Merge remote-tracking branch 'development' into dependency-on-generated-files-dev

ChangeLog.d/check_config.txt

@@ -0,0 +1,5 @@
+Removals
+   * The header <mbedtls/check_config.h> no longer exists. Including it
+     from a custom config file was no longer needed since Mbed TLS 3.0,
+     and could lead to spurious errors. The checks that it performed are
+     now done automatically when building the library.

framework

@@ -1 +1 @@
-Subproject commit 893ad9e8450a8e7459679d952abd5d6df26c41c4
+Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd

include/mbedtls/build_info.h

@@ -85,6 +85,4 @@
  */
 #define MBEDTLS_CONFIG_IS_FINALIZED
 
-#include "mbedtls/check_config.h"
-
 #endif /* MBEDTLS_BUILD_INFO_H */

include/mbedtls/mbedtls_config.h

@@ -255,7 +255,7 @@
  *
  * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
  *           MBEDTLS_RSA_C
- *           MBEDTLS_PKCS1_V15
+ *           PSA_WANT_ALG_RSA_PKCS1V15_SIGN
  *           MBEDTLS_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
@@ -331,7 +331,7 @@
  * might still happen. For this reason, this is disabled by default.
  *
  * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE
- *           SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
+ *           PSA_WANT_ALG_SHA_256
  *           MBEDTLS_ECP_DP_SECP256R1_ENABLED
  *
  * This enables the following ciphersuites (if other requisites are
@@ -446,7 +446,7 @@
  * saved after the handshake to allow for more efficient serialization, so if
  * you don't need this feature you'll save RAM by disabling it.
  *
- * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
+ * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
  *
  * Comment to disable the context serialization APIs.
  */
@@ -824,7 +824,7 @@
  * Module:  library/ssl_ticket.c
  * Caller:
  *
- * Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
+ * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
  */
 #define MBEDTLS_SSL_TICKET_C
 
@@ -859,7 +859,7 @@
  *           MBEDTLS_X509_CRT_PARSE_C
  *           and at least one of:
  *               MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
- *               MBEDTLS_PKCS1_V21
+ *               PSA_WANT_ALG_RSA_PSS
  *
  * Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
  * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
@@ -903,7 +903,7 @@
  * Caller:  library/ssl*_client.c
  *          library/ssl*_server.c
  *
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
  *           and at least one of the MBEDTLS_SSL_PROTO_XXX defines
  *
  * This module is required for SSL/TLS.
@@ -1210,7 +1210,7 @@
  * Enable parsing and verification of X.509 certificates, CRLs and CSRS
  * signed with RSASSA-PSS (aka PKCS#1 v2.1).
  *
- * Requires: MBEDTLS_PKCS1_V21
+ * Requires: PSA_WANT_ALG_RSA_PSS
  *
  * Comment this macro to disallow using RSASSA-PSS in certificates.
  */

include/mbedtls/oid.h

@@ -11,6 +11,7 @@
 #define MBEDTLS_OID_H
 
 #include "mbedtls/build_info.h"
+#include "mbedtls/asn1.h"
 
 /*
  * Top level OID tuples

include/mbedtls/version.h

@@ -60,7 +60,7 @@ void mbedtls_version_get_string_full(char *string);
  *                  support", "Mbed TLS modules" and "Mbed TLS feature
  *                  support" in mbedtls_config.h
  *
- * \param feature   The string for the define to check (e.g. "MBEDTLS_AES_C")
+ * \param feature   The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C")
  *
  * \return          0 if the feature is present,
  *                  -1 if the feature is not present and

library/CMakeLists.txt

@@ -1,5 +1,6 @@
 set(src_x509
     error.c
+    mbedtls_config.c
     pkcs7.c
     x509.c
     x509_create.c

library/Makefile

@@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
 
 OBJS_X509= \
+	   mbedtls_config.o \
 	   x509.o \
 	   x509_create.o \
 	   x509_crl.o \

library/mbedtls_config.c

@@ -0,0 +1,13 @@
+/*
+ *  Mbed TLS configuration checks
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <mbedtls/build_info.h>
+
+/* Consistency checks in the configuration: check for incompatible options,
+ * missing options when at least one of a set needs to be enabled, etc. */
+#include "mbedtls_check_config.h"

library/ssl_misc.h

@@ -10,7 +10,7 @@
 #ifndef MBEDTLS_SSL_MISC_H
 #define MBEDTLS_SSL_MISC_H
 
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 #include "mbedtls/build_info.h"
 
 #include "mbedtls/error.h"
@@ -2376,7 +2376,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 #endif /* PSA_HAVE_ALG_SOME_ECDSA */
 
-#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_RSA_PSS)
 #if defined(PSA_WANT_ALG_SHA_256)
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
             break;
@@ -2389,7 +2389,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
             break;
 #endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
+#endif /* PSA_WANT_ALG_RSA_PSS */
         default:
             return 0;
     }
@@ -2401,7 +2401,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
     const uint16_t sig_alg)
 {
     switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V15)
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
 #if defined(PSA_WANT_ALG_SHA_256)
         case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
             break;
@@ -2414,7 +2414,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
         case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
             break;
 #endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V15 */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
         default:
             return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
                 sig_alg);
@@ -2455,7 +2455,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
     }
 
     switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_RSA_PSS)
 #if defined(PSA_WANT_ALG_SHA_256)
         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
             *md_alg = MBEDTLS_MD_SHA256;
@@ -2474,7 +2474,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
             *pk_type = MBEDTLS_PK_RSASSA_PSS;
             break;
 #endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
+#endif /* PSA_WANT_ALG_RSA_PSS */
         default:
             return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
     }

library/ssl_tls12_client.c

@@ -2082,8 +2082,7 @@ start_processing:
 
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
         if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
-            ret = mbedtls_pk_verify_ext(pk_alg, NULL,
+            ret = mbedtls_pk_verify_new(pk_alg, peer_pk,
-                                        peer_pk,
                                         md_alg, hash, hashlen,
                                         p, sig_len);
         } else

library/ssl_tls13_generic.c

@@ -300,13 +300,13 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
 
-    if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
+    if ((ret = mbedtls_pk_verify_new(sig_alg,
                                      &ssl->session_negotiate->peer_cert->pk,
                                      md_alg, verify_hash, verify_hash_len,
                                      p, signature_len)) == 0) {
         return 0;
     }
-    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
+    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret);
 
 error:
     /* RFC 8446 section 4.4.3

library/x509.c

@@ -24,6 +24,7 @@
 #include "mbedtls/oid.h"
 #include "x509_oid.h"
 
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 

library/x509_create.c

@@ -14,6 +14,7 @@
 #include "mbedtls/oid.h"
 #include "x509_oid.h"
 
+#include <limits.h>
 #include <string.h>
 
 #include "mbedtls/platform.h"

library/x509_crt.c

@@ -27,6 +27,7 @@
 #include "x509_oid.h"
 #include "mbedtls/platform_util.h"
 
+#include <limits.h>
 #include <string.h>
 
 #if defined(MBEDTLS_PEM_PARSE_C)
@@ -2060,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
             flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
         }
 
-        if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
+        if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk,
                                   crl_list->sig_md, hash, hash_length,
                                   crl_list->sig.p, crl_list->sig.len) != 0) {
             flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2134,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
     (void) rs_ctx;
 #endif
 
-    return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
+    return mbedtls_pk_verify_new(child->sig_pk, &parent->pk,
                                  child->sig_md, hash, hash_len,
                                  child->sig.p, child->sig.len);
 }

library/x509_internal.h

@@ -10,7 +10,7 @@
 #ifndef MBEDTLS_X509_INTERNAL_H
 #define MBEDTLS_X509_INTERNAL_H
 
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 #include "mbedtls/build_info.h"
 #include "mbedtls/private_access.h"
 

programs/fuzz/CMakeLists.txt

@@ -31,18 +31,19 @@ foreach(exe IN LISTS executables_no_common_c executables_with_common_c)
         $<TARGET_OBJECTS:mbedtls_test_helpers>
         $<TARGET_OBJECTS:mbedtls_test>)
     if(NOT FUZZINGENGINE_LIB)
-        list(APPEND exe_sources onefile.c)
+        list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_onefile.c)
     endif()
 
     # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
     list(FIND executables_with_common_c ${exe} exe_index)
     if(${exe_index} GREATER -1)
-        list(APPEND exe_sources common.c)
+        list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_common.c)
     endif()
 
     add_executable(${exe} ${exe_sources})
     set_base_compile_options(${exe})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include
+                                              ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/
                                               ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 
     if (NOT FUZZINGENGINE_LIB)

programs/fuzz/Makefile

@@ -3,7 +3,7 @@ MBEDTLS_TEST_PATH:=../../tests
 MBEDTLS_PATH := ../..
 include ../../scripts/common.make
 
-PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/programs/fuzz
+PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz
 
 DEP=${MBEDLIBS}
 
@@ -15,6 +15,8 @@ LOCAL_CFLAGS += -I$(PROGRAM_FUZZ_PATH)
 
 # A test application is built for each fuzz_*.c file.
 APPS = $(basename $(wildcard fuzz_*.c))
+APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_privkey.c)
+APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_pubkey.c)
 
 # Construct executable name by adding OS specific suffix $(EXEXT).
 BINARIES := $(addsuffix $(EXEXT),$(APPS))
@@ -32,13 +34,13 @@ C_FILES := $(addsuffix .c,$(APPS))
 
 
 ifdef FUZZINGENGINE
-$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(DEP)
+$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(DEP)
-	echo " $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
+	echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
-	$(CXX) $(PROGRAM_FUZZ_PATH)/common.o $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 else
-$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $(DEP)
+$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $(DEP)
-	echo " $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
+	echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
-	$(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 endif
 
 clean:

programs/fuzz/common.c

@@ -1,107 +0,0 @@
-#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-
-#include "common.h"
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "mbedtls/ctr_drbg.h"
-
-#if defined(MBEDTLS_PLATFORM_TIME_ALT)
-mbedtls_time_t dummy_constant_time(mbedtls_time_t *time)
-{
-    (void) time;
-    return 0x5af2a056;
-}
-#endif
-
-void dummy_init(void)
-{
-#if defined(MBEDTLS_PLATFORM_TIME_ALT)
-    mbedtls_platform_set_time(dummy_constant_time);
-#else
-    fprintf(stderr, "Warning: fuzzing without constant time\n");
-#endif
-}
-
-int dummy_send(void *ctx, const unsigned char *buf, size_t len)
-{
-    //silence warning about unused parameter
-    (void) ctx;
-    (void) buf;
-
-    //pretends we wrote everything ok
-    if (len > INT_MAX) {
-        return -1;
-    }
-    return (int) len;
-}
-
-int fuzz_recv(void *ctx, unsigned char *buf, size_t len)
-{
-    //reads from the buffer from fuzzer
-    fuzzBufferOffset_t *biomemfuzz = (fuzzBufferOffset_t *) ctx;
-
-    if (biomemfuzz->Offset == biomemfuzz->Size) {
-        //EOF
-        return 0;
-    }
-    if (len > INT_MAX) {
-        return -1;
-    }
-    if (len + biomemfuzz->Offset > biomemfuzz->Size) {
-        //do not overflow
-        len = biomemfuzz->Size - biomemfuzz->Offset;
-    }
-    memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
-    biomemfuzz->Offset += len;
-    return (int) len;
-}
-
-int dummy_random(void *p_rng, unsigned char *output, size_t output_len)
-{
-    int ret;
-    size_t i;
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-    //mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng
-    if (p_rng != NULL) {
-        //use mbedtls_ctr_drbg_random to find bugs in it
-        ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
-    } else {
-        //fall through to pseudo-random
-        ret = 0;
-    }
-#else
-    (void) p_rng;
-    ret = 0;
-#endif
-    for (i = 0; i < output_len; i++) {
-        //replace result with pseudo random
-        output[i] = (unsigned char) rand();
-    }
-    return ret;
-}
-
-int dummy_entropy(void *data, unsigned char *output, size_t len)
-{
-    size_t i;
-    (void) data;
-
-    //use mbedtls_entropy_func to find bugs in it
-    //test performance impact of entropy
-    //ret = mbedtls_entropy_func(data, output, len);
-    for (i = 0; i < len; i++) {
-        //replace result with pseudo random
-        output[i] = (unsigned char) rand();
-    }
-    return 0;
-}
-
-int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
-                      uint32_t timeout)
-{
-    (void) timeout;
-
-    return fuzz_recv(ctx, buf, len);
-}

programs/fuzz/common.h

@@ -1,28 +0,0 @@
-#include "mbedtls/build_info.h"
-
-#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
-#endif
-#include <stddef.h>
-#include <stdint.h>
-
-typedef struct fuzzBufferOffset {
-    const uint8_t *Data;
-    size_t Size;
-    size_t Offset;
-} fuzzBufferOffset_t;
-
-#if defined(MBEDTLS_HAVE_TIME)
-mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
-#endif
-void dummy_init(void);
-
-int dummy_send(void *ctx, const unsigned char *buf, size_t len);
-int fuzz_recv(void *ctx, unsigned char *buf, size_t len);
-int dummy_random(void *p_rng, unsigned char *output, size_t output_len);
-int dummy_entropy(void *data, unsigned char *output, size_t len);
-int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
-                      uint32_t timeout);
-
-/* Implemented in the fuzz_*.c sources and required by onefile.c */
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);

programs/fuzz/fuzz_client.c

@@ -4,7 +4,7 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 #include "test/certs.h"
-#include "common.h"
+#include "fuzz_common.h"
 #include <string.h>
 #include <stdlib.h>
 #include <stdint.h>

programs/fuzz/fuzz_dtlsclient.c

@@ -3,7 +3,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <stdint.h>
-#include "common.h"
+#include "fuzz_common.h"
 #include "mbedtls/ssl.h"
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 #include "mbedtls/entropy.h"

programs/fuzz/fuzz_dtlsserver.c

@@ -3,7 +3,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <stdint.h>
-#include "common.h"
+#include "fuzz_common.h"
 #include "mbedtls/ssl.h"
 #include "test/certs.h"
 #if defined(MBEDTLS_SSL_PROTO_DTLS)

programs/fuzz/fuzz_pkcs7.c

@@ -2,7 +2,7 @@
 
 #include <stdint.h>
 #include "mbedtls/pkcs7.h"
-#include "common.h"
+#include "fuzz_common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_server.c

@@ -5,7 +5,7 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/ssl_ticket.h"
 #include "test/certs.h"
-#include "common.h"
+#include "fuzz_common.h"
 #include <string.h>
 #include <stdlib.h>
 #include <stdint.h>

programs/fuzz/fuzz_x509crl.c

@@ -2,7 +2,7 @@
 
 #include <stdint.h>
 #include "mbedtls/x509_crl.h"
-#include "common.h"
+#include "fuzz_common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_x509crt.c

@@ -2,7 +2,7 @@
 
 #include <stdint.h>
 #include "mbedtls/x509_crt.h"
-#include "common.h"
+#include "fuzz_common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_x509csr.c

@@ -2,7 +2,7 @@
 
 #include <stdint.h>
 #include "mbedtls/x509_csr.h"
-#include "common.h"
+#include "fuzz_common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/onefile.c

@@ -1,70 +0,0 @@
-#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-
-#include <stdint.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include "common.h"
-
-/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway
- * in case it contains platform-specific #defines related to malloc or
- * stdio functions. */
-#include "mbedtls/build_info.h"
-
-int main(int argc, char **argv)
-{
-    FILE *fp;
-    uint8_t *Data;
-    size_t Size;
-    const char *argv0 = argv[0] == NULL ? "PROGRAM_NAME" : argv[0];
-
-    if (argc != 2) {
-        fprintf(stderr, "Usage: %s REPRODUCER_FILE\n", argv0);
-        return 1;
-    }
-    //opens the file, get its size, and reads it into a buffer
-    fp = fopen(argv[1], "rb");
-    if (fp == NULL) {
-        fprintf(stderr, "%s: Error in fopen\n", argv0);
-        perror(argv[1]);
-        return 2;
-    }
-    if (fseek(fp, 0L, SEEK_END) != 0) {
-        fprintf(stderr, "%s: Error in fseek(SEEK_END)\n", argv0);
-        perror(argv[1]);
-        fclose(fp);
-        return 2;
-    }
-    Size = ftell(fp);
-    if (Size == (size_t) -1) {
-        fprintf(stderr, "%s: Error in ftell\n", argv0);
-        perror(argv[1]);
-        fclose(fp);
-        return 2;
-    }
-    if (fseek(fp, 0L, SEEK_SET) != 0) {
-        fprintf(stderr, "%s: Error in fseek(0)\n", argv0);
-        perror(argv[1]);
-        fclose(fp);
-        return 2;
-    }
-    Data = malloc(Size);
-    if (Data == NULL) {
-        fprintf(stderr, "%s: Could not allocate memory\n", argv0);
-        perror(argv[1]);
-        fclose(fp);
-        return 2;
-    }
-    if (fread(Data, Size, 1, fp) != 1) {
-        fprintf(stderr, "%s: Error in fread\n", argv0);
-        perror(argv[1]);
-        free(Data);
-        fclose(fp);
-        return 2;
-    }
-
-    //launch fuzzer
-    LLVMFuzzerTestOneInput(Data, Size);
-    free(Data);
-    fclose(fp);
-    return 0;
-}

programs/ssl/ssl_test_lib.c

@@ -293,7 +293,7 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor
     }
     mbedtls_pk_free(pk);
     mbedtls_pk_init(pk);
-    ret = mbedtls_pk_setup_opaque(pk, *key_id);
+    ret = mbedtls_pk_wrap_psa(pk, *key_id);
     if (ret != 0) {
         return ret;
     }

programs/test/CMakeLists.txt

@@ -56,6 +56,7 @@ if(GEN_FILES)
                 ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h
                 ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt
                 ${CMAKE_CURRENT_BINARY_DIR}/query_config.c
+        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../..
         DEPENDS
             ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl
             ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h

programs/test/udp_proxy.c

@@ -16,6 +16,7 @@
 
 #include "mbedtls/build_info.h"
 
+#include <limits.h>
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else

scripts/data_files/error.fmt

@@ -5,7 +5,7 @@
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 
 #include "mbedtls/error.h"
 

scripts/data_files/query_config.fmt

@@ -1,4 +1,4 @@
-/*
+/* -*-c-*-
  *  Query Mbed TLS compile time configurations from mbedtls_config.h
  *
  *  Copyright The Mbed TLS Contributors
@@ -10,73 +10,17 @@
 #include "query_config.h"
 
 #include "mbedtls/platform.h"
-
-/*
- * Include all the headers with public APIs in case they define a macro to its
- * default value when that configuration is not set in mbedtls_config.h, or
- * for PSA_WANT macros, in case they're auto-defined based on mbedtls_config.h
- * rather than defined directly in crypto_config.h.
- */
-#include "psa/crypto.h"
-
-#include "mbedtls/aes.h"
-#include "mbedtls/aria.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/asn1write.h"
-#include "mbedtls/base64.h"
-#include "mbedtls/bignum.h"
-#include "mbedtls/camellia.h"
-#include "mbedtls/ccm.h"
-#include "mbedtls/chacha20.h"
-#include "mbedtls/chachapoly.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/cmac.h"
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/des.h"
-#include "mbedtls/ecdh.h"
-#include "mbedtls/ecdsa.h"
-#include "mbedtls/ecjpake.h"
-#include "mbedtls/ecp.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/error.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/hmac_drbg.h"
-#include "mbedtls/md.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/memory_buffer_alloc.h"
-#include "mbedtls/net_sockets.h"
-#include "mbedtls/nist_kw.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/pem.h"
-#include "mbedtls/pk.h"
-#include "mbedtls/pkcs12.h"
-#include "mbedtls/pkcs5.h"
-#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
-#endif
-#include "mbedtls/platform_util.h"
-#include "mbedtls/poly1305.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "mbedtls/ssl.h"
-#include "mbedtls/ssl_cache.h"
-#include "mbedtls/ssl_ciphersuites.h"
-#include "mbedtls/ssl_cookie.h"
-#include "mbedtls/ssl_ticket.h"
-#include "mbedtls/threading.h"
-#include "mbedtls/timing.h"
-#include "mbedtls/version.h"
-#include "mbedtls/x509.h"
-#include "mbedtls/x509_crl.h"
-#include "mbedtls/x509_crt.h"
-#include "mbedtls/x509_csr.h"
-
 #include <string.h>
 
+/* Work around https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/393 */
+#if defined(MBEDTLS_HAVE_TIME)
+#include <mbedtls/platform_time.h>
+#endif
+
+/* *INDENT-OFF* */
+INCLUDE_HEADERS
+/* *INDENT-ON* */
+
 /*
  * Helper macros to convert a macro or its expansion into a string
  * WARNING: This does not work for expanding function-like macros. However,

scripts/generate_query_config.pl

@@ -49,6 +49,8 @@ if( @ARGV ) {
           or die "No arguments supplied, must be run from project root or a first-level subdirectory\n";
     }
 }
+-f 'include/mbedtls/build_info.h'
+  or die "$0: must be run from project root, or from a first-level subdirectory with no arguments\n";
 
 # Excluded macros from the generated query_config.c. For example, macros that
 # have commas or function-like macros cannot be transformed into strings easily
@@ -100,6 +102,34 @@ EOT
     close(CONFIG_FILE);
 }
 
+# We need to include all the headers with public APIs in case they
+# define a macro to its default value when that configuration is not
+# set in a header included by build_info.h (crypto_config.h,
+# mbedtls_config.h, *adjust*.h). Some module-specific macros are set
+# in that module's header. For simplicity, include all headers, with
+# some ad hoc knowledge of headers that are included by other headers
+# and should not be included directly. We don't include internal headers
+# because those should not define configurable macros.
+my @header_files = ();
+my @header_roots = qw(
+                         include
+                         tf-psa-crypto/include
+                         tf-psa-crypto/drivers/builtin/include
+                    );
+for my $root (@header_roots) {
+    my @paths = glob "$root/*/*.h $root/*/*/*.h";
+    map {s!^\Q$root/!!} @paths;
+    # Exclude some headers that are included by build_info.h and cannot
+    # be included directly.
+    push @header_files, grep {!m[
+            ^psa/crypto_(platform|struct)\.h$ | # have alt versions, included by psa/crypto.h anyway
+            ^mbedtls/platform_time\.h$ | # errors without time.h
+            _config\.h |
+            [/_]adjust[/_]
+        ]x} @paths;
+}
+my $include_headers = join('', map {"#include <$_>\n"} @header_files);
+
 # Read the full format file into a string
 local $/;
 open(FORMAT_FILE, "<", $query_config_format_file) or die "Opening query config format file '$query_config_format_file': $!";
@@ -107,6 +137,7 @@ my $query_config_format = <FORMAT_FILE>;
 close(FORMAT_FILE);
 
 # Replace the body of the query_config() function with the code we just wrote
+$query_config_format =~ s/INCLUDE_HEADERS/$include_headers/g;
 $query_config_format =~ s/CHECK_CONFIG/$config_check/g;
 $query_config_format =~ s/LIST_CONFIG/$list_config/g;
 

tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c

@@ -12,13 +12,13 @@
  *  -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
  * None of those cover tf-psa-crypto/core, so we rely on the
  * “-I$(MBEDTLS_ROOT_PATH)/include” entry plus a parent-relative
- * include "../tf-psa-crypto/core/common.h" in order to pull in common.h here,
+ * include "../tf-psa-crypto/core/tf_psa_crypto_common.h" in order to pull in tf_psa_crypto_common.h here,
  * which in turn gets MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING (to silence the
  * new GCC-15 unterminated-string-initialization warning).
  * See GitHub issue #10223 for the proper long-term fix.
  * https://github.com/Mbed-TLS/mbedtls/issues/10223
  */
-#include "../tf-psa-crypto/core/common.h"
+#include "../tf-psa-crypto/core/tf_psa_crypto_common.h"
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>

tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c

@@ -4,7 +4,7 @@
  */
 
 #include "psa/crypto.h"
-#include "../tf-psa-crypto/core/common.h"
+#include "../tf-psa-crypto/core/tf_psa_crypto_common.h"
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>

tests/scripts/analyze_outcomes.py

@@ -327,10 +327,6 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference):
             'Low and high error',
             'Single low error'
         ],
-        # Similar to test_suite_error above.
-        'test_suite_version': [
-            'Check for MBEDTLS_AES_C when already present',
-        ],
         # The en/decryption part of PKCS#12 is not supported so far.
         # The rest of PKCS#12 (key derivation) works though.
         'test_suite_pkcs12': [
@@ -659,10 +655,6 @@ class DriverVSReference_block_cipher_dispatch(outcome_analysis.DriverVSReference
             'Single low error',
             'Low and high error',
         ],
-        'test_suite_version': [
-            # Similar to test_suite_error above.
-            'Check for MBEDTLS_AES_C when already present',
-        ],
         'test_suite_platform': [
             # Incompatible with sanitizers (e.g. ASan). If the driver
             # component uses a sanitizer but the reference component

tests/scripts/components-basic-checks.sh

@@ -123,4 +123,7 @@ component_check_test_helpers () {
 
     msg "unit test: translate_ciphers.py"
     python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
+
+    msg "unit test: generate_config_checks.py"
+    tests/scripts/test_config_checks.py 2>&1
 }

tests/scripts/components-configuration-crypto.sh

@@ -138,7 +138,6 @@ component_test_psa_crypto_without_heap() {
 
 component_test_no_rsa_key_pair_generation () {
     msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
-    scripts/config.py unset MBEDTLS_GENPRIME
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
     make
 
@@ -310,7 +309,6 @@ component_test_full_no_cipher () {
     msg "build: full no CIPHER"
 
     scripts/config.py full
-    scripts/config.py unset MBEDTLS_CIPHER_C
 
     # The built-in implementation of the following algs/key-types depends
     # on CIPHER_C so we disable them.
@@ -329,7 +327,6 @@ component_test_full_no_cipher () {
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
 
     # The following modules directly depends on CIPHER_C
-    scripts/config.py unset MBEDTLS_CMAC_C
     scripts/config.py unset MBEDTLS_NIST_KW_C
 
     make
@@ -479,7 +476,6 @@ component_test_crypto_for_psa_service () {
   scripts/config.py unset MBEDTLS_VERSION_FEATURES
   # Crypto stuff with no PSA interface
   scripts/config.py unset MBEDTLS_BASE64_C
-  # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
   scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
   # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
   scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -519,11 +515,6 @@ component_test_depends_py_cipher_chaining () {
     tests/scripts/depends.py cipher_chaining
 }
 
-component_test_depends_py_cipher_padding () {
-    msg "test/build: depends.py cipher_padding (gcc)"
-    tests/scripts/depends.py cipher_padding
-}
-
 component_test_depends_py_curves () {
     msg "test/build: depends.py curves (gcc)"
     tests/scripts/depends.py curves
@@ -1148,9 +1139,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
     # on BIGNUM_C.
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
-    scripts/config.py unset MBEDTLS_RSA_C
-    scripts/config.py unset MBEDTLS_PKCS1_V15
-    scripts/config.py unset MBEDTLS_PKCS1_V21
     scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
     # Also disable key exchanges that depend on RSA
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -1425,12 +1413,6 @@ config_psa_crypto_accel_rsa () {
     helper_libtestdriver1_adjust_config "crypto_full"
 
     if [ "$driver_only" -eq 1 ]; then
-        # Remove RSA support and its dependencies
-        scripts/config.py unset MBEDTLS_RSA_C
-        scripts/config.py unset MBEDTLS_PKCS1_V15
-        scripts/config.py unset MBEDTLS_PKCS1_V21
-        scripts/config.py unset MBEDTLS_GENPRIME
-
         # We need PEM parsing in the test library as well to support the import
         # of PEM encoded RSA keys.
         scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
@@ -1494,7 +1476,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () {
 # This is a temporary test to verify that full RSA support is present even when
 # only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
 component_test_new_psa_want_key_pair_symbol () {
-    msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
+    msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
 
     # Create a temporary output file unless there is already one set
     if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
@@ -1509,11 +1491,8 @@ component_test_new_psa_want_key_pair_symbol () {
     scripts/config.py crypto
 
     # Remove RSA support and its dependencies
-    scripts/config.py unset MBEDTLS_PKCS1_V15
-    scripts/config.py unset MBEDTLS_PKCS1_V21
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-    scripts/config.py unset MBEDTLS_RSA_C
     scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
 
     # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
@@ -1524,7 +1503,7 @@ component_test_new_psa_want_key_pair_symbol () {
 
     make
 
-    msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
+    msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
     make test
 
     # Parse only 1 relevant line from the outcome file, i.e. a test which is
@@ -1550,15 +1529,6 @@ component_test_psa_crypto_config_accel_hash () {
     # Start from default config (no USE_PSA)
     helper_libtestdriver1_adjust_config "default"
 
-    # Disable the things that are being accelerated
-    scripts/config.py unset MBEDTLS_MD5_C
-    scripts/config.py unset MBEDTLS_RIPEMD160_C
-    scripts/config.py unset MBEDTLS_SHA1_C
-    scripts/config.py unset MBEDTLS_SHA224_C
-    scripts/config.py unset MBEDTLS_SHA256_C
-    scripts/config.py unset MBEDTLS_SHA384_C
-    scripts/config.py unset MBEDTLS_SHA512_C
-
     # Build
     # -----
 
@@ -1588,14 +1558,7 @@ config_psa_crypto_hash_use_psa () {
     helper_libtestdriver1_adjust_config "full"
     if [ "$driver_only" -eq 1 ]; then
         # disable the built-in implementation of hashes
-        scripts/config.py unset MBEDTLS_MD5_C
-        scripts/config.py unset MBEDTLS_RIPEMD160_C
-        scripts/config.py unset MBEDTLS_SHA1_C
-        scripts/config.py unset MBEDTLS_SHA224_C
-        scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
         scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
-        scripts/config.py unset MBEDTLS_SHA384_C
-        scripts/config.py unset MBEDTLS_SHA512_C
         scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
     fi
 }
@@ -1676,11 +1639,9 @@ config_psa_crypto_hmac_use_psa () {
         # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
         # is still enabled though (for ENTROPY_C among others).
         scripts/config.py unset MBEDTLS_MD_C
-        # Disable also the builtin hashes since they are supported by the driver
+        # Also disable the configuration options that tune the builtin hashes,
-        # and MD module is able to perform PSA dispathing.
+        # since those hashes are disabled.
         scripts/config.py unset-all MBEDTLS_SHA
-        scripts/config.py unset MBEDTLS_MD5_C
-        scripts/config.py unset MBEDTLS_RIPEMD160_C
     fi
 
     # Direct dependencies of MD_C. We disable them also in the reference
@@ -1747,11 +1708,6 @@ component_test_psa_crypto_config_accel_aead () {
     # Start from full config
     helper_libtestdriver1_adjust_config "full"
 
-    # Disable things that are being accelerated
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-
     # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
 
@@ -1802,32 +1758,10 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () {
 
     common_psa_crypto_config_accel_cipher_aead_cmac
 
-    # Disable the things that are being accelerated
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
-    scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-    scripts/config.py unset MBEDTLS_CMAC_C
-    scripts/config.py unset MBEDTLS_DES_C
-    scripts/config.py unset MBEDTLS_AES_C
-    scripts/config.py unset MBEDTLS_ARIA_C
-    scripts/config.py unset MBEDTLS_CHACHA20_C
-    scripts/config.py unset MBEDTLS_CAMELLIA_C
-    scripts/config.py unset MBEDTLS_POLY1305_C
-
     # Disable DES, if it still exists.
     # This can be removed once we remove DES from the library.
     scripts/config.py unset PSA_WANT_KEY_TYPE_DES
 
-    # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
-    # does not depend on it.
-    scripts/config.py unset MBEDTLS_CIPHER_C
-
     # Build
     # -----
 
@@ -1887,14 +1821,6 @@ common_block_cipher_dispatch () {
     # Start from the full config
     helper_libtestdriver1_adjust_config "full"
 
-    if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
-        # Disable key types that are accelerated (there is no legacy equivalent
-        # symbol for ECB)
-        scripts/config.py unset MBEDTLS_AES_C
-        scripts/config.py unset MBEDTLS_ARIA_C
-        scripts/config.py unset MBEDTLS_CAMELLIA_C
-    fi
-
     # Disable cipher's modes that, when not accelerated, cause
     # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
     # Keep this also in the reference component in order to skip the same tests
@@ -1999,7 +1925,6 @@ component_test_full_block_cipher_legacy_dispatch () {
 component_test_aead_chachapoly_disabled () {
     msg "build: full minus CHACHAPOLY"
     scripts/config.py full
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
     make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
@@ -2010,8 +1935,6 @@ component_test_aead_chachapoly_disabled () {
 component_test_aead_only_ccm () {
     msg "build: full minus CHACHAPOLY and GCM"
     scripts/config.py full
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-    scripts/config.py unset MBEDTLS_GCM_C
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
     make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -2137,16 +2060,12 @@ component_build_aes_variations () {
     # manually set or unset those configurations to check
     # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
     scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
     scripts/config.py unset MBEDTLS_NIST_KW_C
 
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
-    # Note: The two unsets below are to be removed for Mbed TLS 4.0
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
-    scripts/config.py unset MBEDTLS_DES_C
 
     build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
         "MBEDTLS_AES_ROM_TABLES" \
@@ -2167,7 +2086,7 @@ END
         #define PSA_WANT_ALG_SHA3_256  1
         #define PSA_WANT_ALG_SHA3_384  1
         #define PSA_WANT_ALG_SHA3_512  1
-        #define MBEDTLS_AES_C
+        #define PSA_WANT_KEY_TYPE_AES  1
         #define MBEDTLS_CTR_DRBG_C
         #define MBEDTLS_ENTROPY_C
         #define MBEDTLS_PSA_CRYPTO_C
@@ -2350,7 +2269,6 @@ helper_block_cipher_no_decrypt_build_test () {
 # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
 config_block_cipher_no_decrypt () {
     scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
     scripts/config.py unset MBEDTLS_NIST_KW_C
 
     # Enable support for cryptographic mechanisms through the PSA API.
@@ -2359,9 +2277,6 @@ config_block_cipher_no_decrypt () {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
-    # Note: The two unsets below are to be removed for Mbed TLS 4.0
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
-    scripts/config.py unset MBEDTLS_DES_C
 }
 
 component_test_block_cipher_no_decrypt_aesni () {
@@ -2513,7 +2428,6 @@ component_build_psa_config_file () {
     # query_compile_time_config.
     echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
     echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
-    echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h
     make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
     not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC
 

tests/scripts/components-configuration-tls.sh

@@ -54,18 +54,11 @@ component_test_tls1_2_default_stream_cipher_only () {
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
-    # Note: The three unsets below are to be removed for Mbed TLS 4.0
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
-    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
-    # Note: The unset below is to be removed for 4.0
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -90,13 +83,9 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
-    # Note: The three unsets below are to be removed for Mbed TLS 4.0
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
+    # Enable CBC-legacy
     scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -123,13 +112,9 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
-    # Note: The three unsets below are to be removed for Mbed TLS 4.0
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
+    # Enable CBC-legacy
     scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
     # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -399,8 +384,6 @@ component_test_when_no_ciphersuites_have_mac () {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
 
     scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
-    scripts/config.py unset MBEDTLS_CMAC_C
 
     make
 
@@ -472,7 +455,6 @@ component_test_tls13_only_psk () {
     # Note: The four unsets below are to be removed for Mbed TLS 4.0
     scripts/config.py unset MBEDTLS_ECDH_C
     scripts/config.py unset MBEDTLS_ECDSA_C
-    scripts/config.py unset MBEDTLS_PKCS1_V21
 
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
@@ -536,7 +518,6 @@ component_test_tls13_only_psk_ephemeral () {
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
     # Note: The two unsets below are to be removed for Mbed TLS 4.0
     scripts/config.py unset MBEDTLS_ECDSA_C
-    scripts/config.py unset MBEDTLS_PKCS1_V21
 
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
@@ -566,7 +547,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
     # Note: The three unsets below are to be removed for Mbed TLS 4.0
     scripts/config.py unset MBEDTLS_ECDH_C
     scripts/config.py unset MBEDTLS_ECDSA_C
-    scripts/config.py unset MBEDTLS_PKCS1_V21
 
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
@@ -593,7 +573,6 @@ component_test_tls13_only_psk_all () {
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
     # Note: The two unsets below are to be removed for Mbed TLS 4.0
     scripts/config.py unset MBEDTLS_ECDSA_C
-    scripts/config.py unset MBEDTLS_PKCS1_V21
 
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 

tests/scripts/depends.py

@@ -30,11 +30,11 @@ The configuration building method can be one of the three following:
   direct dependencies, but rather non-trivial results of other configs missing. Then
   look for any unset symbols and handle their reverse dependencies.
   Examples of EXCLUSIVE_GROUPS usage:
-  - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
+  - PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
     requires either SHA256 or SHA384 to work, so it also has to be disabled.
-    This is not a dependency on SHA512_C, but a result of an exclusive domain
+    This is not a dependency on SHA512, but a result of an exclusive domain
     config building method. Relevant field:
-    'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'],
+    'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'],
 
 - DualDomain - combination of the two above - both complementary and exclusive domain
   job generation code will be run. Currently only used for hashes.
@@ -251,34 +251,11 @@ and subsequent commands are tests that cannot run if the build failed).'''
 REVERSE_DEPENDENCIES = {
     'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
                               'MBEDTLS_CTR_DRBG_C',
-                              'MBEDTLS_NIST_KW_C',
+                              'MBEDTLS_NIST_KW_C'],
-                              'MBEDTLS_AES_C'],
-    'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'],
-    'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'],
     'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305',
-                                   'PSA_WANT_ALG_STREAM_CIPHER',
+                                   'PSA_WANT_ALG_STREAM_CIPHER'],
-                                   'MBEDTLS_CHACHA20_C',
+    'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
-                                   'MBEDTLS_CHACHAPOLY_C'],
+    'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
-    'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'],
-    'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG',
-                         'MBEDTLS_CCM_C'],
-    'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
-                          'MBEDTLS_CMAC_C'],
-    'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'],
-
-    'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'],
-    'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'],
-    'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'],
-    'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'],
-    'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'],
-    'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'],
-
-    'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C',
-                                     'MBEDTLS_PKCS12_C',
-                                     'PSA_WANT_ALG_CBC_PKCS7'],
-    'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
-    'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
-    'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'],
 
     'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
     'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
@@ -319,11 +296,9 @@ REVERSE_DEPENDENCIES = {
     'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C',
                            'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
     'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS',
-                              'MBEDTLS_X509_RSASSA_PSS_SUPPORT',
+                              'MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
-                              'MBEDTLS_PKCS1_V21'],
     'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN',
-                                        'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
+                                        'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],
-                                        'MBEDTLS_PKCS1_V15'],
     'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [
         'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
         'PSA_WANT_ALG_RSA_OAEP',
@@ -331,29 +306,21 @@ REVERSE_DEPENDENCIES = {
         'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
         'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
         'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
-        'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
+        'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
-        'MBEDTLS_RSA_C'],
 
-    'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'],
-    'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'],
-    'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'],
     'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
                              'MBEDTLS_ENTROPY_FORCE_SHA256',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
-                             'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
+                             'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
-                             'MBEDTLS_SHA224_C'],
     'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
                              'MBEDTLS_ENTROPY_FORCE_SHA256',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
                              'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
                              'MBEDTLS_LMS_C',
                              'MBEDTLS_LMS_PRIVATE',
-                             'MBEDTLS_SHA256_C',
                              'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'],
-    'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'],
     'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
-                             'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
+                             'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'],
-                             'MBEDTLS_SHA512_C'],
     'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'],
 }
 
@@ -531,9 +498,6 @@ class DomainData:
         # Get cipher modes
         cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs}
 
-        # Find block padding mode enabling macros by name.
-        cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z')
-
         self.domains = {
             # Cipher key types
             'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test),
@@ -544,9 +508,6 @@ class DomainData:
                                                build_and_test,
                                                exclude=r'PSA_WANT_ALG_XTS'),
 
-            'cipher_padding': ExclusiveDomain(cipher_padding_symbols,
-                                              build_and_test),
-
             # Elliptic curves. Run the test suites.
             'curves': ExclusiveDomain(curve_symbols, build_and_test),
 
@@ -639,8 +600,8 @@ def main():
             description=
             "Test Mbed TLS with a subset of algorithms.\n\n"
             "Example usage:\n"
-            r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n"
+            r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n"
-            "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n"
+            "./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n"
             "./tests/scripts/depends.py cipher_id cipher_chaining\n")
         parser.add_argument('--color', metavar='WHEN',
                             help='Colorize the output (always/auto/never)',

tests/scripts/test_config_checks.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+"""Test the configuration checks generated by generate_config_checks.py.
+"""
+
+## Copyright The Mbed TLS Contributors
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import unittest
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_framework import unittest_config_checks
+
+
+class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
+    """Mbed TLS unit tests for checks generated by config_checks_generator."""
+
+    #pylint: disable=invalid-name # uppercase letters make sense here
+
+    PROJECT_CONFIG_C = 'library/mbedtls_config.c'
+    PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [
+        'tf-psa-crypto/include',
+        'tf-psa-crypto/drivers/builtin/include',
+    ]
+
+    @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.")
+    def test_crypto_no_fs_io(self) -> None:
+        """A sample error expected from crypto's check_config.h."""
+        self.bad_case('#undef MBEDTLS_FS_IO',
+                      None,
+                      error=('MBEDTLS_PSA_ITS_FILE_C'))
+
+    def test_mbedtls_no_session_tickets_for_early_data(self) -> None:
+        """An error expected from mbedtls_check_config.h based on the TLS configuration."""
+        self.bad_case(None,
+                      '''
+                      #define MBEDTLS_SSL_EARLY_DATA
+                      #undef MBEDTLS_SSL_SESSION_TICKETS
+                      ''',
+                      error=('MBEDTLS_SSL_EARLY_DATA'))
+
+    def test_mbedtls_no_ecdsa(self) -> None:
+        """An error expected from mbedtls_check_config.h based on crypto+TLS configuration."""
+        self.bad_case('''
+                      #undef PSA_WANT_ALG_ECDSA
+                      #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA
+                      #undef MBEDTLS_ECDSA_C
+                      ''',
+                      '''
+                      #if defined(PSA_WANT_ALG_ECDSA)
+                      #error PSA_WANT_ALG_ECDSA unexpected
+                      #endif
+                      #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)
+                      #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected
+                      #endif
+                      #if defined(MBEDTLS_ECDSA_C)
+                      #error MBEDTLS_ECDSA_C unexpected
+                      #endif
+                      ''',
+                      error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
+
+
+if __name__ == '__main__':
+    unittest.main()

tests/scripts/test_config_script.py

@@ -130,7 +130,7 @@ def run_one(options, args, stem_prefix='', input_file=None):
 ### config.py stops handling that case correctly.
 TEST_SYMBOLS = [
     'CUSTOM_SYMBOL', # does not exist
-    'MBEDTLS_AES_C', # set, no value
+    'PSA_WANT_KEY_TYPE_AES', # set, no value
     'MBEDTLS_MPI_MAX_SIZE', # unset, has a value
     'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support"
     'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options"

tests/src/certs.c

@@ -5,7 +5,7 @@
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
-#include "common.h"
+#include "tf_psa_crypto_common.h"
 
 #include <test/certs.h>
 

tests/src/test_helpers/ssl_helpers.c

@@ -11,6 +11,8 @@
 #include <test/ssl_helpers.h>
 #include "mbedtls/psa_util.h"
 
+#include <limits.h>
+
 #if defined(MBEDTLS_SSL_TLS_C)
 int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
 {
@@ -772,7 +774,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
         TEST_EQUAL(mbedtls_pk_import_into_psa(ep->pkey, &key_attr, &key_slot), 0);
         mbedtls_pk_free(ep->pkey);
         mbedtls_pk_init(ep->pkey);
-        TEST_EQUAL(mbedtls_pk_setup_opaque(ep->pkey, key_slot), 0);
+        TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0);
     }
 #else
     (void) opaque_alg;

tests/suites/test_suite_x509write.data

@@ -47,7 +47,7 @@ depends_on:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
 
 Certificate Request check Server5 ECDSA, key_usage
-depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256
 x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
 
 Certificate Request check Server1, set_extension
@@ -155,11 +155,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0
 
 Certificate write check Server5 ECDSA
-depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0
 
 Certificate write check Server5 ECDSA, Opaque
-depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
+depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0
 
 Certificate write check Server1 SHA1, SubjectAltNames
@@ -337,4 +337,3 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F"
 
 OID from numeric string - OID with overflowing subidentifier
 oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:""
-

tests/suites/test_suite_x509write.function

@@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
         goto cleanup;
     }
 
-    if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk,
+    if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk,
                               csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
                               csr.sig.p, csr.sig.len) != 0) {
         ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
@@ -286,7 +286,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
     TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
     mbedtls_pk_free(&key);
     mbedtls_pk_init(&key);
-    TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
+    TEST_EQUAL(mbedtls_pk_wrap_psa(&key, key_id), 0);
 
     mbedtls_x509write_csr_set_md_alg(&req, md_type);
     mbedtls_x509write_csr_set_key(&req, &key);
@@ -417,7 +417,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
         TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
         mbedtls_pk_free(&issuer_key);
         mbedtls_pk_init(&issuer_key);
-        TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
+        TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0);
     }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 

tf-psa-crypto

@@ -1 +1 @@
-Subproject commit b1c98ebee82c1056cec0f64e24f1b780a5889a0d
+Subproject commit 19edaa785dd71ec8f0c9f72235243314c3d895fa