509.c @@ -24,6 +24,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include diff --git a/library/x509_create.c b/library/x509_create.c index 17fc8fbeb..09ac69d00 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -14,6 +14,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include "mbedtls/platform.h" diff --git a/library/x509_crt.c b/library/x509_crt.c index 4ac5d9b7e..7b65b698a 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -27,6 +27,7 @@ #include "x509_oid.h" #include "mbedtls/platform_util.h" +#include #include #if defined(MBEDTLS_PEM_PARSE_C) @@ -2060,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk, + if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2134,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk, + return mbedtls_pk_verify_new(child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } diff --git a/library/x509_internal.h b/library/x509_internal.h index 9360471b9..8160270be 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -10,7 +10,7 @@ #ifndef MBEDTLS_X509_INTERNAL_H #define MBEDTLS_X509_INTERNAL_H -#include "common.h" +#include "tf_psa_crypto_common.h" #include "mbedtls/build_info.h" #include "mbedtls/private_access.h" diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index 54b07b4dd..d5995aa19 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -31,18 +31,19 @@ foreach(exe IN LISTS executables_no_common_c executables_with_common_c) $ $) if(NOT FUZZINGENGINE_LIB) - list(APPEND exe_sources onefile.c) + list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_onefile.c) endif() # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3 list(FIND executables_with_common_c ${exe} exe_index) if(${exe_index} GREATER -1) - list(APPEND exe_sources common.c) + list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_common.c) endif() add_executable(${exe} ${exe_sources}) set_base_compile_options(${exe}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/ ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) if (NOT FUZZINGENGINE_LIB) diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile index 29483eafd..65ac6f894 100644 --- a/programs/fuzz/Makefile +++ b/programs/fuzz/Makefile @@ -3,7 +3,7 @@ MBEDTLS_TEST_PATH:=../../tests MBEDTLS_PATH := ../.. include ../../scripts/common.make -PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/programs/fuzz +PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz DEP=${MBEDLIBS} @@ -15,6 +15,8 @@ LOCAL_CFLAGS += -I$(PROGRAM_FUZZ_PATH) # A test application is built for each fuzz_*.c file. APPS = $(basename $(wildcard fuzz_*.c)) +APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_privkey.c) +APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_pubkey.c) # Construct executable name by adding OS specific suffix $(EXEXT). BINARIES := $(addsuffix $(EXEXT),$(APPS)) @@ -32,13 +34,13 @@ C_FILES := $(addsuffix .c,$(APPS)) ifdef FUZZINGENGINE -$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(DEP) - echo " $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" - $(CXX) $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(DEP) + echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ else -$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $(DEP) - echo " $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" - $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $(DEP) + echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ endif clean: diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c deleted file mode 100644 index 41fa858a4..000000000 --- a/programs/fuzz/common.c +++ /dev/null @@ -1,107 +0,0 @@ -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "common.h" -#include -#include -#include -#include -#include "mbedtls/ctr_drbg.h" - -#if defined(MBEDTLS_PLATFORM_TIME_ALT) -mbedtls_time_t dummy_constant_time(mbedtls_time_t *time) -{ - (void) time; - return 0x5af2a056; -} -#endif - -void dummy_init(void) -{ -#if defined(MBEDTLS_PLATFORM_TIME_ALT) - mbedtls_platform_set_time(dummy_constant_time); -#else - fprintf(stderr, "Warning: fuzzing without constant time\n"); -#endif -} - -int dummy_send(void *ctx, const unsigned char *buf, size_t len) -{ - //silence warning about unused parameter - (void) ctx; - (void) buf; - - //pretends we wrote everything ok - if (len > INT_MAX) { - return -1; - } - return (int) len; -} - -int fuzz_recv(void *ctx, unsigned char *buf, size_t len) -{ - //reads from the buffer from fuzzer - fuzzBufferOffset_t *biomemfuzz = (fuzzBufferOffset_t *) ctx; - - if (biomemfuzz->Offset == biomemfuzz->Size) { - //EOF - return 0; - } - if (len > INT_MAX) { - return -1; - } - if (len + biomemfuzz->Offset > biomemfuzz->Size) { - //do not overflow - len = biomemfuzz->Size - biomemfuzz->Offset; - } - memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len); - biomemfuzz->Offset += len; - return (int) len; -} - -int dummy_random(void *p_rng, unsigned char *output, size_t output_len) -{ - int ret; - size_t i; - -#if defined(MBEDTLS_CTR_DRBG_C) - //mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng - if (p_rng != NULL) { - //use mbedtls_ctr_drbg_random to find bugs in it - ret = mbedtls_ctr_drbg_random(p_rng, output, output_len); - } else { - //fall through to pseudo-random - ret = 0; - } -#else - (void) p_rng; - ret = 0; -#endif - for (i = 0; i < output_len; i++) { - //replace result with pseudo random - output[i] = (unsigned char) rand(); - } - return ret; -} - -int dummy_entropy(void *data, unsigned char *output, size_t len) -{ - size_t i; - (void) data; - - //use mbedtls_entropy_func to find bugs in it - //test performance impact of entropy - //ret = mbedtls_entropy_func(data, output, len); - for (i = 0; i < len; i++) { - //replace result with pseudo random - output[i] = (unsigned char) rand(); - } - return 0; -} - -int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len, - uint32_t timeout) -{ - (void) timeout; - - return fuzz_recv(ctx, buf, len); -} diff --git a/programs/fuzz/common.h b/programs/fuzz/common.h deleted file mode 100644 index 88dceacf7..000000000 --- a/programs/fuzz/common.h +++ /dev/null @@ -1,28 +0,0 @@ -#include "mbedtls/build_info.h" - -#if defined(MBEDTLS_HAVE_TIME) -#include "mbedtls/platform_time.h" -#endif -#include -#include - -typedef struct fuzzBufferOffset { - const uint8_t *Data; - size_t Size; - size_t Offset; -} fuzzBufferOffset_t; - -#if defined(MBEDTLS_HAVE_TIME) -mbedtls_time_t dummy_constant_time(mbedtls_time_t *time); -#endif -void dummy_init(void); - -int dummy_send(void *ctx, const unsigned char *buf, size_t len); -int fuzz_recv(void *ctx, unsigned char *buf, size_t len); -int dummy_random(void *p_rng, unsigned char *output, size_t output_len); -int dummy_entropy(void *data, unsigned char *output, size_t len); -int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len, - uint32_t timeout); - -/* Implemented in the fuzz_*.c sources and required by onefile.c */ -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 6d3b73fa9..440c0245f 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -4,7 +4,7 @@ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "test/certs.h" -#include "common.h" +#include "fuzz_common.h" #include #include #include diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index efe136227..7a1da13c3 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -3,7 +3,7 @@ #include #include #include -#include "common.h" +#include "fuzz_common.h" #include "mbedtls/ssl.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) #include "mbedtls/entropy.h" diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 31eb51427..98a70216e 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -3,7 +3,7 @@ #include #include #include -#include "common.h" +#include "fuzz_common.h" #include "mbedtls/ssl.h" #include "test/certs.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c index 9ec935179..f236190c2 100644 --- a/programs/fuzz/fuzz_pkcs7.c +++ b/programs/fuzz/fuzz_pkcs7.c @@ -2,7 +2,7 @@ #include #include "mbedtls/pkcs7.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index bb9dd0a58..05b7480cb 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -5,7 +5,7 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/ssl_ticket.h" #include "test/certs.h" -#include "common.h" +#include "fuzz_common.h" #include #include #include diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 2840fbbb0..92e0f5d12 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -2,7 +2,7 @@ #include #include "mbedtls/x509_crl.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index 29331b94d..c99ae2e7b 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -2,7 +2,7 @@ #include #include "mbedtls/x509_crt.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index e0aaabc01..4ab071f1c 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -2,7 +2,7 @@ #include #include "mbedtls/x509_csr.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/onefile.c b/programs/fuzz/onefile.c deleted file mode 100644 index 6c02a641d..000000000 --- a/programs/fuzz/onefile.c +++ /dev/null @@ -1,70 +0,0 @@ -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include -#include -#include -#include "common.h" - -/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway - * in case it contains platform-specific #defines related to malloc or - * stdio functions. */ -#include "mbedtls/build_info.h" - -int main(int argc, char **argv) -{ - FILE *fp; - uint8_t *Data; - size_t Size; - const char *argv0 = argv[0] == NULL ? "PROGRAM_NAME" : argv[0]; - - if (argc != 2) { - fprintf(stderr, "Usage: %s REPRODUCER_FILE\n", argv0); - return 1; - } - //opens the file, get its size, and reads it into a buffer - fp = fopen(argv[1], "rb"); - if (fp == NULL) { - fprintf(stderr, "%s: Error in fopen\n", argv0); - perror(argv[1]); - return 2; - } - if (fseek(fp, 0L, SEEK_END) != 0) { - fprintf(stderr, "%s: Error in fseek(SEEK_END)\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - Size = ftell(fp); - if (Size == (size_t) -1) { - fprintf(stderr, "%s: Error in ftell\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - if (fseek(fp, 0L, SEEK_SET) != 0) { - fprintf(stderr, "%s: Error in fseek(0)\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - Data = malloc(Size); - if (Data == NULL) { - fprintf(stderr, "%s: Could not allocate memory\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - if (fread(Data, Size, 1, fp) != 1) { - fprintf(stderr, "%s: Error in fread\n", argv0); - perror(argv[1]); - free(Data); - fclose(fp); - return 2; - } - - //launch fuzzer - LLVMFuzzerTestOneInput(Data, Size); - free(Data); - fclose(fp); - return 0; -} diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index 6aa60fbfb..f9a640252 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -293,7 +293,7 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor } mbedtls_pk_free(pk); mbedtls_pk_init(pk); - ret = mbedtls_pk_setup_opaque(pk, *key_id); + ret = mbedtls_pk_wrap_psa(pk, *key_id); if (ret != 0) { return ret; } diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 949708420..ca6e8b207 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -56,6 +56,7 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt ${CMAKE_CURRENT_BINARY_DIR}/query_config.c + WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../.. DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 6e9ebf9a2..c80a3f59f 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -16,6 +16,7 @@ #include "mbedtls/build_info.h" +#include #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt index 14522ecd2..69bec9fe4 100644 --- a/scripts/data_files/error.fmt +++ b/scripts/data_files/error.fmt @@ -5,7 +5,7 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#include "common.h" +#include "tf_psa_crypto_common.h" #include "mbedtls/error.h" diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt index 12517596d..603c7dd20 100644 --- a/scripts/data_files/query_config.fmt +++ b/scripts/data_files/query_config.fmt @@ -1,4 +1,4 @@ -/* +/* -*-c-*- * Query Mbed TLS compile time configurations from mbedtls_config.h * * Copyright The Mbed TLS Contributors @@ -10,73 +10,17 @@ #include "query_config.h" #include "mbedtls/platform.h" - -/* - * Include all the headers with public APIs in case they define a macro to its - * default value when that configuration is not set in mbedtls_config.h, or - * for PSA_WANT macros, in case they're auto-defined based on mbedtls_config.h - * rather than defined directly in crypto_config.h. - */ -#include "psa/crypto.h" - -#include "mbedtls/aes.h" -#include "mbedtls/aria.h" -#include "mbedtls/asn1.h" -#include "mbedtls/asn1write.h" -#include "mbedtls/base64.h" -#include "mbedtls/bignum.h" -#include "mbedtls/camellia.h" -#include "mbedtls/ccm.h" -#include "mbedtls/chacha20.h" -#include "mbedtls/chachapoly.h" -#include "mbedtls/cipher.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/debug.h" -#include "mbedtls/des.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecdsa.h" -#include "mbedtls/ecjpake.h" -#include "mbedtls/ecp.h" -#include "mbedtls/entropy.h" -#include "mbedtls/error.h" -#include "mbedtls/gcm.h" -#include "mbedtls/hmac_drbg.h" -#include "mbedtls/md.h" -#include "mbedtls/md5.h" -#include "mbedtls/memory_buffer_alloc.h" -#include "mbedtls/net_sockets.h" -#include "mbedtls/nist_kw.h" -#include "mbedtls/oid.h" -#include "mbedtls/pem.h" -#include "mbedtls/pk.h" -#include "mbedtls/pkcs12.h" -#include "mbedtls/pkcs5.h" -#if defined(MBEDTLS_HAVE_TIME) -#include "mbedtls/platform_time.h" -#endif -#include "mbedtls/platform_util.h" -#include "mbedtls/poly1305.h" -#include "mbedtls/ripemd160.h" -#include "mbedtls/rsa.h" -#include "mbedtls/sha1.h" -#include "mbedtls/sha256.h" -#include "mbedtls/sha512.h" -#include "mbedtls/ssl.h" -#include "mbedtls/ssl_cache.h" -#include "mbedtls/ssl_ciphersuites.h" -#include "mbedtls/ssl_cookie.h" -#include "mbedtls/ssl_ticket.h" -#include "mbedtls/threading.h" -#include "mbedtls/timing.h" -#include "mbedtls/version.h" -#include "mbedtls/x509.h" -#include "mbedtls/x509_crl.h" -#include "mbedtls/x509_crt.h" -#include "mbedtls/x509_csr.h" - #include +/* Work around https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/393 */ +#if defined(MBEDTLS_HAVE_TIME) +#include +#endif + +/* *INDENT-OFF* */ +INCLUDE_HEADERS +/* *INDENT-ON* */ + /* * Helper macros to convert a macro or its expansion into a string * WARNING: This does not work for expanding function-like macros. However, diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index 6a2f9cbdf..99128ca7a 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -49,6 +49,8 @@ if( @ARGV ) { or die "No arguments supplied, must be run from project root or a first-level subdirectory\n"; } } +-f 'include/mbedtls/build_info.h' + or die "$0: must be run from project root, or from a first-level subdirectory with no arguments\n"; # Excluded macros from the generated query_config.c. For example, macros that # have commas or function-like macros cannot be transformed into strings easily @@ -100,6 +102,34 @@ EOT close(CONFIG_FILE); } +# We need to include all the headers with public APIs in case they +# define a macro to its default value when that configuration is not +# set in a header included by build_info.h (crypto_config.h, +# mbedtls_config.h, *adjust*.h). Some module-specific macros are set +# in that module's header. For simplicity, include all headers, with +# some ad hoc knowledge of headers that are included by other headers +# and should not be included directly. We don't include internal headers +# because those should not define configurable macros. +my @header_files = (); +my @header_roots = qw( + include + tf-psa-crypto/include + tf-psa-crypto/drivers/builtin/include + ); +for my $root (@header_roots) { + my @paths = glob "$root/*/*.h $root/*/*/*.h"; + map {s!^\Q$root/!!} @paths; + # Exclude some headers that are included by build_info.h and cannot + # be included directly. + push @header_files, grep {!m[ + ^psa/crypto_(platform|struct)\.h$ | # have alt versions, included by psa/crypto.h anyway + ^mbedtls/platform_time\.h$ | # errors without time.h + _config\.h | + [/_]adjust[/_] + ]x} @paths; +} +my $include_headers = join('', map {"#include <$_>\n"} @header_files); + # Read the full format file into a string local $/; open(FORMAT_FILE, "<", $query_config_format_file) or die "Opening query config format file '$query_config_format_file': $!"; @@ -107,6 +137,7 @@ my $query_config_format = ; close(FORMAT_FILE); # Replace the body of the query_config() function with the code we just wrote +$query_config_format =~ s/INCLUDE_HEADERS/$include_headers/g; $query_config_format =~ s/CHECK_CONFIG/$config_check/g; $query_config_format =~ s/LIST_CONFIG/$list_config/g; diff --git a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c index 71173d2b5..87ef39a9e 100644 --- a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c +++ b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c @@ -12,13 +12,13 @@ * -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include * None of those cover tf-psa-crypto/core, so we rely on the * “-I$(MBEDTLS_ROOT_PATH)/include” entry plus a parent-relative - * include "../tf-psa-crypto/core/common.h" in order to pull in common.h here, + * include "../tf-psa-crypto/core/tf_psa_crypto_common.h" in order to pull in tf_psa_crypto_common.h here, * which in turn gets MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING (to silence the * new GCC-15 unterminated-string-initialization warning). * See GitHub issue #10223 for the proper long-term fix. * https://github.com/Mbed-TLS/mbedtls/issues/10223 */ -#include "../tf-psa-crypto/core/common.h" +#include "../tf-psa-crypto/core/tf_psa_crypto_common.h" #include #include #include diff --git a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c index 25c0b8a61..82bdca54d 100644 --- a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c +++ b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c @@ -4,7 +4,7 @@ */ #include "psa/crypto.h" -#include "../tf-psa-crypto/core/common.h" +#include "../tf-psa-crypto/core/tf_psa_crypto_common.h" #include #include #include diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 67a388567..d1bb553c6 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -327,10 +327,6 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference): 'Low and high error', 'Single low error' ], - # Similar to test_suite_error above. - 'test_suite_version': [ - 'Check for MBEDTLS_AES_C when already present', - ], # The en/decryption part of PKCS#12 is not supported so far. # The rest of PKCS#12 (key derivation) works though. 'test_suite_pkcs12': [ @@ -659,10 +655,6 @@ class DriverVSReference_block_cipher_dispatch(outcome_analysis.DriverVSReference 'Single low error', 'Low and high error', ], - 'test_suite_version': [ - # Similar to test_suite_error above. - 'Check for MBEDTLS_AES_C when already present', - ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh index 85731a171..c7d816189 100644 --- a/tests/scripts/components-basic-checks.sh +++ b/tests/scripts/components-basic-checks.sh @@ -123,4 +123,7 @@ component_check_test_helpers () { msg "unit test: translate_ciphers.py" python3 -m unittest framework/scripts/translate_ciphers.py 2>&1 + + msg "unit test: generate_config_checks.py" + tests/scripts/test_config_checks.py 2>&1 } diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index bb0375add..da776e70b 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -138,7 +138,6 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - scripts/config.py unset MBEDTLS_GENPRIME scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make @@ -310,7 +309,6 @@ component_test_full_no_cipher () { msg "build: full no CIPHER" scripts/config.py full - scripts/config.py unset MBEDTLS_CIPHER_C # The built-in implementation of the following algs/key-types depends # on CIPHER_C so we disable them. @@ -329,7 +327,6 @@ component_test_full_no_cipher () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES # The following modules directly depends on CIPHER_C - scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C make @@ -479,7 +476,6 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_VERSION_FEATURES # Crypto stuff with no PSA interface scripts/config.py unset MBEDTLS_BASE64_C - # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. scripts/config.py unset MBEDTLS_NIST_KW_C @@ -519,11 +515,6 @@ component_test_depends_py_cipher_chaining () { tests/scripts/depends.py cipher_chaining } -component_test_depends_py_cipher_padding () { - msg "test/build: depends.py cipher_padding (gcc)" - tests/scripts/depends.py cipher_padding -} - component_test_depends_py_curves () { msg "test/build: depends.py curves (gcc)" tests/scripts/depends.py curves @@ -1148,9 +1139,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { # on BIGNUM_C. scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Also disable key exchanges that depend on RSA scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -1425,12 +1413,6 @@ config_psa_crypto_accel_rsa () { helper_libtestdriver1_adjust_config "crypto_full" if [ "$driver_only" -eq 1 ]; then - # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_GENPRIME - # We need PEM parsing in the test library as well to support the import # of PEM encoded RSA keys. scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C @@ -1494,7 +1476,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () { # This is a temporary test to verify that full RSA support is present even when # only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. component_test_new_psa_want_key_pair_symbol () { - msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" + msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" # Create a temporary output file unless there is already one set if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then @@ -1509,11 +1491,8 @@ component_test_new_psa_want_key_pair_symbol () { scripts/config.py crypto # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure @@ -1524,7 +1503,7 @@ component_test_new_psa_want_key_pair_symbol () { make - msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" + msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" make test # Parse only 1 relevant line from the outcome file, i.e. a test which is @@ -1550,15 +1529,6 @@ component_test_psa_crypto_config_accel_hash () { # Start from default config (no USE_PSA) helper_libtestdriver1_adjust_config "default" - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C - # Build # ----- @@ -1588,14 +1558,7 @@ config_psa_crypto_hash_use_psa () { helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # disable the built-in implementation of hashes - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT fi } @@ -1676,11 +1639,9 @@ config_psa_crypto_hmac_use_psa () { # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT # is still enabled though (for ENTROPY_C among others). scripts/config.py unset MBEDTLS_MD_C - # Disable also the builtin hashes since they are supported by the driver - # and MD module is able to perform PSA dispathing. + # Also disable the configuration options that tune the builtin hashes, + # since those hashes are disabled. scripts/config.py unset-all MBEDTLS_SHA - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C fi # Direct dependencies of MD_C. We disable them also in the reference @@ -1747,11 +1708,6 @@ component_test_psa_crypto_config_accel_aead () { # Start from full config helper_libtestdriver1_adjust_config "full" - # Disable things that are being accelerated - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG @@ -1802,32 +1758,10 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { common_psa_crypto_config_accel_cipher_aead_cmac - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR - scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CHACHA20_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_POLY1305_C - # Disable DES, if it still exists. # This can be removed once we remove DES from the library. scripts/config.py unset PSA_WANT_KEY_TYPE_DES - # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA - # does not depend on it. - scripts/config.py unset MBEDTLS_CIPHER_C - # Build # ----- @@ -1887,14 +1821,6 @@ common_block_cipher_dispatch () { # Start from the full config helper_libtestdriver1_adjust_config "full" - if [ "$TEST_WITH_DRIVER" -eq 1 ]; then - # Disable key types that are accelerated (there is no legacy equivalent - # symbol for ECB) - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - fi - # Disable cipher's modes that, when not accelerated, cause # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". # Keep this also in the reference component in order to skip the same tests @@ -1999,7 +1925,6 @@ component_test_full_block_cipher_legacy_dispatch () { component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full - scripts/config.py unset MBEDTLS_CHACHAPOLY_C scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -2010,8 +1935,6 @@ component_test_aead_chachapoly_disabled () { component_test_aead_only_ccm () { msg "build: full minus CHACHAPOLY and GCM" scripts/config.py full - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py unset MBEDTLS_GCM_C scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -2137,16 +2060,12 @@ component_build_aes_variations () { # manually set or unset those configurations to check # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES - # Note: The two unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_DES_C build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_ROM_TABLES" \ @@ -2167,7 +2086,7 @@ END #define PSA_WANT_ALG_SHA3_256 1 #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 - #define MBEDTLS_AES_C + #define PSA_WANT_KEY_TYPE_AES 1 #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C @@ -2350,7 +2269,6 @@ helper_block_cipher_no_decrypt_build_test () { # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: config_block_cipher_no_decrypt () { scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_NIST_KW_C # Enable support for cryptographic mechanisms through the PSA API. @@ -2359,9 +2277,6 @@ config_block_cipher_no_decrypt () { scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES - # Note: The two unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_DES_C } component_test_block_cipher_no_decrypt_aesni () { @@ -2513,7 +2428,6 @@ component_build_psa_config_file () { # query_compile_time_config. echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h - echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index ff8315711..450bdebab 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -54,18 +54,11 @@ component_test_tls1_2_default_stream_cipher_only () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia)) - # Note: The unset below is to be removed for 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) @@ -90,13 +83,9 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia)) + # Enable CBC-legacy scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC @@ -123,13 +112,9 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia)) + # Enable CBC-legacy scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC @@ -399,8 +384,6 @@ component_test_when_no_ciphersuites_have_mac () { scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CMAC_C make @@ -472,7 +455,6 @@ component_test_tls13_only_psk () { # Note: The four unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -536,7 +518,6 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -566,7 +547,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () { # Note: The three unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" @@ -593,7 +573,6 @@ component_test_tls13_only_psk_all () { scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 7fccb2006..679f05af1 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -30,11 +30,11 @@ The configuration building method can be one of the three following: direct dependencies, but rather non-trivial results of other configs missing. Then look for any unset symbols and handle their reverse dependencies. Examples of EXCLUSIVE_GROUPS usage: - - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C + - PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C requires either SHA256 or SHA384 to work, so it also has to be disabled. - This is not a dependency on SHA512_C, but a result of an exclusive domain + This is not a dependency on SHA512, but a result of an exclusive domain config building method. Relevant field: - 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'], + 'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'], - DualDomain - combination of the two above - both complementary and exclusive domain job generation code will be run. Currently only used for hashes. @@ -251,34 +251,11 @@ and subsequent commands are tests that cannot run if the build failed).''' REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128', 'MBEDTLS_CTR_DRBG_C', - 'MBEDTLS_NIST_KW_C', - 'MBEDTLS_AES_C'], - 'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'], - 'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'], + 'MBEDTLS_NIST_KW_C'], 'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305', - 'PSA_WANT_ALG_STREAM_CIPHER', - 'MBEDTLS_CHACHA20_C', - 'MBEDTLS_CHACHAPOLY_C'], - 'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'], - 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG', - 'MBEDTLS_CCM_C'], - 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128', - 'MBEDTLS_CMAC_C'], - 'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'], - - 'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'], - 'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'], - 'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'], - 'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'], - - 'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C', - 'MBEDTLS_PKCS12_C', - 'PSA_WANT_ALG_CBC_PKCS7'], - 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'], + 'PSA_WANT_ALG_STREAM_CIPHER'], + 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], + 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], @@ -319,11 +296,9 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C', 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS', - 'MBEDTLS_X509_RSASSA_PSS_SUPPORT', - 'MBEDTLS_PKCS1_V21'], + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_PKCS1_V15'], + 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'], 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [ 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT', 'PSA_WANT_ALG_RSA_OAEP', @@ -331,29 +306,21 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE', - 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', - 'MBEDTLS_RSA_C'], + 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], - 'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'], - 'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'], - 'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'], 'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', - 'MBEDTLS_SHA224_C'], + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], 'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', 'MBEDTLS_LMS_C', 'MBEDTLS_LMS_PRIVATE', - 'MBEDTLS_SHA256_C', 'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'], - 'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'], 'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', - 'MBEDTLS_SHA512_C'], + 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], 'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'], } @@ -531,9 +498,6 @@ class DomainData: # Get cipher modes cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs} - # Find block padding mode enabling macros by name. - cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z') - self.domains = { # Cipher key types 'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test), @@ -544,9 +508,6 @@ class DomainData: build_and_test, exclude=r'PSA_WANT_ALG_XTS'), - 'cipher_padding': ExclusiveDomain(cipher_padding_symbols, - build_and_test), - # Elliptic curves. Run the test suites. 'curves': ExclusiveDomain(curve_symbols, build_and_test), @@ -639,8 +600,8 @@ def main(): description= "Test Mbed TLS with a subset of algorithms.\n\n" "Example usage:\n" - r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n" - "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n" + r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n" + "./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n" "./tests/scripts/depends.py cipher_id cipher_chaining\n") parser.add_argument('--color', metavar='WHEN', help='Colorize the output (always/auto/never)', diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py new file mode 100755 index 000000000..540144923 --- /dev/null +++ b/tests/scripts/test_config_checks.py @@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +"""Test the configuration checks generated by generate_config_checks.py. +""" + +## Copyright The Mbed TLS Contributors +## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import unittest + +import scripts_path # pylint: disable=unused-import +from mbedtls_framework import unittest_config_checks + + +class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): + """Mbed TLS unit tests for checks generated by config_checks_generator.""" + + #pylint: disable=invalid-name # uppercase letters make sense here + + PROJECT_CONFIG_C = 'library/mbedtls_config.c' + PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [ + 'tf-psa-crypto/include', + 'tf-psa-crypto/drivers/builtin/include', + ] + + @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.") + def test_crypto_no_fs_io(self) -> None: + """A sample error expected from crypto's check_config.h.""" + self.bad_case('#undef MBEDTLS_FS_IO', + None, + error=('MBEDTLS_PSA_ITS_FILE_C')) + + def test_mbedtls_no_session_tickets_for_early_data(self) -> None: + """An error expected from mbedtls_check_config.h based on the TLS configuration.""" + self.bad_case(None, + ''' + #define MBEDTLS_SSL_EARLY_DATA + #undef MBEDTLS_SSL_SESSION_TICKETS + ''', + error=('MBEDTLS_SSL_EARLY_DATA')) + + def test_mbedtls_no_ecdsa(self) -> None: + """An error expected from mbedtls_check_config.h based on crypto+TLS configuration.""" + self.bad_case(''' + #undef PSA_WANT_ALG_ECDSA + #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA + #undef MBEDTLS_ECDSA_C + ''', + ''' + #if defined(PSA_WANT_ALG_ECDSA) + #error PSA_WANT_ALG_ECDSA unexpected + #endif + #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA) + #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected + #endif + #if defined(MBEDTLS_ECDSA_C) + #error MBEDTLS_ECDSA_C unexpected + #endif + ''', + error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/scripts/test_config_script.py b/tests/scripts/test_config_script.py index e500b3362..b58a3114c 100755 --- a/tests/scripts/test_config_script.py +++ b/tests/scripts/test_config_script.py @@ -130,7 +130,7 @@ def run_one(options, args, stem_prefix='', input_file=None): ### config.py stops handling that case correctly. TEST_SYMBOLS = [ 'CUSTOM_SYMBOL', # does not exist - 'MBEDTLS_AES_C', # set, no value + 'PSA_WANT_KEY_TYPE_AES', # set, no value 'MBEDTLS_MPI_MAX_SIZE', # unset, has a value 'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support" 'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options" diff --git a/tests/src/certs.c b/tests/src/certs.c index f7a73bf74..c45f0628c 100644 --- a/tests/src/certs.c +++ b/tests/src/certs.c @@ -5,7 +5,7 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#include "common.h" +#include "tf_psa_crypto_common.h" #include diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index e6c082eac..1eca6e496 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -11,6 +11,8 @@ #include #include "mbedtls/psa_util.h" +#include + #if defined(MBEDTLS_SSL_TLS_C) int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len) { @@ -772,7 +774,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, TEST_EQUAL(mbedtls_pk_import_into_psa(ep->pkey, &key_attr, &key_slot), 0); mbedtls_pk_free(ep->pkey); mbedtls_pk_init(ep->pkey); - TEST_EQUAL(mbedtls_pk_setup_opaque(ep->pkey, key_slot), 0); + TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0); } #else (void) opaque_alg; diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 4dcd96722..3860076d2 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -47,7 +47,7 @@ depends_on:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server5 ECDSA, key_usage -depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256 x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0 Certificate Request check Server1, set_extension @@ -155,11 +155,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server5 ECDSA -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server5 ECDSA, Opaque -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server1 SHA1, SubjectAltNames @@ -337,4 +337,3 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F" OID from numeric string - OID with overflowing subidentifier oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:"" - diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 49ecc5427..e0aad90a0 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk, + if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; @@ -286,7 +286,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0); mbedtls_pk_free(&key); mbedtls_pk_init(&key); - TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0); + TEST_EQUAL(mbedtls_pk_wrap_psa(&key, key_id), 0); mbedtls_x509write_csr_set_md_alg(&req, md_type); mbedtls_x509write_csr_set_key(&req, &key); @@ -417,7 +417,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0); mbedtls_pk_free(&issuer_key); mbedtls_pk_init(&issuer_key); - TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0); + TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ diff --git a/tf-psa-crypto b/tf-psa-crypto index b1c98ebee..19edaa785 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit b1c98ebee82c1056cec0f64e24f1b780a5889a0d +Subproject commit 19edaa785dd71ec8f0c9f72235243314c3d895fa