From 306ffd3a369a33d492543af24fc7da8170dfe0af Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Mon, 7 Jul 2025 09:41:34 +0100
Subject: [PATCH 01/36] Switch to mbedtls_pk_verify_new
Signed-off-by: Ben Taylor
---
library/ssl_tls12_client.c | 3 +--
library/ssl_tls13_generic.c | 2 +-
library/x509_crt.c | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index b24492155..2129da122 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2082,8 +2082,7 @@ start_processing:
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- ret = mbedtls_pk_verify_ext(pk_alg, NULL,
- peer_pk,
+ ret = mbedtls_pk_verify_new(pk_alg, peer_pk,
 md_alg, hash, hashlen,
 p, sig_len);
 } else
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 44525dd15..f5cdc65e5 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
- if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
+ if ((ret = mbedtls_pk_verify_new(sig_alg,
 &ssl->session_negotiate->peer_cert->pk,
 md_alg, verify_hash, verify_hash_len,
 p, signature_len)) == 0) {
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 4ac5d9b7e..3947eb09a 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2060,7 +2060,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
 flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 }
- if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
+ if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk,
 crl_list->sig_md, hash, hash_length,
 crl_list->sig.p, crl_list->sig.len) != 0) {
 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2134,7 +2134,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
 (void) rs_ctx;
 #endif
- return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
+ return mbedtls_pk_verify_new(child->sig_pk, &parent->pk,
 child->sig_md, hash, hash_len,
 child->sig.p, child->sig.len);
 }
From 0de87611bbbac901376249f44a6ace45be661466 Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Mon, 14 Jul 2025 08:27:01 +0100
Subject: [PATCH 02/36] Remove additional calls to mbedtls_pk_verify_ext
Signed-off-by: Ben Taylor
---
library/ssl_tls13_generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f5cdc65e5..372bf8460 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -306,7 +306,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
 p, signature_len)) == 0) {
 return 0;
 }
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret);
 error:
 /* RFC 8446 section 4.4.3
From 0c787e3de84c77075fbecf006d16e1253bd8be99 Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Mon, 14 Jul 2025 08:33:24 +0100
Subject: [PATCH 03/36] Remove additional calls to mbedtls_pk_verify_ext
Signed-off-by: Ben Taylor
---
tests/suites/test_suite_x509write.function | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 49ecc5427..b7e531e65 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
 goto cleanup;
 }
- if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk,
+ if (mbedtls_pk_verify_new(csr.sig_pk, NULL, &csr.pk,
 csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
 csr.sig.p, csr.sig.len) != 0) {
 ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
From 5be8511151e8a982b87165452dca532fc01d3f9f Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Thu, 17 Jul 2025 10:05:23 +0100
Subject: [PATCH 04/36] Fix too many arguments in mbedtls_pk_verify_new
Signed-off-by: Ben Taylor
---
tests/suites/test_suite_x509write.function | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index b7e531e65..db571dab6 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
 goto cleanup;
 }
- if (mbedtls_pk_verify_new(csr.sig_pk, NULL, &csr.pk,
+ if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk,
 csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
 csr.sig.p, csr.sig.len) != 0) {
 ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
From 27125ceacfd0f97294d34d519ed2fbd945668a71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?=
Date: Fri, 18 Jul 2025 19:10:04 +0200
Subject: [PATCH 05/36] Update references to tf-psa-crypto/core/common.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit was generated using the following command:
sed -i 's/\(^\|[^_]\)common\.h/\1tf_psa_crypto_common.h/g' \
$(git ls-files . \
':!:programs/fuzz' \
':!:tests/psa-client-server' \
':!:tf-psa-crypto' \
':!:framework') \
$(git grep -l 'tf-psa-crypto/core/common.h')
Signed-off-by: Bence Szépkúti
---
library/ssl_misc.h | 2 +-
library/x509_internal.h | 2 +-
scripts/data_files/error.fmt | 2 +-
.../psasim/src/aut_psa_aead_encrypt_decrypt.c | 4 ++--
.../psasim/src/aut_psa_cipher_encrypt_decrypt.c | 2 +-
tests/src/certs.c | 2 +-
6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a462a07e7..a30871175 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -10,7 +10,7 @@
 #ifndef MBEDTLS_SSL_MISC_H
 #define MBEDTLS_SSL_MISC_H
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 #include "mbedtls/build_info.h"
 #include "mbedtls/error.h"
diff --git a/library/x509_internal.h b/library/x509_internal.h
index 9360471b9..8160270be 100644
--- a/library/x509_internal.h
+++ b/library/x509_internal.h
@@ -10,7 +10,7 @@
 #ifndef MBEDTLS_X509_INTERNAL_H
 #define MBEDTLS_X509_INTERNAL_H
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 #include "mbedtls/build_info.h"
 #include "mbedtls/private_access.h"
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index 14522ecd2..69bec9fe4 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -5,7 +5,7 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 #include "mbedtls/error.h"
diff --git a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
index 71173d2b5..87ef39a9e 100644
--- a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
+++ b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
@@ -12,13 +12,13 @@
 * -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
 * None of those cover tf-psa-crypto/core, so we rely on the
 * “-I$(MBEDTLS_ROOT_PATH)/include” entry plus a parent-relative
- * include "../tf-psa-crypto/core/common.h" in order to pull in common.h here,
+ * include "../tf-psa-crypto/core/tf_psa_crypto_common.h" in order to pull in tf_psa_crypto_common.h here,
 * which in turn gets MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING (to silence the
 * new GCC-15 unterminated-string-initialization warning).
 * See GitHub issue #10223 for the proper long-term fix.
 * https://github.com/Mbed-TLS/mbedtls/issues/10223
 */
-#include "../tf-psa-crypto/core/common.h"
+#include "../tf-psa-crypto/core/tf_psa_crypto_common.h"
 #include
 #include
 #include
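Review bot: The mechanically rewritten comment line `* include "../tf-psa-crypto/core/tf_psa_crypto_common.h" in order to pull in tf_psa_crypto_common.h here,` in aut_psa_aead_encrypt_decrypt.c is now far wider than the rest of the comment block and repeats the header name twice in one line. Since the sed rewrite is otherwise faithful, only this line needs a manual touch; wrapping it as `* include "../tf-psa-crypto/core/tf_psa_crypto_common.h" in order to` followed by `* pull in tf_psa_crypto_common.h here,` keeps the block readable. The three `#include` directives that follow appear with their header names stripped in this rendering, so their content cannot be checked from here.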
diff --git a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
index 25c0b8a61..82bdca54d 100644
--- a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
+++ b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
@@ -4,7 +4,7 @@
 */
 #include "psa/crypto.h"
-#include "../tf-psa-crypto/core/common.h"
+#include "../tf-psa-crypto/core/tf_psa_crypto_common.h"
 #include
 #include
 #include
diff --git a/tests/src/certs.c b/tests/src/certs.c
index f7a73bf74..c45f0628c 100644
--- a/tests/src/certs.c
+++ b/tests/src/certs.c
@@ -5,7 +5,7 @@
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 #include
From e6167e7a51569ae6f67756df9885fe9513fdeadb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?=
Date: Fri, 18 Jul 2025 19:06:18 +0200
Subject: [PATCH 06/36] Update tf-psa-crypto submodule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Bence Szépkúti
---
tf-psa-crypto | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tf-psa-crypto b/tf-psa-crypto
index b1c98ebee..a0ff5d648 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit b1c98ebee82c1056cec0f64e24f1b780a5889a0d
+Subproject commit a0ff5d64831aad7d19aa7e02eb8af065e07506f2
From 89becc987f6452410a473566920a689c60e28aea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?=
Date: Tue, 22 Jul 2025 10:26:44 +0200
Subject: [PATCH 07/36] Update framework submodule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Bence Szépkúti
---
framework | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework b/framework
index 893ad9e84..df3307f2b 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 893ad9e8450a8e7459679d952abd5d6df26c41c4
+Subproject commit df3307f2b4fe512def60886024f7be8fd1523ccd
From 772a8ad219e38512fe78c638ddc69539c2fb6c7e Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 21 Jul 2025 12:36:29 +0200
Subject: [PATCH 08/36] all.sh: Remove unset of now removed legacy hash config options
Signed-off-by: Ronald Cron
---
.../components-configuration-crypto.sh | 22 ++-----------------
1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index bb0375add..61a043d40 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -1550,15 +1550,6 @@ component_test_psa_crypto_config_accel_hash () {
 # Start from default config (no USE_PSA)
 helper_libtestdriver1_adjust_config "default"
- # Disable the things that are being accelerated
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
- scripts/config.py unset MBEDTLS_SHA1_C
- scripts/config.py unset MBEDTLS_SHA224_C
- scripts/config.py unset MBEDTLS_SHA256_C
- scripts/config.py unset MBEDTLS_SHA384_C
- scripts/config.py unset MBEDTLS_SHA512_C
-
 # Build
 # -----
@@ -1588,14 +1579,7 @@ config_psa_crypto_hash_use_psa () {
 helper_libtestdriver1_adjust_config "full"
 if [ "$driver_only" -eq 1 ]; then
 # disable the built-in implementation of hashes
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
- scripts/config.py unset MBEDTLS_SHA1_C
- scripts/config.py unset MBEDTLS_SHA224_C
- scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
- scripts/config.py unset MBEDTLS_SHA384_C
- scripts/config.py unset MBEDTLS_SHA512_C
 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
 fi
 }
@@ -1676,11 +1660,9 @@ config_psa_crypto_hmac_use_psa () {
 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
 # is still enabled though (for ENTROPY_C among others).
 scripts/config.py unset MBEDTLS_MD_C
- # Disable also the builtin hashes since they are supported by the driver
- # and MD module is able to perform PSA dispathing.
+ # Also disable the configuration options that tune the builtin hashes,
+ # since those hashes are disabled.
 scripts/config.py unset-all MBEDTLS_SHA
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
 fi
 # Direct dependencies of MD_C. We disable them also in the reference
From 8719c2f00bbd0e27e83f83294e5271e48fe1a48c Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 22 Jul 2025 11:27:39 +0200
Subject: [PATCH 09/36] ssl_misc.h: Update PKCS1 dependencies
Signed-off-by: Ronald Cron
---
library/ssl_misc.h | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a30871175..72dc9418f 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2376,7 +2376,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 #endif /* PSA_HAVE_ALG_SOME_ECDSA */
-#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_RSA_PSS)
 #if defined(PSA_WANT_ALG_SHA_256)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
 break;
@@ -2389,7 +2389,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
 break;
 #endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
+#endif /* PSA_WANT_ALG_RSA_PSS */
 default:
 return 0;
 }
@@ -2401,7 +2401,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
 const uint16_t sig_alg)
 {
 switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V15)
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
 #if defined(PSA_WANT_ALG_SHA_256)
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
 break;
@@ -2414,7 +2414,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
 break;
 #endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V15 */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
 default:
 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 sig_alg);
@@ -2455,7 +2455,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
 }
 switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_RSA_PSS)
 #if defined(PSA_WANT_ALG_SHA_256)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
 *md_alg = MBEDTLS_MD_SHA256;
@@ -2474,7 +2474,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
 *pk_type = MBEDTLS_PK_RSASSA_PSS;
 break;
 #endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
+#endif /* PSA_WANT_ALG_RSA_PSS */
 default:
 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
 }
From 892bb612946a48c4b9a5f489522347eb590f3f85 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 21 Jul 2025 14:26:27 +0200
Subject: [PATCH 10/36] all.sh: Remove unset of now removed legacy RSA config options
Signed-off-by: Ronald Cron
---
.../scripts/components-configuration-crypto.sh | 17 ++---------------
tests/scripts/components-configuration-tls.sh | 4 ----
2 files changed, 2 insertions(+), 19 deletions(-)
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 61a043d40..faca87206 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -138,7 +138,6 @@ component_test_psa_crypto_without_heap() {
 component_test_no_rsa_key_pair_generation () {
 msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
- scripts/config.py unset MBEDTLS_GENPRIME
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 make
@@ -1148,9 +1147,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
 # on BIGNUM_C.
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
 # Also disable key exchanges that depend on RSA
 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -1425,12 +1421,6 @@ config_psa_crypto_accel_rsa () {
 helper_libtestdriver1_adjust_config "crypto_full"
 if [ "$driver_only" -eq 1 ]; then
- # Remove RSA support and its dependencies
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
- scripts/config.py unset MBEDTLS_GENPRIME
-
 # We need PEM parsing in the test library as well to support the import
 # of PEM encoded RSA keys.
 scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
@@ -1494,7 +1484,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () {
 # This is a temporary test to verify that full RSA support is present even when
 # only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
 component_test_new_psa_want_key_pair_symbol () {
- msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
+ msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
 # Create a temporary output file unless there is already one set
 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
@@ -1509,11 +1499,8 @@ component_test_new_psa_want_key_pair_symbol () {
 scripts/config.py crypto
 # Remove RSA support and its dependencies
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_RSA_C
 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
@@ -1524,7 +1511,7 @@ component_test_new_psa_want_key_pair_symbol () {
 make
- msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
+ msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
 make test
 # Parse only 1 relevant line from the outcome file, i.e. a test which is
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index ff8315711..f9678b98f 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -472,7 +472,6 @@ component_test_tls13_only_psk () {
 # Note: The four unsets below are to be removed for Mbed TLS 4.0
 scripts/config.py unset MBEDTLS_ECDH_C
 scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@@ -536,7 +535,6 @@ component_test_tls13_only_psk_ephemeral () {
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
 # Note: The two unsets below are to be removed for Mbed TLS 4.0
 scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
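Review bot: The comment `# Note: The four unsets below are to be removed for Mbed TLS 4.0` in component_test_tls13_only_psk keeps its old count after `scripts/config.py unset MBEDTLS_PKCS1_V21` is deleted, so it now claims one more unset than the function performs. The same stale counts survive in component_test_tls13_only_psk_ephemeral (`The two unsets below`, one left), component_test_tls13_only_psk_ephemeral_ffdh (`The three unsets below`, two left) and component_test_tls13_only_psk_all (`The two unsets below`, one left) in the following hunks. Either correct each number or drop it, e.g. `# Note: The unsets below are to be removed for Mbed TLS 4.0`, so the comment does not have to be maintained again when the next legacy option goes.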
@@ -566,7 +564,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
 # Note: The three unsets below are to be removed for Mbed TLS 4.0
 scripts/config.py unset MBEDTLS_ECDH_C
 scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@@ -593,7 +590,6 @@ component_test_tls13_only_psk_all () {
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
 # Note: The two unsets below are to be removed for Mbed TLS 4.0
 scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
From e13c7015ea8309c59c17bf611103b3ac19c8bd9c Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 21 Jul 2025 14:22:59 +0200
Subject: [PATCH 11/36] all.sh: Remove unset of now removed legacy symmetric crypto options
Signed-off-by: Ronald Cron
---
.../components-configuration-crypto.sh | 50 -------------------
tests/scripts/components-configuration-tls.sh | 21 +-------
2 files changed, 2 insertions(+), 69 deletions(-)
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index faca87206..6cf8cd915 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -309,7 +309,6 @@ component_test_full_no_cipher () {
 msg "build: full no CIPHER"
 scripts/config.py full
- scripts/config.py unset MBEDTLS_CIPHER_C
 # The built-in implementation of the following algs/key-types depends
 # on CIPHER_C so we disable them.
@@ -328,7 +327,6 @@ component_test_full_no_cipher () {
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
 # The following modules directly depends on CIPHER_C
- scripts/config.py unset MBEDTLS_CMAC_C
 scripts/config.py unset MBEDTLS_NIST_KW_C
 make
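Review bot: component_test_full_no_cipher still announces `msg "build: full no CIPHER"` and keeps the comments `# on CIPHER_C so we disable them.` and `# The following modules directly depends on CIPHER_C`, while the one line that actually unset MBEDTLS_CIPHER_C is removed in this hunk. If the option no longer exists, as the commit message and the removed `# Keep MBEDTLS_CIPHER_C because ...` comment in component_test_crypto_for_psa_service in the next hunk suggest, the component name and those comments describe a build the script can no longer select. I would reword them to state which PSA_WANT symbols are disabled and why, and add a single line such as `# MBEDTLS_CIPHER_C is no longer a configuration option; only the PSA_WANT symbols below are disabled here` so the component is not misread as a legacy cipher-less build. The body of the function continues between and beyond the two hunks.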
@@ -478,7 +476,6 @@ component_test_crypto_for_psa_service () {
 scripts/config.py unset MBEDTLS_VERSION_FEATURES
 # Crypto stuff with no PSA interface
 scripts/config.py unset MBEDTLS_BASE64_C
- # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
 scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -1716,11 +1713,6 @@ component_test_psa_crypto_config_accel_aead () {
 # Start from full config
 helper_libtestdriver1_adjust_config "full"
- # Disable things that are being accelerated
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-
 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
@@ -1771,32 +1763,10 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () {
 common_psa_crypto_config_accel_cipher_aead_cmac
- # Disable the things that are being accelerated
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
- scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
- scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_CMAC_C
- scripts/config.py unset MBEDTLS_DES_C
- scripts/config.py unset MBEDTLS_AES_C
- scripts/config.py unset MBEDTLS_ARIA_C
- scripts/config.py unset MBEDTLS_CHACHA20_C
- scripts/config.py unset MBEDTLS_CAMELLIA_C
- scripts/config.py unset MBEDTLS_POLY1305_C
-
 # Disable DES, if it still exists.
 # This can be removed once we remove DES from the library.
 scripts/config.py unset PSA_WANT_KEY_TYPE_DES
- # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
- # does not depend on it.
- scripts/config.py unset MBEDTLS_CIPHER_C
-
 # Build
 # -----
@@ -1856,14 +1826,6 @@ common_block_cipher_dispatch () {
 # Start from the full config
 helper_libtestdriver1_adjust_config "full"
- if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
- # Disable key types that are accelerated (there is no legacy equivalent
- # symbol for ECB)
- scripts/config.py unset MBEDTLS_AES_C
- scripts/config.py unset MBEDTLS_ARIA_C
- scripts/config.py unset MBEDTLS_CAMELLIA_C
- fi
-
 # Disable cipher's modes that, when not accelerated, cause
 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
 # Keep this also in the reference component in order to skip the same tests
@@ -1968,7 +1930,6 @@ component_test_full_block_cipher_legacy_dispatch () {
 component_test_aead_chachapoly_disabled () {
 msg "build: full minus CHACHAPOLY"
 scripts/config.py full
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -1979,8 +1940,6 @@ component_test_aead_chachapoly_disabled () {
 component_test_aead_only_ccm () {
 msg "build: full minus CHACHAPOLY and GCM"
 scripts/config.py full
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_GCM_C
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -2106,16 +2065,12 @@ component_build_aes_variations () {
 # manually set or unset those configurations to check
 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
- scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
 scripts/config.py unset MBEDTLS_NIST_KW_C
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
- # Note: The two unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_DES_C
 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
 "MBEDTLS_AES_ROM_TABLES" \
@@ -2319,7 +2274,6 @@ helper_block_cipher_no_decrypt_build_test () {
 # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
 config_block_cipher_no_decrypt () {
 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
- scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
 scripts/config.py unset MBEDTLS_NIST_KW_C
 # Enable support for cryptographic mechanisms through the PSA API.
@@ -2328,9 +2282,6 @@ config_block_cipher_no_decrypt () {
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
- # Note: The two unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_DES_C
 }
 component_test_block_cipher_no_decrypt_aesni () {
@@ -2482,7 +2433,6 @@ component_build_psa_config_file () {
 # query_compile_time_config.
 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
- echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h
 make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
 not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index f9678b98f..450bdebab 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -54,18 +54,11 @@ component_test_tls1_2_default_stream_cipher_only () {
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
- # Note: The three unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
 #Disable TLS 1.3 (as no AEAD)
 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
- # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
- # Note: The unset below is to be removed for 4.0
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
 # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
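Review bot: With the `# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus ...)` comment removed, the retained `# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)` no longer has anything to refer back to, and the same "the same as CBC-legacy" phrase survives in the two cbc_legacy components in the next hunks, where the CBC-legacy comment is shortened to `# Enable CBC-legacy`. As far as these hunks show, CBC-legacy is now governed by the PSA_WANT_ALG_CBC_* symbols set or unset just above, so spelling that out would keep the comment self-contained, e.g. `# Disable CBC-EtM (controlled by the PSA_WANT_ALG_CBC_* symbols above plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)`, and correspondingly for the `# Enable CBC-EtM` variant.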
@@ -90,13 +83,9 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
- # Note: The three unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
 #Disable TLS 1.3 (as no AEAD)
 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
+ # Enable CBC-legacy
 scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -123,13 +112,9 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
- # Note: The three unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
 #Disable TLS 1.3 (as no AEAD)
 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
+ # Enable CBC-legacy
 scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
 # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 scripts/config.py set MBEDTLS_SSL_ENCRYPT_THE_MAC_PLACEHOLDER_REMOVED
@@ -399,8 +384,6 @@ component_test_when_no_ciphersuites_have_mac () {
 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_CMAC_C
 make
From 0668036ada60730071e21be06dc1587bba6c7ad3 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 21 Jul 2025 15:21:22 +0200
Subject: [PATCH 12/36] Replace MBEDTLS_AES_C
Replace the remaining instances of MBEDTLS_AES_C as a configuration option.
Signed-off-by: Ronald Cron
---
include/mbedtls/version.h | 2 +-
tests/scripts/analyze_outcomes.py | 8 --------
tests/scripts/components-configuration-crypto.sh | 2 +-
tests/scripts/test_config_script.py | 2 +-
4 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index 718e99eb4..837787bc7 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -60,7 +60,7 @@ void mbedtls_version_get_string_full(char *string);
 * support", "Mbed TLS modules" and "Mbed TLS feature
 * support" in mbedtls_config.h
 *
- * \param feature The string for the define to check (e.g. "MBEDTLS_AES_C")
+ * \param feature The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C")
 *
 * \return 0 if the feature is present,
 * -1 if the feature is not present and
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 67a388567..d1bb553c6 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -327,10 +327,6 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference):
 'Low and high error',
 'Single low error'
 ],
- # Similar to test_suite_error above.
- 'test_suite_version': [
- 'Check for MBEDTLS_AES_C when already present',
- ],
 # The en/decryption part of PKCS#12 is not supported so far.
 # The rest of PKCS#12 (key derivation) works though.
 'test_suite_pkcs12': [
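Review bot: Dropping the `'test_suite_version'` ignore entry for 'Check for MBEDTLS_AES_C when already present' from DriverVSReference_cipher_aead_cmac is only safe if that test case no longer exists or now behaves identically in the driver and reference builds; the diffstat shows no change to the version test suite in this commit, so if the case still exists under its old name the driver-vs-reference analysis will start reporting it. Please confirm the test case was renamed or removed earlier in the series, or keep a matching ignore entry until it is. The identical removal in DriverVSReference_block_cipher_dispatch in the next hunk raises the same question.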
@@ -659,10 +655,6 @@ class DriverVSReference_block_cipher_dispatch(outcome_analysis.DriverVSReference 'Single low error', 'Low and high error', ], - 'test_suite_version': [ - # Similar to test_suite_error above. - 'Check for MBEDTLS_AES_C when already present', - ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 6cf8cd915..834eb1f3a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2091,7 +2091,7 @@ END #define PSA_WANT_ALG_SHA3_256 1 #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 - #define MBEDTLS_AES_C + #define PSA_WANT_KEY_TYPE_AES 1 #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C diff --git a/tests/scripts/test_config_script.py b/tests/scripts/test_config_script.py index e500b3362..b58a3114c 100755 --- a/tests/scripts/test_config_script.py +++ b/tests/scripts/test_config_script.py @@ -130,7 +130,7 @@ def run_one(options, args, stem_prefix='', input_file=None): ### config.py stops handling that case correctly. TEST_SYMBOLS = [ 'CUSTOM_SYMBOL', # does not exist - 'MBEDTLS_AES_C', # set, no value + 'PSA_WANT_KEY_TYPE_AES', # set, no value 'MBEDTLS_MPI_MAX_SIZE', # unset, has a value 'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support" 'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options" From fb03d1391b321914da88ef12c4dba43ddb821317 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 9 Jul 2025 11:54:26 +0200 Subject: [PATCH 13/36] depends.py: Remove cipher_padding domain Signed-off-by: Ronald Cron --- tests/scripts/components-configuration-crypto.sh | 5 ----- tests/scripts/depends.py | 13 ------------- 2 files changed, 18 deletions(-) 
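Review bot: The comment `# set, no value` is probably no longer true of the replacement symbol: the heredoc in `components-configuration-crypto.sh` in this same commit writes `#define PSA_WANT_KEY_TYPE_AES 1`, and if crypto_config.h defines it the same way, this test stops exercising the valueless-define case the comment says it is there for. If so, choose a symbol that is still defined bare in mbedtls_config.h — `MBEDTLS_SSL_TICKET_C` appears that way elsewhere in this series — e.g. `'MBEDTLS_SSL_TICKET_C',  # set, no value`, or, if the intent was merely "a symbol that exists", change the comment to `# set, value 1`. Note also that `PSA_WANT_KEY_TYPE_AES` lives in crypto_config.h rather than mbedtls_config.h, which matters if `run_one` only drives config.py on the default file; the function starts before the hunk.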
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 834eb1f3a..da776e70b 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -515,11 +515,6 @@ component_test_depends_py_cipher_chaining () { tests/scripts/depends.py cipher_chaining } -component_test_depends_py_cipher_padding () { - msg "test/build: depends.py cipher_padding (gcc)" - tests/scripts/depends.py cipher_padding -} - component_test_depends_py_curves () { msg "test/build: depends.py curves (gcc)" tests/scripts/depends.py curves diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 7fccb2006..265b99fc1 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -273,13 +273,6 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'], 'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'], - 'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C', - 'MBEDTLS_PKCS12_C', - 'PSA_WANT_ALG_CBC_PKCS7'], - 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], @@ -531,9 +524,6 @@ class DomainData: # Get cipher modes cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs} - # Find block padding mode enabling macros by name. - cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z') - self.domains = { # Cipher key types 'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test), 
@@ -544,9 +534,6 @@ class DomainData: build_and_test, exclude=r'PSA_WANT_ALG_XTS'), - 'cipher_padding': ExclusiveDomain(cipher_padding_symbols, - build_and_test), - # Elliptic curves. Run the test suites. 'curves': ExclusiveDomain(curve_symbols, build_and_test), From dfd501d3fb2352a004fd1f6ed702f719025d7e5b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 21 Jul 2025 14:44:12 +0200 Subject: [PATCH 14/36] depends.py: Adapt to the removal of legacy crypto config options Adapt to the removal of the legacy hash, cipher, cmac, aead and RSA configuration options. Signed-off-by: Ronald Cron --- tests/scripts/depends.py | 54 +++++++++++----------------------------- 1 file changed, 14 insertions(+), 40 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 265b99fc1..679f05af1 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -30,11 +30,11 @@ The configuration building method can be one of the three following: direct dependencies, but rather non-trivial results of other configs missing. Then look for any unset symbols and handle their reverse dependencies. Examples of EXCLUSIVE_GROUPS usage: - - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C + - PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C requires either SHA256 or SHA384 to work, so it also has to be disabled. - This is not a dependency on SHA512_C, but a result of an exclusive domain + This is not a dependency on SHA512, but a result of an exclusive domain config building method. Relevant field: - 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'], + 'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'], - DualDomain - combination of the two above - both complementary and exclusive domain job generation code will be run. Currently only used for hashes. 
@@ -251,27 +251,11 @@ and subsequent commands are tests that cannot run if the build failed).''' REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128', 'MBEDTLS_CTR_DRBG_C', - 'MBEDTLS_NIST_KW_C', - 'MBEDTLS_AES_C'], - 'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'], - 'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'], + 'MBEDTLS_NIST_KW_C'], 'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305', - 'PSA_WANT_ALG_STREAM_CIPHER', - 'MBEDTLS_CHACHA20_C', - 'MBEDTLS_CHACHAPOLY_C'], - 'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'], - 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG', - 'MBEDTLS_CCM_C'], - 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128', - 'MBEDTLS_CMAC_C'], - 'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'], - - 'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'], - 'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'], - 'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'], - 'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'], - 'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'], + 'PSA_WANT_ALG_STREAM_CIPHER'], + 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], + 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], @@ -312,11 +296,9 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C', 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS', - 'MBEDTLS_X509_RSASSA_PSS_SUPPORT', - 'MBEDTLS_PKCS1_V21'], + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_PKCS1_V15'], + 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'], 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [ 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT', 'PSA_WANT_ALG_RSA_OAEP', 
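Review bot: With `MBEDTLS_PKCS1_V21` removed from the `PSA_WANT_ALG_RSA_OAEP` entry, the reason OAEP drags `PSA_WANT_ALG_RSA_PSS` and `MBEDTLS_X509_RSASSA_PSS_SUPPORT` with it is no longer visible in the table: previously all three hung off the PKCS#1 v2.1 option, whereas now the coupling looks arbitrary, and `mbedtls_config.h` in this series documents RSASSA-PSS support as requiring `PSA_WANT_ALG_RSA_PSS`, not OAEP. If the coupling is still needed because the exclusive-domain jobs cannot select OAEP without PSS, a one-line comment such as `# OAEP and PSS are only built together; X.509 PSS support follows PSS` above the entry would keep the next reader from deleting it; if it is not needed, those two items belong under a `'PSA_WANT_ALG_RSA_PSS': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT']` entry, which I do not see in the hunk. The same question applies to `PSA_WANT_ALG_RSA_PKCS1V15_CRYPT` still pulling in `PSA_WANT_ALG_RSA_PKCS1V15_SIGN` now that `MBEDTLS_PKCS1_V15` is gone.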
@@ -324,29 +306,21 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE', - 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', - 'MBEDTLS_RSA_C'], + 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], - 'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'], - 'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'], - 'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'], 'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', - 'MBEDTLS_SHA224_C'], + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], 'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', 'MBEDTLS_LMS_C', 'MBEDTLS_LMS_PRIVATE', - 'MBEDTLS_SHA256_C', 'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'], - 'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'], 'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', - 'MBEDTLS_SHA512_C'], + 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], 'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'], } @@ -626,8 +600,8 @@ def main(): description= "Test Mbed TLS with a subset of algorithms.\n\n" "Example usage:\n" - r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n" - "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n" + r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n" + "./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n" "./tests/scripts/depends.py cipher_id cipher_chaining\n") parser.add_argument('--color', metavar='WHEN', help='Colorize the output (always/auto/never)', From 5eb9aba3589aa93320909697b48b582549c084f7 Mon Sep 17 00:00:00 2001 
From: Ronald Cron Date: Tue, 22 Jul 2025 10:58:44 +0200 Subject: [PATCH 15/36] mbedtls_config.h: Update "requires" comments Following the removal of the legacy hash, cipher, CMAC, AEAD, and RSA configuration options in TF-PSA-Crypto, update the "requires" comments that referred to the removed options. Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ddab7d0c3..d18d0fadb 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -255,7 +255,7 @@ * * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH * MBEDTLS_RSA_C - * MBEDTLS_PKCS1_V15 + * PSA_WANT_ALG_RSA_PKCS1V15_SIGN * MBEDTLS_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are @@ -331,7 +331,7 @@ * might still happen. For this reason, this is disabled by default. * * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE - * SHA-256 (via MBEDTLS_SHA256_C or a PSA driver) + * PSA_WANT_ALG_SHA_256 * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * This enables the following ciphersuites (if other requisites are @@ -446,7 +446,7 @@ * saved after the handshake to allow for more efficient serialization, so if * you don't need this feature you'll save RAM by disabling it. * - * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 * * Comment to disable the context serialization APIs. */ @@ -824,7 +824,7 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C + * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 */ #define MBEDTLS_SSL_TICKET_C 
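Review bot: The `Requires:` list in the first hunk still names `MBEDTLS_RSA_C` on the context line directly above the one being changed, even though the commit message says the legacy RSA configuration options were removed together with `MBEDTLS_PKCS1_V15`; if `MBEDTLS_RSA_C` is indeed no longer a configuration option, that line is as stale as the one replaced here. The PSA-side requirement is presumably a key-type symbol such as `* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY` — confirm against crypto_config.h before editing. The option's documentation block starts before the hunk, so I cannot tell which key exchange this is.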
@@ -859,7 +859,7 @@ * MBEDTLS_X509_CRT_PARSE_C * and at least one of: * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA - * MBEDTLS_PKCS1_V21 + * PSA_WANT_ALG_RSA_PSS * * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any @@ -903,7 +903,7 @@ * Caller: library/ssl*_client.c * library/ssl*_server.c * - * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines * * This module is required for SSL/TLS. @@ -1210,7 +1210,7 @@ * Enable parsing and verification of X.509 certificates, CRLs and CSRS * signed with RSASSA-PSS (aka PKCS#1 v2.1). * - * Requires: MBEDTLS_PKCS1_V21 + * Requires: PSA_WANT_ALG_RSA_PSS * * Comment this macro to disallow using RSASSA-PSS in certificates. */ From c7c480a95fbb771d28b495f0f6af8330e411153d Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 4 Jun 2025 08:29:58 +0100 Subject: [PATCH 16/36] Revert temporary merge changes Signed-off-by: Ben Taylor --- programs/fuzz/CMakeLists.txt | 5 +- programs/fuzz/common.c | 107 ----------------------------------- programs/fuzz/common.h | 28 --------- programs/fuzz/onefile.c | 70 ----------------------- 4 files changed, 3 insertions(+), 207 deletions(-) delete mode 100644 programs/fuzz/common.c delete mode 100644 programs/fuzz/common.h delete mode 100644 programs/fuzz/onefile.c diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index 54b07b4dd..bd9bf91d9 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt 
@@ -31,18 +31,19 @@ foreach(exe IN LISTS executables_no_common_c executables_with_common_c) $ $) if(NOT FUZZINGENGINE_LIB) - list(APPEND exe_sources onefile.c) + list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/onefile.c) endif() # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3 list(FIND executables_with_common_c ${exe} exe_index) if(${exe_index} GREATER -1) - list(APPEND exe_sources common.c) + list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_common.c) endif() add_executable(${exe} ${exe_sources}) set_base_compile_options(${exe}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/ ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) if (NOT FUZZINGENGINE_LIB) diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c deleted file mode 100644 index 41fa858a4..000000000 --- a/programs/fuzz/common.c +++ /dev/null 
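Review bot: The new include directory is spelled `${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/` while the two source paths added a few lines earlier use `${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/...`; pick one base for the submodule path (the `${MBEDTLS_DIR}` form, without the trailing slash, is the shorter one) so a future move of the submodule is a one-place change. Separately, this commit deletes `common.h` while the `fuzz_*.c` sources still `#include "common.h"` until a later patch in the series renames the include, so this revision presumably does not build on its own; folding the include rename into this commit, or ordering it first, would keep the series bisectable.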
@@ -1,107 +0,0 @@ -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "common.h" -#include -#include -#include -#include -#include "mbedtls/ctr_drbg.h" - -#if defined(MBEDTLS_PLATFORM_TIME_ALT) -mbedtls_time_t dummy_constant_time(mbedtls_time_t *time) -{ - (void) time; - return 0x5af2a056; -} -#endif - -void dummy_init(void) -{ -#if defined(MBEDTLS_PLATFORM_TIME_ALT) - mbedtls_platform_set_time(dummy_constant_time); -#else - fprintf(stderr, "Warning: fuzzing without constant time\n"); -#endif -} - -int dummy_send(void *ctx, const unsigned char *buf, size_t len) -{ - //silence warning about unused parameter - (void) ctx; - (void) buf; - - //pretends we wrote everything ok - if (len > INT_MAX) { - return -1; - } - return (int) len; -} - -int fuzz_recv(void *ctx, unsigned char *buf, size_t len) -{ - //reads from the buffer from fuzzer - fuzzBufferOffset_t *biomemfuzz = (fuzzBufferOffset_t *) ctx; - - if (biomemfuzz->Offset == biomemfuzz->Size) { - //EOF - return 0; - } - if (len > INT_MAX) { - return -1; - } - if (len + biomemfuzz->Offset > biomemfuzz->Size) { - //do not overflow - len = biomemfuzz->Size - biomemfuzz->Offset; - } - memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len); - biomemfuzz->Offset += len; - return (int) len; -} - -int dummy_random(void *p_rng, unsigned char *output, size_t output_len) -{ - int ret; - size_t i; - -#if defined(MBEDTLS_CTR_DRBG_C) - //mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng - if (p_rng != NULL) { - //use mbedtls_ctr_drbg_random to find bugs in it - ret = mbedtls_ctr_drbg_random(p_rng, output, output_len); - } else { - //fall through to pseudo-random - ret = 0; - } -#else - (void) p_rng; - ret = 0; -#endif - for (i = 0; i < output_len; i++) { - //replace result with pseudo random - output[i] = (unsigned char) rand(); - } - return ret; -} - -int dummy_entropy(void *data, unsigned char *output, size_t len) -{ - size_t i; - (void) data; - - //use mbedtls_entropy_func to find bugs in it - 
//test performance impact of entropy - //ret = mbedtls_entropy_func(data, output, len); - for (i = 0; i < len; i++) { - //replace result with pseudo random - output[i] = (unsigned char) rand(); - } - return 0; -} - -int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len, - uint32_t timeout) -{ - (void) timeout; - - return fuzz_recv(ctx, buf, len); -} diff --git a/programs/fuzz/common.h b/programs/fuzz/common.h deleted file mode 100644 index 88dceacf7..000000000 --- a/programs/fuzz/common.h +++ /dev/null @@ -1,28 +0,0 @@ -#include "mbedtls/build_info.h" - -#if defined(MBEDTLS_HAVE_TIME) -#include "mbedtls/platform_time.h" -#endif -#include -#include - -typedef struct fuzzBufferOffset { - const uint8_t *Data; - size_t Size; - size_t Offset; -} fuzzBufferOffset_t; - -#if defined(MBEDTLS_HAVE_TIME) -mbedtls_time_t dummy_constant_time(mbedtls_time_t *time); -#endif -void dummy_init(void); - -int dummy_send(void *ctx, const unsigned char *buf, size_t len); -int fuzz_recv(void *ctx, unsigned char *buf, size_t len); -int dummy_random(void *p_rng, unsigned char *output, size_t output_len); -int dummy_entropy(void *data, unsigned char *output, size_t len); -int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len, - uint32_t timeout); - -/* Implemented in the fuzz_*.c sources and required by onefile.c */ -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); diff --git a/programs/fuzz/onefile.c b/programs/fuzz/onefile.c deleted file mode 100644 index 6c02a641d..000000000 --- a/programs/fuzz/onefile.c +++ /dev/null 
@@ -1,70 +0,0 @@ -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include -#include -#include -#include "common.h" - -/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway - * in case it contains platform-specific #defines related to malloc or - * stdio functions. */ -#include "mbedtls/build_info.h" - -int main(int argc, char **argv) -{ - FILE *fp; - uint8_t *Data; - size_t Size; - const char *argv0 = argv[0] == NULL ? "PROGRAM_NAME" : argv[0]; - - if (argc != 2) { - fprintf(stderr, "Usage: %s REPRODUCER_FILE\n", argv0); - return 1; - } - //opens the file, get its size, and reads it into a buffer - fp = fopen(argv[1], "rb"); - if (fp == NULL) { - fprintf(stderr, "%s: Error in fopen\n", argv0); - perror(argv[1]); - return 2; - } - if (fseek(fp, 0L, SEEK_END) != 0) { - fprintf(stderr, "%s: Error in fseek(SEEK_END)\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - Size = ftell(fp); - if (Size == (size_t) -1) { - fprintf(stderr, "%s: Error in ftell\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - if (fseek(fp, 0L, SEEK_SET) != 0) { - fprintf(stderr, "%s: Error in fseek(0)\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - Data = malloc(Size); - if (Data == NULL) { - fprintf(stderr, "%s: Could not allocate memory\n", argv0); - perror(argv[1]); - fclose(fp); - return 2; - } - if (fread(Data, Size, 1, fp) != 1) { - fprintf(stderr, "%s: Error in fread\n", argv0); - perror(argv[1]); - free(Data); - fclose(fp); - return 2; - } - - //launch fuzzer - LLVMFuzzerTestOneInput(Data, Size); - free(Data); - fclose(fp); - return 0; -} From 52510b27fc282660ca5bddf8fee8663437719093 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 4 Jun 2025 09:35:35 +0100 Subject: [PATCH 17/36] Update header names 
Signed-off-by: Ben Taylor --- programs/fuzz/fuzz_client.c | 2 +- programs/fuzz/fuzz_dtlsclient.c | 2 +- programs/fuzz/fuzz_dtlsserver.c | 2 +- programs/fuzz/fuzz_pkcs7.c | 2 +- programs/fuzz/fuzz_server.c | 2 +- programs/fuzz/fuzz_x509crl.c | 2 +- programs/fuzz/fuzz_x509crt.c | 2 +- programs/fuzz/fuzz_x509csr.c | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 6d3b73fa9..440c0245f 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -4,7 +4,7 @@ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "test/certs.h" -#include "common.h" +#include "fuzz_common.h" #include #include #include diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index efe136227..7a1da13c3 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -3,7 +3,7 @@ #include #include #include -#include "common.h" +#include "fuzz_common.h" #include "mbedtls/ssl.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) #include "mbedtls/entropy.h" diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 31eb51427..98a70216e 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -3,7 +3,7 @@ #include #include #include -#include "common.h" +#include "fuzz_common.h" #include "mbedtls/ssl.h" #include "test/certs.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c index 9ec935179..f236190c2 100644 --- a/programs/fuzz/fuzz_pkcs7.c +++ b/programs/fuzz/fuzz_pkcs7.c @@ -2,7 +2,7 @@ #include #include "mbedtls/pkcs7.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index bb9dd0a58..05b7480cb 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c 
@@ -5,7 +5,7 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/ssl_ticket.h" #include "test/certs.h" -#include "common.h" +#include "fuzz_common.h" #include #include #include diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 2840fbbb0..92e0f5d12 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -2,7 +2,7 @@ #include #include "mbedtls/x509_crl.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index 29331b94d..c99ae2e7b 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -2,7 +2,7 @@ #include #include "mbedtls/x509_crt.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index e0aaabc01..4ab071f1c 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -2,7 +2,7 @@ #include #include "mbedtls/x509_csr.h" -#include "common.h" +#include "fuzz_common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { From 60a5b32198ab28037e22d9aadbbbfa6e8979acde Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 4 Jun 2025 10:45:15 +0100 Subject: [PATCH 18/36] Correct onefile name Signed-off-by: Ben Taylor --- programs/fuzz/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index bd9bf91d9..d5995aa19 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt 
@@ -31,7 +31,7 @@ foreach(exe IN LISTS executables_no_common_c executables_with_common_c) $ $) if(NOT FUZZINGENGINE_LIB) - list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/onefile.c) + list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_onefile.c) endif() # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3 From 8beeed046258d9308652af846aa2fe6dec8e744d Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 13 Jun 2025 11:05:09 +0100 Subject: [PATCH 19/36] Add further updates to paths Signed-off-by: Ben Taylor --- programs/fuzz/Makefile | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile index 29483eafd..bf66a1dde 100644 --- a/programs/fuzz/Makefile +++ b/programs/fuzz/Makefile @@ -3,7 +3,7 @@ MBEDTLS_TEST_PATH:=../../tests MBEDTLS_PATH := ../.. include ../../scripts/common.make -PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/programs/fuzz +PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz/ DEP=${MBEDLIBS} @@ -15,6 +15,8 @@ LOCAL_CFLAGS += -I$(PROGRAM_FUZZ_PATH) # A test application is built for each fuzz_*.c file. APPS = $(basename $(wildcard fuzz_*.c)) +APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_privkey.c) +APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_pubkey.c) # Construct executable name by adding OS specific suffix $(EXEXT). BINARIES := $(addsuffix $(EXEXT),$(APPS)) 
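Review bot: `APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_privkey.c)` keeps the submodule directory in the application name, so with the existing `%$(EXEXT): %.o` pattern both the object and the executable for `fuzz_privkey` and `fuzz_pubkey` are written into `tf-psa-crypto/programs/fuzz/` — inside the submodule checkout — rather than next to the other fuzzers, and it is the local `clean:` target (whose body lies outside the hunk) that has to remove them. If that is intended, the comment two lines up, `# A test application is built for each fuzz_*.c file.`, should say so, e.g. `# A test application is built for each local fuzz_*.c file, plus the key-parsing fuzzers from the tf-psa-crypto submodule (built in place there).`; otherwise use `$(notdir ...)` for the names together with `vpath %.c $(PROGRAM_FUZZ_PATH)` so the outputs land in this directory. The trailing slash on `PROGRAM_FUZZ_PATH` is already corrected later in the series.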
@@ -32,13 +34,13 @@ C_FILES := $(addsuffix .c,$(APPS)) ifdef FUZZINGENGINE -$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(DEP) - echo " $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" - $(CXX) $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(DEP) + echo " $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ else -$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $(DEP) - echo " $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" - $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $(DEP) + echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ endif clean: From 4e85cbd2275adfc2db22889a4b6544f76bed3dd2 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 13 Jun 2025 11:00:07 +0100 Subject: [PATCH 20/36] update submodules to pull in previous PR's Signed-off-by: Ben Taylor --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index a0ff5d648..5157a286d 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit a0ff5d64831aad7d19aa7e02eb8af065e07506f2 +Subproject commit 5157a286d52c1e5fe825476bec6a2ee3a4a0c4c5 From 250e8b8b6d3d37083cb1320b1530ee6aefe14839 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 23 Jul 2025 15:15:05 +0100 Subject: [PATCH 21/36] Update submodule pointer 
Signed-off-by: Ben Taylor --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 5157a286d..19edaa785 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 5157a286d52c1e5fe825476bec6a2ee3a4a0c4c5 +Subproject commit 19edaa785dd71ec8f0c9f72235243314c3d895fa From 361ce2b484d42846bcc67c3da89554fe5aaf59a1 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 4 Jul 2025 10:36:53 +0100 Subject: [PATCH 22/36] Rename mbedtls_pk_setup_opaque to mbedtls_pk_wrap_psa Signed-off-by: Ben Taylor --- programs/ssl/ssl_test_lib.c | 2 +- tests/src/test_helpers/ssl_helpers.c | 2 +- tests/suites/test_suite_x509write.function | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index 6aa60fbfb..f9a640252 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -293,7 +293,7 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor } mbedtls_pk_free(pk); mbedtls_pk_init(pk); - ret = mbedtls_pk_setup_opaque(pk, *key_id); + ret = mbedtls_pk_wrap_psa(pk, *key_id); if (ret != 0) { return ret; } diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index e6c082eac..faa79ffd9 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -772,7 +772,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, TEST_EQUAL(mbedtls_pk_import_into_psa(ep->pkey, &key_attr, &key_slot), 0); mbedtls_pk_free(ep->pkey); mbedtls_pk_init(ep->pkey); - TEST_EQUAL(mbedtls_pk_setup_opaque(ep->pkey, key_slot), 0); + TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0); } #else (void) opaque_alg; diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index db571dab6..e0aad90a0 100644 --- a/tests/suites/test_suite_x509write.function 
+++ b/tests/suites/test_suite_x509write.function @@ -286,7 +286,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0); mbedtls_pk_free(&key); mbedtls_pk_init(&key); - TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0); + TEST_EQUAL(mbedtls_pk_wrap_psa(&key, key_id), 0); mbedtls_x509write_csr_set_md_alg(&req, md_type); mbedtls_x509write_csr_set_key(&req, &key); @@ -417,7 +417,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0); mbedtls_pk_free(&issuer_key); mbedtls_pk_init(&issuer_key); - TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0); + TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ From 02c76ebb21dc303b07d568e4ef994c534073ecb8 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 24 Jul 2025 11:13:23 +0100 Subject: [PATCH 23/36] Add minor corrections to the fuzz Makefile Signed-off-by: Ben Taylor --- programs/fuzz/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile index bf66a1dde..65ac6f894 100644 --- a/programs/fuzz/Makefile +++ b/programs/fuzz/Makefile @@ -3,7 +3,7 @@ MBEDTLS_TEST_PATH:=../../tests MBEDTLS_PATH := ../.. include ../../scripts/common.make -PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz/ +PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz DEP=${MBEDLIBS} 
@@ -35,7 +35,7 @@ C_FILES := $(addsuffix .c,$(APPS)) ifdef FUZZINGENGINE $(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(DEP) - echo " $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ else $(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $(DEP) From c0a562c8959564e4c34f748b4eea28e2cb77bd07 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Jul 2025 17:07:13 +0200 Subject: [PATCH 24/36] query_config.fmt: glob headers instead of listing them explicitly This lets us remove or rename crypto headers without hassle, and means we don't risk forgetting to add a new header. Fix #10323 Signed-off-by: Gilles Peskine --- scripts/data_files/query_config.fmt | 69 ++--------------------------- scripts/generate_query_config.pl | 24 ++++++++++ 2 files changed, 27 insertions(+), 66 deletions(-) diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt index 12517596d..559734a6a 100644 --- a/scripts/data_files/query_config.fmt +++ b/scripts/data_files/query_config.fmt @@ -1,4 +1,4 @@ -/* +/* -*-c-*- * Query Mbed TLS compile time configurations from mbedtls_config.h * * Copyright The Mbed TLS Contributors 
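Review bot: The corrected echo line now prints `$(CC)`, but the command actually executed on the next recipe line is `$(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o ...`, so the build log will show a command that was not run — worse than the previous line, which at least printed no compiler at all. Make the echo match the recipe: `echo "  $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"`. The non-FUZZINGENGINE branch below already prints and runs `$(CC)` consistently.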
@@ -10,73 +10,10 @@ #include "query_config.h" #include "mbedtls/platform.h" - -/* - * Include all the headers with public APIs in case they define a macro to its - * default value when that configuration is not set in mbedtls_config.h, or - * for PSA_WANT macros, in case they're auto-defined based on mbedtls_config.h - * rather than defined directly in crypto_config.h. - */ -#include "psa/crypto.h" - -#include "mbedtls/aes.h" -#include "mbedtls/aria.h" -#include "mbedtls/asn1.h" -#include "mbedtls/asn1write.h" -#include "mbedtls/base64.h" -#include "mbedtls/bignum.h" -#include "mbedtls/camellia.h" -#include "mbedtls/ccm.h" -#include "mbedtls/chacha20.h" -#include "mbedtls/chachapoly.h" -#include "mbedtls/cipher.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/debug.h" -#include "mbedtls/des.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecdsa.h" -#include "mbedtls/ecjpake.h" -#include "mbedtls/ecp.h" -#include "mbedtls/entropy.h" -#include "mbedtls/error.h" -#include "mbedtls/gcm.h" -#include "mbedtls/hmac_drbg.h" -#include "mbedtls/md.h" -#include "mbedtls/md5.h" -#include "mbedtls/memory_buffer_alloc.h" -#include "mbedtls/net_sockets.h" -#include "mbedtls/nist_kw.h" -#include "mbedtls/oid.h" -#include "mbedtls/pem.h" -#include "mbedtls/pk.h" -#include "mbedtls/pkcs12.h" -#include "mbedtls/pkcs5.h" -#if defined(MBEDTLS_HAVE_TIME) -#include "mbedtls/platform_time.h" -#endif -#include "mbedtls/platform_util.h" -#include "mbedtls/poly1305.h" -#include "mbedtls/ripemd160.h" -#include "mbedtls/rsa.h" -#include "mbedtls/sha1.h" -#include "mbedtls/sha256.h" -#include "mbedtls/sha512.h" -#include "mbedtls/ssl.h" -#include "mbedtls/ssl_cache.h" -#include "mbedtls/ssl_ciphersuites.h" -#include "mbedtls/ssl_cookie.h" -#include "mbedtls/ssl_ticket.h" -#include "mbedtls/threading.h" -#include "mbedtls/timing.h" -#include "mbedtls/version.h" -#include "mbedtls/x509.h" -#include "mbedtls/x509_crl.h" -#include "mbedtls/x509_crt.h" -#include 
"mbedtls/x509_csr.h" - #include +INCLUDE_HEADERS + /* * Helper macros to convert a macro or its expansion into a string * WARNING: This does not work for expanding function-like macros. However, diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index 6a2f9cbdf..61ea9028a 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -100,6 +100,29 @@ EOT close(CONFIG_FILE); } +# We need to include all the headers with public APIs in case they +# define a macro to its default value when that configuration is not +# set in a header included by build_info.h (crypto_config.h, +# mbedtls_config.h, *adjust*.h). Some module-specific macros are set +# in that module's header. For simplicity, include all headers, with +# some ad hoc knowledge of headers that are included by other headers +# and should not be included directly. We don't include internal headers +# because those should not define configurable macros. +my @header_files = (); +my @header_roots = qw( + include + tf-psa-crypto/include + tf-psa-crypto/drivers/builtin/include + ); +for my $root (@header_roots) { + my @paths = glob "$root/*/*.h $root/*/*/*.h"; + map {s!^\Q$root/!!} @paths; + # Exclude some headers that are included by build_info.h and cannot + # be included directly. + push @header_files, grep {!m!_config\.h|[/_]adjust[/_]!} @paths; +} +my $include_headers = join('', map {"#include <$_>\n"} @header_files); + # Read the full format file into a string local $/; open(FORMAT_FILE, "<", $query_config_format_file) or die "Opening query config format file '$query_config_format_file': $!"; @@ -107,6 +130,7 @@ my $query_config_format = ; close(FORMAT_FILE); # Replace the body of the query_config() function with the code we just wrote +$query_config_format =~ s/INCLUDE_HEADERS/$include_headers/g; $query_config_format =~ s/CHECK_CONFIG/$config_check/g; $query_config_format =~ s/LIST_CONFIG/$list_config/g; 
From 8b006ce95f627be702df7a1c583903847e137a12 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Jul 2025 19:51:17 +0200 Subject: [PATCH 25/36] Invoke generate_query_config.pl from the root Otherwise it can't find headers to include. Signed-off-by: Gilles Peskine --- programs/test/CMakeLists.txt | 1 + scripts/generate_query_config.pl | 2 ++ 2 files changed, 3 insertions(+) diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 949708420..ca6e8b207 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -56,6 +56,7 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt ${CMAKE_CURRENT_BINARY_DIR}/query_config.c + WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../.. DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index 61ea9028a..e99d633de 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -49,6 +49,8 @@ if( @ARGV ) { or die "No arguments supplied, must be run from project root or a first-level subdirectory\n"; } } +-f 'include/mbedtls/build_info.h' + or die "$0: must be run from project root, or from a first-level subdirectory with no arguments\n"; # Excluded macros from the generated query_config.c. For example, macros that # have commas or function-like macros cannot be transformed into strings easily From 1b4bfdf554e3badaf65c34a20becd00694d8b8cf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 26 Jul 2025 00:00:49 +0200 Subject: [PATCH 26/36] Add missing include Fix compilation error when `mbedtls/oid.h` is included without having first included `mbedtls/asn1.h`. Fix #10326 Signed-off-by: Gilles Peskine --- include/mbedtls/oid.h | 1 + 1 file changed, 1 insertion(+) 
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 375ea60cb..d769ff218 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -11,6 +11,7 @@
 #define MBEDTLS_OID_H
 #include "mbedtls/build_info.h"
+#include "mbedtls/asn1.h"
 /*
  * Top level OID tuples
From 409c688c4b595db2e178e805260fbfbbb9de5fd7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 26 Jul 2025 00:15:21 +0200 Subject: [PATCH 27/36] Include mbedtls/platform_time.h conditionally on MBEDTLS_HAVE_TIME Work around https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/393 Signed-off-by: Gilles Peskine --- scripts/data_files/query_config.fmt | 5 +++++ scripts/generate_query_config.pl | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt
index 559734a6a..c60458b61 100644
--- a/scripts/data_files/query_config.fmt
+++ b/scripts/data_files/query_config.fmt
@@ -12,6 +12,11 @@
 #include "mbedtls/platform.h"
 #include
+/* Work around https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/393 */
+#if defined(MBEDTLS_HAVE_TIME)
+#include
+#endif
+
 INCLUDE_HEADERS
 /*
diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl
index e99d633de..49e363de5 100755
--- a/scripts/generate_query_config.pl
+++ b/scripts/generate_query_config.pl
@@ -121,7 +121,11 @@ for my $root (@header_roots) {
 map {s!^\Q$root/!!} @paths;
 # Exclude some headers that are included by build_info.h and cannot
 # be included directly.
-push @header_files, grep {!m!_config\.h|[/_]adjust[/_]!} @paths;
+push @header_files, grep {!m[
+ ^mbedtls/platform_time\.h$ | # errors without time.h
+ _config\.h |
+ [/_]adjust[/_]
+ ]x} @paths;
 }
 my $include_headers = join('', map {"#include <$_>\n"} @header_files);
From 4995d4435c26fe8bcaa11a7db73669ac153d41a2 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Sat, 26 Jul 2025 00:19:32 +0200 Subject: [PATCH 28/36] Don't incude auxiliary headers that have alternative versions When compiling with `MBEDTLS_PSA_CRYPTO_PLATFORM_FILE`, we must not include ``. Signed-off-by: Gilles Peskine --- scripts/generate_query_config.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index 49e363de5..99128ca7a 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -122,6 +122,7 @@ for my $root (@header_roots) { # Exclude some headers that are included by build_info.h and cannot # be included directly. push @header_files, grep {!m[ + ^psa/crypto_(platform|struct)\.h$ | # have alt versions, included by psa/crypto.h anyway ^mbedtls/platform_time\.h$ | # errors without time.h _config\.h | [/_]adjust[/_] From bb8bafa5e55952e4eaa2ae61d69aac5c59db872a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 26 Jul 2025 00:23:05 +0200 Subject: [PATCH 29/36] Pacify uncrustify Signed-off-by: Gilles Peskine --- scripts/data_files/query_config.fmt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt index c60458b61..603c7dd20 100644 --- a/scripts/data_files/query_config.fmt +++ b/scripts/data_files/query_config.fmt @@ -17,7 +17,9 @@ #include #endif +/* *INDENT-OFF* */ INCLUDE_HEADERS +/* *INDENT-ON* */ /* * Helper macros to convert a macro or its expansion into a string From 018e09872d728f291e32f03dd5fbe0a36ae25269 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Jul 2025 16:16:45 +0200 Subject: [PATCH 30/36] New source file for configuration checks This will be populated in subsequent commits. Signed-off-by: Gilles Peskine --- library/CMakeLists.txt | 1 + library/Makefile | 1 + library/mbedtls_config.c | 9 +++++++++ 3 files changed, 11 insertions(+) create mode 100644 library/mbedtls_config.c 
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 451dbfdb7..0875bb92d 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -1,5 +1,6 @@
 set(src_x509
 error.c
+ mbedtls_config.c
 pkcs7.c
 x509.c
 x509_create.c
diff --git a/library/Makefile b/library/Makefile
index a880f2617..f8729344b 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
 OBJS_X509= \
+ mbedtls_config.o \
 x509.o \
 x509_create.o \
 x509_crl.o \
diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c
new file mode 100644
index 000000000..692dce705
--- /dev/null
+++ b/library/mbedtls_config.c
@@ -0,0 +1,9 @@
+/*
+ * Mbed TLS configuration checks
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include
From ac637ac9f81c4218b8c2dfffec244e85915f9338 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 21:54:31 +0200 Subject: [PATCH 31/36] Make check_config.h private `check_config.h` only needs to run once on the configuration. It doesn't need to run every time an application is built. It used to be public up to Mbed TLS 2.x because it was included from `config.h`, and users could substitute that file completely and should still include `check_config.h` from their file. But since Mbed TLS 3.x, including `check_config.h` is a purely internal thing (done in `build_info.h`). So make the file itself purely internal. We don't need to include `check_config.h` when building every library file, just one: `mbedtls_config.c`, that's its job. Give the file a unique name, to avoid any clashes with TF-PSA-Crypto's `check_config.h`. 
Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 2 -- .../mbedtls/check_config.h => library/mbedtls_check_config.h | 0 library/mbedtls_config.c | 4 ++++ 3 files changed, 4 insertions(+), 2 deletions(-) rename include/mbedtls/check_config.h => library/mbedtls_check_config.h (100%) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 534f01658..c6e89db67 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -85,6 +85,4 @@ */ #define MBEDTLS_CONFIG_IS_FINALIZED -#include "mbedtls/check_config.h" - #endif /* MBEDTLS_BUILD_INFO_H */ diff --git a/include/mbedtls/check_config.h b/library/mbedtls_check_config.h similarity index 100% rename from include/mbedtls/check_config.h rename to library/mbedtls_check_config.h diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c index 692dce705..679f8e36f 100644 --- a/library/mbedtls_config.c +++ b/library/mbedtls_config.c @@ -7,3 +7,7 @@ */ #include + +/* Consistency checks in the configuration: check for incompatible options, + * missing options when at least one of a set needs to be enabled, etc. */ +#include "mbedtls_check_config.h" From 1819a915bccedd06783b333311a3fd43c5572b81 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 21:54:50 +0200 Subject: [PATCH 32/36] Include limits.h where needed This will be needed when TF-PSA-Crypto's `build_info.h` stops including `limits.h`, which it currently does by accident because it includes `check_config.h` which wants `limits.h` to check `CHAR_BIT`. Signed-off-by: Gilles Peskine --- library/x509.c | 1 + library/x509_create.c | 1 + library/x509_crt.c | 1 + programs/test/udp_proxy.c | 1 + tests/src/test_helpers/ssl_helpers.c | 2 ++ 5 files changed, 6 insertions(+) diff --git a/library/x509.c b/library/x509.c index f315821fd..03ca1b72e 100644 --- a/library/x509.c +++ b/library/x509.c @@ -24,6 +24,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include 
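Review bot: With `#include "mbedtls_check_config.h"` added only to `library/mbedtls_config.c`, and the corresponding include removed from `build_info.h` in the hunk above on this line, the configuration consistency checks are now evaluated once when the library is compiled rather than in every translation unit that includes `build_info.h`. If I read it right, an application compiled against the installed headers with a different `MBEDTLS_CONFIG_FILE` or user config than the library was built with will no longer hit these `#error` checks at its own compile time; the commit message accepts that trade-off, but the comment in the file should state it. I would extend the new comment with `/* These checks run only when this file is compiled; they are no longer evaluated in every translation unit that includes build_info.h. */` so the reduced coverage is visible at the point of use.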
diff --git a/library/x509_create.c b/library/x509_create.c index 17fc8fbeb..09ac69d00 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -14,6 +14,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include "mbedtls/platform.h" diff --git a/library/x509_crt.c b/library/x509_crt.c index 3947eb09a..7b65b698a 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -27,6 +27,7 @@ #include "x509_oid.h" #include "mbedtls/platform_util.h" +#include #include #if defined(MBEDTLS_PEM_PARSE_C) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 6e9ebf9a2..c80a3f59f 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -16,6 +16,7 @@ #include "mbedtls/build_info.h" +#include #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index faa79ffd9..1eca6e496 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -11,6 +11,8 @@ #include #include "mbedtls/psa_util.h" +#include + #if defined(MBEDTLS_SSL_TLS_C) int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len) { From aca3b5ec79d2cea605de2d8c28d0725e6acec6af Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 23:40:36 +0200 Subject: [PATCH 33/36] Update framework with unittest_config_checks.py Signed-off-by: Gilles Peskine --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index df3307f2b..87dbfb290 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit df3307f2b4fe512def60886024f7be8fd1523ccd +Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd From 01def64425c4a1477a2dcf08c473ca18abb293ce Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Apr 2025 18:30:47 +0200 Subject: [PATCH 34/36] Unit tests for check_config.h Ensure that `mbedtls_check_config.h` is taken into account. 
Signed-off-by: Gilles Peskine --- tests/scripts/components-basic-checks.sh | 3 ++ tests/scripts/test_config_checks.py | 63 ++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100755 tests/scripts/test_config_checks.py diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh index 85731a171..c7d816189 100644 --- a/tests/scripts/components-basic-checks.sh +++ b/tests/scripts/components-basic-checks.sh @@ -123,4 +123,7 @@ component_check_test_helpers () { msg "unit test: translate_ciphers.py" python3 -m unittest framework/scripts/translate_ciphers.py 2>&1 + + msg "unit test: generate_config_checks.py" + tests/scripts/test_config_checks.py 2>&1 } diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py new file mode 100755 index 000000000..540144923 --- /dev/null +++ b/tests/scripts/test_config_checks.py 
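Review bot: The new `msg "unit test: generate_config_checks.py"` label names a script that is not the one the next line runs, `tests/scripts/test_config_checks.py`, so the CI log will point at the wrong file when this step fails; `msg "unit test: test_config_checks.py"` matches. The sibling step above invokes its test via `python3 -m unittest ...`, whereas the new line executes the file directly and so depends on its executable bit and shebang surviving checkouts; `python3 tests/scripts/test_config_checks.py 2>&1` would be consistent with the existing style. The enclosing function `component_check_test_helpers` starts outside the hunk.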
@@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +"""Test the configuration checks generated by generate_config_checks.py. +""" + +## Copyright The Mbed TLS Contributors +## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import unittest + +import scripts_path # pylint: disable=unused-import +from mbedtls_framework import unittest_config_checks + + +class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): + """Mbed TLS unit tests for checks generated by config_checks_generator.""" + + #pylint: disable=invalid-name # uppercase letters make sense here + + PROJECT_CONFIG_C = 'library/mbedtls_config.c' + PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [ + 'tf-psa-crypto/include', + 'tf-psa-crypto/drivers/builtin/include', + ] + + @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.") + def test_crypto_no_fs_io(self) -> None: + """A sample error expected from crypto's check_config.h.""" + self.bad_case('#undef MBEDTLS_FS_IO', + None, + error=('MBEDTLS_PSA_ITS_FILE_C')) + + def test_mbedtls_no_session_tickets_for_early_data(self) -> None: + """An error expected from mbedtls_check_config.h based on the TLS configuration.""" + self.bad_case(None, + ''' + #define MBEDTLS_SSL_EARLY_DATA + #undef MBEDTLS_SSL_SESSION_TICKETS + ''', + error=('MBEDTLS_SSL_EARLY_DATA')) + + def test_mbedtls_no_ecdsa(self) -> None: + """An error expected from mbedtls_check_config.h based on crypto+TLS configuration.""" + self.bad_case(''' + #undef PSA_WANT_ALG_ECDSA + #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA + #undef MBEDTLS_ECDSA_C + ''', + ''' + #if defined(PSA_WANT_ALG_ECDSA) + #error PSA_WANT_ALG_ECDSA unexpected + #endif + #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA) + #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected + #endif + #if defined(MBEDTLS_ECDSA_C) + #error MBEDTLS_ECDSA_C unexpected + #endif + ''', + error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) + + +if __name__ == '__main__': + unittest.main() 
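Review bot: In `test_mbedtls_no_ecdsa`, the TLS-side snippet guards on `#if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)` (missing an "I") while the crypto snippet above it undefines `PSA_WANT_ALG_DETERMINISTIC_ECDSA`, so that guard tests a macro nobody defines and can never fire, leaving the "unexpected" assertion for deterministic ECDSA vacuous. Change the two lines to `#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)` and `#error PSA_WANT_ALG_DETERMINISTIC_ECDSA unexpected`. Separately, `error=('MBEDTLS_PSA_ITS_FILE_C')` in the skipped test is a parenthesised string rather than a one-element tuple; if `bad_case` treats `error` as a sequence this would be iterated per character, and if it expects a string the parentheses are misleading, so either drop them or write `('MBEDTLS_PSA_ITS_FILE_C',)` to match whichever the framework expects.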
From fff4b323242f0c2cad2be2de8ee23ab71a7bf066 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Jul 2025 23:44:07 +0200 Subject: [PATCH 35/36] Announce that no longer exists It was already deprecated since 3.0 (although we forgot to announce it in the changelog back then). Signed-off-by: Gilles Peskine --- ChangeLog.d/check_config.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/check_config.txt diff --git a/ChangeLog.d/check_config.txt b/ChangeLog.d/check_config.txt new file mode 100644 index 000000000..f9f44a4b8 --- /dev/null +++ b/ChangeLog.d/check_config.txt @@ -0,0 +1,5 @@ +Removals + * The header no longer exists. Including it + from a custom config file was no longer needed since Mbed TLS 3.0, + and could lead to spurious errors. The checks that it performed are + now done automatically when building the library. From cd1b7ffa705bbf4600e21205e2991f1655522457 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 29 Jul 2025 10:40:12 +0200 Subject: [PATCH 36/36] tests: x509write: replace MBEDTLS_ECDSA_DETERMINISTIC with PSA_WANT one Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509write.data | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 4dcd96722..3860076d2 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
@@ -47,7 +47,7 @@ depends_on:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server5 ECDSA, key_usage -depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256 x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0 Certificate Request check Server1, set_extension 
@@ -155,11 +155,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server5 ECDSA -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server5 ECDSA, Opaque -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server1 SHA1, SubjectAltNames 
@@ -337,4 +337,3 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F" OID from numeric string - OID with overflowing subidentifier oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:"" -