1#! /usr/bin/env bash 2 3# all.sh 4# 5# Copyright The Mbed TLS Contributors 6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 7 8 9 10################################################################ 11#### Documentation 12################################################################ 13 14# Purpose 15# ------- 16# 17# To run all tests possible or available on the platform. 18# 19# Notes for users 20# --------------- 21# 22# Warning: the test is destructive. It includes various build modes and 23# configurations, and can and will arbitrarily change the current CMake 24# configuration. The following files must be committed into git: 25# * include/mbedtls/mbedtls_config.h 26# * Makefile, library/Makefile, programs/Makefile, tests/Makefile, 27# programs/fuzz/Makefile 28# After running this script, the CMake cache will be lost and CMake 29# will no longer be initialised. 30# 31# The script assumes the presence of a number of tools: 32# * Basic Unix tools (Windows users note: a Unix-style find must be before 33# the Windows find in the PATH) 34# * Perl 35# * GNU Make 36# * CMake 37# * GCC and Clang (recent enough for using ASan with gcc and MemSan with clang, or valgrind) 38# * G++ 39# * arm-gcc and mingw-gcc 40# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc 41# * OpenSSL and GnuTLS command line tools, recent enough for the 42# interoperability tests. If they don't support old features which we want 43# to test, then a legacy version of these tools must be present as well 44# (search for LEGACY below). 45# See the invocation of check_tools below for details. 46# 47# This script must be invoked from the toplevel directory of a git 48# working copy of Mbed TLS. 49# 50# The behavior on an error depends on whether --keep-going (alias -k) 51# is in effect. 52# * Without --keep-going: the script stops on the first error without 53# cleaning up. This lets you work in the configuration of the failing 54# component. 55# * With --keep-going: the script runs all requested components and 56# reports failures at the end. In particular the script always cleans 57# up on exit. 58# 59# Note that the output is not saved. You may want to run 60# script -c tests/scripts/all.sh 61# or 62# tests/scripts/all.sh >all.log 2>&1 63# 64# Notes for maintainers 65# --------------------- 66# 67# The bulk of the code is organized into functions that follow one of the 68# following naming conventions: 69# * pre_XXX: things to do before running the tests, in order. 70# * component_XXX: independent components. They can be run in any order. 71# * component_check_XXX: quick tests that aren't worth parallelizing. 72# * component_build_XXX: build things but don't run them. 73# * component_test_XXX: build and test. 74# * support_XXX: if support_XXX exists and returns false then 75# component_XXX is not run by default. 76# * post_XXX: things to do after running the tests. 77# * other: miscellaneous support functions. 78# 79# Each component must start by invoking `msg` with a short informative message. 80# 81# Warning: due to the way bash detects errors, the failure of a command 82# inside 'if' or '!' is not detected. Use the 'not' function instead of '!'. 83# 84# Each component is executed in a separate shell process. The component 85# fails if any command in it returns a non-zero status. 86# 87# The framework performs some cleanup tasks after each component. This 88# means that components can assume that the working directory is in a 89# cleaned-up state, and don't need to perform the cleanup themselves. 90# * Run `make clean`. 91# * Restore `include/mbedtls/mbedtls_config.h` from a backup made before running 92# the component. 93# * Check out `Makefile`, `library/Makefile`, `programs/Makefile`, 94# `tests/Makefile` and `programs/fuzz/Makefile` from git. 95# This cleans up after an in-tree use of CMake. 96# 97# The tests are roughly in order from fastest to slowest. This doesn't 98# have to be exact, but in general you should add slower tests towards 99# the end and fast checks near the beginning. 100 101 102 103################################################################ 104#### Initialization and command line parsing 105################################################################ 106 107# Abort on errors (even on the left-hand side of a pipe). 108# Treat uninitialised variables as errors. 109set -e -o pipefail -u 110 111# Enable ksh/bash extended file matching patterns 112shopt -s extglob 113 114in_mbedtls_repo () { 115 test -d include -a -d library -a -d programs -a -d tests 116} 117 118in_psa_crypto_repo () { 119 test -d include -a -d core -a -d drivers -a -d programs -a -d tests 120} 121 122pre_check_environment () { 123 if in_mbedtls_repo || in_psa_crypto_repo; then :; else 124 echo "Must be run from Mbed TLS / psa-crypto root" >&2 125 exit 1 126 fi 127} 128 129pre_initialize_variables () { 130 if in_mbedtls_repo; then 131 CONFIG_H='include/mbedtls/mbedtls_config.h' 132 else 133 CONFIG_H='drivers/builtin/include/mbedtls/mbedtls_config.h' 134 fi 135 CRYPTO_CONFIG_H='include/psa/crypto_config.h' 136 CONFIG_TEST_DRIVER_H='tests/include/test/drivers/config_test_driver.h' 137 138 # Files that are clobbered by some jobs will be backed up. Use a different 139 # suffix from auxiliary scripts so that all.sh and auxiliary scripts can 140 # independently decide when to remove the backup file. 141 backup_suffix='.all.bak' 142 # Files clobbered by config.py 143 files_to_back_up="$CONFIG_H $CRYPTO_CONFIG_H $CONFIG_TEST_DRIVER_H" 144 if in_mbedtls_repo; then 145 # Files clobbered by in-tree cmake 146 files_to_back_up="$files_to_back_up Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile" 147 fi 148 149 append_outcome=0 150 MEMORY=0 151 FORCE=0 152 QUIET=0 153 KEEP_GOING=0 154 155 # Seed value used with the --release-test option. 156 # 157 # See also RELEASE_SEED in basic-build-test.sh. Debugging is easier if 158 # both values are kept in sync. If you change the value here because it 159 # breaks some tests, you'll definitely want to change it in 160 # basic-build-test.sh as well. 161 RELEASE_SEED=1 162 163 : ${MBEDTLS_TEST_OUTCOME_FILE=} 164 : ${MBEDTLS_TEST_PLATFORM="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"} 165 export MBEDTLS_TEST_OUTCOME_FILE 166 export MBEDTLS_TEST_PLATFORM 167 168 # Default commands, can be overridden by the environment 169 : ${OPENSSL:="openssl"} 170 : ${OPENSSL_LEGACY:="$OPENSSL"} 171 : ${OPENSSL_NEXT:="$OPENSSL"} 172 : ${GNUTLS_CLI:="gnutls-cli"} 173 : ${GNUTLS_SERV:="gnutls-serv"} 174 : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"} 175 : ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"} 176 : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build} 177 : ${ARMC5_BIN_DIR:=/usr/bin} 178 : ${ARMC6_BIN_DIR:=/usr/bin} 179 : ${ARM_NONE_EABI_GCC_PREFIX:=arm-none-eabi-} 180 : ${ARM_LINUX_GNUEABI_GCC_PREFIX:=arm-linux-gnueabi-} 181 : ${CLANG_LATEST:="clang-latest"} 182 : ${CLANG_EARLIEST:="clang-earliest"} 183 : ${GCC_LATEST:="gcc-latest"} 184 : ${GCC_EARLIEST:="gcc-earliest"} 185 # if MAKEFLAGS is not set add the -j option to speed up invocations of make 186 if [ -z "${MAKEFLAGS+set}" ]; then 187 export MAKEFLAGS="-j$(all_sh_nproc)" 188 fi 189 190 # Include more verbose output for failing tests run by CMake or make 191 export CTEST_OUTPUT_ON_FAILURE=1 192 193 # CFLAGS and LDFLAGS for Asan builds that don't use CMake 194 # default to -O2, use -Ox _after_ this if you want another level 195 ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' 196 197 # Platform tests have an allocation that returns null 198 export ASAN_OPTIONS="allocator_may_return_null=1" 199 export MSAN_OPTIONS="allocator_may_return_null=1" 200 201 # Gather the list of available components. These are the functions 202 # defined in this script whose name starts with "component_". 203 ALL_COMPONENTS=$(compgen -A function component_ | sed 's/component_//') 204 205 # Exclude components that are not supported on this platform. 206 SUPPORTED_COMPONENTS= 207 for component in $ALL_COMPONENTS; do 208 case $(type "support_$component" 2>&1) in 209 *' function'*) 210 if ! support_$component; then continue; fi;; 211 esac 212 SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component" 213 done 214} 215 216# Test whether the component $1 is included in the command line patterns. 217is_component_included() 218{ 219 # Temporarily disable wildcard expansion so that $COMMAND_LINE_COMPONENTS 220 # only does word splitting. 221 set -f 222 for pattern in $COMMAND_LINE_COMPONENTS; do 223 set +f 224 case ${1#component_} in $pattern) return 0;; esac 225 done 226 set +f 227 return 1 228} 229 230usage() 231{ 232 cat <<EOF 233Usage: $0 [OPTION]... [COMPONENT]... 234Run mbedtls release validation tests. 235By default, run all tests. With one or more COMPONENT, run only those. 236COMPONENT can be the name of a component or a shell wildcard pattern. 237 238Examples: 239 $0 "check_*" 240 Run all sanity checks. 241 $0 --no-armcc --except test_memsan 242 Run everything except builds that require armcc and MemSan. 243 244Special options: 245 -h|--help Print this help and exit. 246 --list-all-components List all available test components and exit. 247 --list-components List components supported on this platform and exit. 248 249General options: 250 -q|--quiet Only output component names, and errors if any. 251 -f|--force Force the tests to overwrite any modified files. 252 -k|--keep-going Run all tests and report errors at the end. 253 -m|--memory Additional optional memory tests. 254 --append-outcome Append to the outcome file (if used). 255 --arm-none-eabi-gcc-prefix=<string> 256 Prefix for a cross-compiler for arm-none-eabi 257 (default: "${ARM_NONE_EABI_GCC_PREFIX}") 258 --arm-linux-gnueabi-gcc-prefix=<string> 259 Prefix for a cross-compiler for arm-linux-gnueabi 260 (default: "${ARM_LINUX_GNUEABI_GCC_PREFIX}") 261 --armcc Run ARM Compiler builds (on by default). 262 --restore First clean up the build tree, restoring backed up 263 files. Do not run any components unless they are 264 explicitly specified. 265 --error-test Error test mode: run a failing function in addition 266 to any specified component. May be repeated. 267 --except Exclude the COMPONENTs listed on the command line, 268 instead of running only those. 269 --no-append-outcome Write a new outcome file and analyze it (default). 270 --no-armcc Skip ARM Compiler builds. 271 --no-force Refuse to overwrite modified files (default). 272 --no-keep-going Stop at the first error (default). 273 --no-memory No additional memory tests (default). 274 --no-quiet Print full output from components. 275 --out-of-source-dir=<path> Directory used for CMake out-of-source build tests. 276 --outcome-file=<path> File where test outcomes are written (not done if 277 empty; default: \$MBEDTLS_TEST_OUTCOME_FILE). 278 --random-seed Use a random seed value for randomized tests (default). 279 -r|--release-test Run this script in release mode. This fixes the seed value to ${RELEASE_SEED}. 280 -s|--seed Integer seed value to use for this test run. 281 282Tool path options: 283 --armc5-bin-dir=<ARMC5_bin_dir_path> ARM Compiler 5 bin directory. 284 --armc6-bin-dir=<ARMC6_bin_dir_path> ARM Compiler 6 bin directory. 285 --clang-earliest=<Clang_earliest_path> Earliest version of clang available 286 --clang-latest=<Clang_latest_path> Latest version of clang available 287 --gcc-earliest=<GCC_earliest_path> Earliest version of GCC available 288 --gcc-latest=<GCC_latest_path> Latest version of GCC available 289 --gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests. 290 --gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests. 291 --gnutls-legacy-cli=<GnuTLS_cli_path> GnuTLS client executable to use for legacy tests. 292 --gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests. 293 --openssl=<OpenSSL_path> OpenSSL executable to use for most tests. 294 --openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests.. 295 --openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA 296EOF 297} 298 299# Cleanup before/after running a component. 300# Remove built files as well as the cmake cache/config. 301# Does not remove generated source files. 302cleanup() 303{ 304 if in_mbedtls_repo; then 305 command make clean 306 fi 307 308 # Remove CMake artefacts 309 find . -name .git -prune -o \ 310 -iname CMakeFiles -exec rm -rf {} \+ -o \ 311 \( -iname cmake_install.cmake -o \ 312 -iname CTestTestfile.cmake -o \ 313 -iname CMakeCache.txt -o \ 314 -path './cmake/*.cmake' \) -exec rm -f {} \+ 315 # Recover files overwritten by in-tree CMake builds 316 rm -f include/Makefile include/mbedtls/Makefile programs/!(fuzz)/Makefile 317 318 # Remove any artifacts from the component_test_cmake_as_subdirectory test. 319 rm -rf programs/test/cmake_subproject/build 320 rm -f programs/test/cmake_subproject/Makefile 321 rm -f programs/test/cmake_subproject/cmake_subproject 322 323 # Remove any artifacts from the component_test_cmake_as_package test. 324 rm -rf programs/test/cmake_package/build 325 rm -f programs/test/cmake_package/Makefile 326 rm -f programs/test/cmake_package/cmake_package 327 328 # Remove any artifacts from the component_test_cmake_as_installed_package test. 329 rm -rf programs/test/cmake_package_install/build 330 rm -f programs/test/cmake_package_install/Makefile 331 rm -f programs/test/cmake_package_install/cmake_package_install 332 333 # Restore files that may have been clobbered by the job 334 for x in $files_to_back_up; do 335 if [[ -e "$x$backup_suffix" ]]; then 336 cp -p "$x$backup_suffix" "$x" 337 fi 338 done 339} 340 341# Final cleanup when this script exits (except when exiting on a failure 342# in non-keep-going mode). 343final_cleanup () { 344 cleanup 345 346 for x in $files_to_back_up; do 347 rm -f "$x$backup_suffix" 348 done 349} 350 351# Executed on exit. May be redefined depending on command line options. 352final_report () { 353 : 354} 355 356fatal_signal () { 357 final_cleanup 358 final_report $1 359 trap - $1 360 kill -$1 $$ 361} 362 363trap 'fatal_signal HUP' HUP 364trap 'fatal_signal INT' INT 365trap 'fatal_signal TERM' TERM 366 367# Number of processors on this machine. Used as the default setting 368# for parallel make. 369all_sh_nproc () 370{ 371 { 372 nproc || # Linux 373 sysctl -n hw.ncpuonline || # NetBSD, OpenBSD 374 sysctl -n hw.ncpu || # FreeBSD 375 echo 1 376 } 2>/dev/null 377} 378 379msg() 380{ 381 if [ -n "${current_component:-}" ]; then 382 current_section="${current_component#component_}: $1" 383 else 384 current_section="$1" 385 fi 386 387 if [ $QUIET -eq 1 ]; then 388 return 389 fi 390 391 echo "" 392 echo "******************************************************************" 393 echo "* $current_section " 394 printf "* "; date 395 echo "******************************************************************" 396} 397 398armc6_build_test() 399{ 400 FLAGS="$1" 401 402 msg "build: ARM Compiler 6 ($FLAGS)" 403 ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \ 404 WARNING_CFLAGS='-Werror -xc -std=c99' make lib 405 406 msg "size: ARM Compiler 6 ($FLAGS)" 407 "$ARMC6_FROMELF" -z library/*.o 408 409 make clean 410} 411 412err_msg() 413{ 414 echo "$1" >&2 415} 416 417check_tools() 418{ 419 for tool in "$@"; do 420 if ! `type "$tool" >/dev/null 2>&1`; then 421 err_msg "$tool not found!" 422 exit 1 423 fi 424 done 425} 426 427pre_parse_command_line_for_dirs () { 428 # Make an early pass through the options given, so we can set directories 429 # for Arm compilers, before SUPPORTED_COMPONENTS is determined. 430 while [ $# -gt 0 ]; do 431 case "$1" in 432 --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";; 433 --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";; 434 esac 435 shift 436 done 437} 438 439pre_parse_command_line () { 440 COMMAND_LINE_COMPONENTS= 441 all_except=0 442 error_test=0 443 restore_first=0 444 no_armcc= 445 446 # Note that legacy options are ignored instead of being omitted from this 447 # list of options, so invocations that worked with previous version of 448 # all.sh will still run and work properly. 449 while [ $# -gt 0 ]; do 450 case "$1" in 451 --append-outcome) append_outcome=1;; 452 --arm-none-eabi-gcc-prefix) shift; ARM_NONE_EABI_GCC_PREFIX="$1";; 453 --arm-linux-gnueabi-gcc-prefix) shift; ARM_LINUX_GNUEABI_GCC_PREFIX="$1";; 454 --armcc) no_armcc=;; 455 --armc5-bin-dir) shift; ;; # assignment to ARMC5_BIN_DIR done in pre_parse_command_line_for_dirs 456 --armc6-bin-dir) shift; ;; # assignment to ARMC6_BIN_DIR done in pre_parse_command_line_for_dirs 457 --clang-earliest) shift; CLANG_EARLIEST="$1";; 458 --clang-latest) shift; CLANG_LATEST="$1";; 459 --error-test) error_test=$((error_test + 1));; 460 --except) all_except=1;; 461 --force|-f) FORCE=1;; 462 --gcc-earliest) shift; GCC_EARLIEST="$1";; 463 --gcc-latest) shift; GCC_LATEST="$1";; 464 --gnutls-cli) shift; GNUTLS_CLI="$1";; 465 --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";; 466 --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";; 467 --gnutls-serv) shift; GNUTLS_SERV="$1";; 468 --help|-h) usage; exit;; 469 --keep-going|-k) KEEP_GOING=1;; 470 --list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;; 471 --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;; 472 --memory|-m) MEMORY=1;; 473 --no-append-outcome) append_outcome=0;; 474 --no-armcc) no_armcc=1;; 475 --no-force) FORCE=0;; 476 --no-keep-going) KEEP_GOING=0;; 477 --no-memory) MEMORY=0;; 478 --no-quiet) QUIET=0;; 479 --openssl) shift; OPENSSL="$1";; 480 --openssl-legacy) shift; OPENSSL_LEGACY="$1";; 481 --openssl-next) shift; OPENSSL_NEXT="$1";; 482 --outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE="$1";; 483 --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";; 484 --quiet|-q) QUIET=1;; 485 --random-seed) unset SEED;; 486 --release-test|-r) SEED=$RELEASE_SEED;; 487 --restore) restore_first=1;; 488 --seed|-s) shift; SEED="$1";; 489 -*) 490 echo >&2 "Unknown option: $1" 491 echo >&2 "Run $0 --help for usage." 492 exit 120 493 ;; 494 *) COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS $1";; 495 esac 496 shift 497 done 498 499 # With no list of components, run everything. 500 if [ -z "$COMMAND_LINE_COMPONENTS" ] && [ $restore_first -eq 0 ]; then 501 all_except=1 502 fi 503 504 # --no-armcc is a legacy option. The modern way is --except '*_armcc*'. 505 # Ignore it if components are listed explicitly on the command line. 506 if [ -n "$no_armcc" ] && [ $all_except -eq 1 ]; then 507 COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_armcc*" 508 fi 509 510 # Error out if an explicitly requested component doesn't exist. 511 if [ $all_except -eq 0 ]; then 512 unsupported=0 513 # Temporarily disable wildcard expansion so that $COMMAND_LINE_COMPONENTS 514 # only does word splitting. 515 set -f 516 for component in $COMMAND_LINE_COMPONENTS; do 517 set +f 518 # If the requested name includes a wildcard character, don't 519 # check it. Accept wildcard patterns that don't match anything. 520 case $component in 521 *[*?\[]*) continue;; 522 esac 523 case " $SUPPORTED_COMPONENTS " in 524 *" $component "*) :;; 525 *) 526 echo >&2 "Component $component was explicitly requested, but is not known or not supported." 527 unsupported=$((unsupported + 1));; 528 esac 529 done 530 set +f 531 if [ $unsupported -ne 0 ]; then 532 exit 2 533 fi 534 fi 535 536 # Build the list of components to run. 537 RUN_COMPONENTS= 538 for component in $SUPPORTED_COMPONENTS; do 539 if is_component_included "$component"; [ $? -eq $all_except ]; then 540 RUN_COMPONENTS="$RUN_COMPONENTS $component" 541 fi 542 done 543 544 unset all_except 545 unset no_armcc 546} 547 548pre_check_git () { 549 if [ $FORCE -eq 1 ]; then 550 rm -rf "$OUT_OF_SOURCE_DIR" 551 git checkout-index -f -q $CONFIG_H 552 cleanup 553 else 554 555 if [ -d "$OUT_OF_SOURCE_DIR" ]; then 556 echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2 557 echo "You can either delete this directory manually, or force the test by rerunning" 558 echo "the script as: $0 --force --out-of-source-dir $OUT_OF_SOURCE_DIR" 559 exit 1 560 fi 561 562 if ! git diff --quiet "$CONFIG_H"; then 563 err_msg "Warning - the configuration file '$CONFIG_H' has been edited. " 564 echo "You can either delete or preserve your work, or force the test by rerunning the" 565 echo "script as: $0 --force" 566 exit 1 567 fi 568 fi 569} 570 571pre_restore_files () { 572 # If the makefiles have been generated by a framework such as cmake, 573 # restore them from git. If the makefiles look like modifications from 574 # the ones checked into git, take care not to modify them. Whatever 575 # this function leaves behind is what the script will restore before 576 # each component. 577 case "$(head -n1 Makefile)" in 578 *[Gg]enerated*) 579 git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile 580 git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile 581 ;; 582 esac 583} 584 585pre_back_up () { 586 for x in $files_to_back_up; do 587 cp -p "$x" "$x$backup_suffix" 588 done 589} 590 591pre_setup_keep_going () { 592 failure_count=0 # Number of failed components 593 last_failure_status=0 # Last failure status in this component 594 595 # See err_trap 596 previous_failure_status=0 597 previous_failed_command= 598 previous_failure_funcall_depth=0 599 unset report_failed_command 600 601 start_red= 602 end_color= 603 if [ -t 1 ]; then 604 case "${TERM:-}" in 605 *color*|cygwin|linux|rxvt*|screen|[Eex]term*) 606 start_red=$(printf '\033[31m') 607 end_color=$(printf '\033[0m') 608 ;; 609 esac 610 fi 611 612 # Keep a summary of failures in a file. We'll print it out at the end. 613 failure_summary_file=$PWD/all-sh-failures-$$.log 614 : >"$failure_summary_file" 615 616 # Whether it makes sense to keep a component going after the specified 617 # command fails (test command) or not (configure or build). 618 # This function normally receives the failing simple command 619 # ($BASH_COMMAND) as an argument, but if $report_failed_command is set, 620 # this is passed instead. 621 # This doesn't have to be 100% accurate: all failures are recorded anyway. 622 # False positives result in running things that can't be expected to 623 # work. False negatives result in things not running after something else 624 # failed even though they might have given useful feedback. 625 can_keep_going_after_failure () { 626 case "$1" in 627 "msg "*) false;; 628 "cd "*) false;; 629 *make*[\ /]tests*) false;; # make tests, make CFLAGS=-I../tests, ... 630 *test*) true;; # make test, tests/stuff, env V=v tests/stuff, ... 631 *make*check*) true;; 632 "grep "*) true;; 633 "[ "*) true;; 634 "! "*) true;; 635 *) false;; 636 esac 637 } 638 639 # This function runs if there is any error in a component. 640 # It must either exit with a nonzero status, or set 641 # last_failure_status to a nonzero value. 642 err_trap () { 643 # Save $? (status of the failing command). This must be the very 644 # first thing, before $? is overridden. 645 last_failure_status=$? 646 failed_command=${report_failed_command-$BASH_COMMAND} 647 648 if [[ $last_failure_status -eq $previous_failure_status && 649 "$failed_command" == "$previous_failed_command" && 650 ${#FUNCNAME[@]} == $((previous_failure_funcall_depth - 1)) ]] 651 then 652 # The same command failed twice in a row, but this time one level 653 # less deep in the function call stack. This happens when the last 654 # command of a function returns a nonzero status, and the function 655 # returns that same status. Ignore the second failure. 656 previous_failure_funcall_depth=${#FUNCNAME[@]} 657 return 658 fi 659 previous_failure_status=$last_failure_status 660 previous_failed_command=$failed_command 661 previous_failure_funcall_depth=${#FUNCNAME[@]} 662 663 text="$current_section: $failed_command -> $last_failure_status" 664 echo "${start_red}^^^^$text^^^^${end_color}" >&2 665 echo "$text" >>"$failure_summary_file" 666 667 # If the command is fatal (configure or build command), stop this 668 # component. Otherwise (test command) keep the component running 669 # (run more tests from the same build). 670 if ! can_keep_going_after_failure "$failed_command"; then 671 exit $last_failure_status 672 fi 673 } 674 675 final_report () { 676 if [ $failure_count -gt 0 ]; then 677 echo 678 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" 679 echo "${start_red}FAILED: $failure_count components${end_color}" 680 cat "$failure_summary_file" 681 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" 682 elif [ -z "${1-}" ]; then 683 echo "SUCCESS :)" 684 fi 685 if [ -n "${1-}" ]; then 686 echo "Killed by SIG$1." 687 fi 688 rm -f "$failure_summary_file" 689 if [ $failure_count -gt 0 ]; then 690 exit 1 691 fi 692 } 693} 694 695# record_status() and if_build_succeeded() are kept temporarily for backward 696# compatibility. Don't use them in new components. 697record_status () { 698 "$@" 699} 700if_build_succeeded () { 701 "$@" 702} 703 704# '! true' does not trigger the ERR trap. Arrange to trigger it, with 705# a reasonably informative error message (not just "$@"). 706not () { 707 if "$@"; then 708 report_failed_command="! $*" 709 false 710 unset report_failed_command 711 fi 712} 713 714pre_prepare_outcome_file () { 715 case "$MBEDTLS_TEST_OUTCOME_FILE" in 716 [!/]*) MBEDTLS_TEST_OUTCOME_FILE="$PWD/$MBEDTLS_TEST_OUTCOME_FILE";; 717 esac 718 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ] && [ "$append_outcome" -eq 0 ]; then 719 rm -f "$MBEDTLS_TEST_OUTCOME_FILE" 720 fi 721} 722 723pre_print_configuration () { 724 if [ $QUIET -eq 1 ]; then 725 return 726 fi 727 728 msg "info: $0 configuration" 729 echo "MEMORY: $MEMORY" 730 echo "FORCE: $FORCE" 731 echo "MBEDTLS_TEST_OUTCOME_FILE: ${MBEDTLS_TEST_OUTCOME_FILE:-(none)}" 732 echo "SEED: ${SEED-"UNSET"}" 733 echo 734 echo "OPENSSL: $OPENSSL" 735 echo "OPENSSL_LEGACY: $OPENSSL_LEGACY" 736 echo "OPENSSL_NEXT: $OPENSSL_NEXT" 737 echo "GNUTLS_CLI: $GNUTLS_CLI" 738 echo "GNUTLS_SERV: $GNUTLS_SERV" 739 echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI" 740 echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV" 741 echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR" 742 echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR" 743} 744 745# Make sure the tools we need are available. 746pre_check_tools () { 747 # Build the list of variables to pass to output_env.sh. 748 set env 749 750 case " $RUN_COMPONENTS " in 751 # Require OpenSSL and GnuTLS if running any tests (as opposed to 752 # only doing builds). Not all tests run OpenSSL and GnuTLS, but this 753 # is a good enough approximation in practice. 754 *" test_"*) 755 # To avoid setting OpenSSL and GnuTLS for each call to compat.sh 756 # and ssl-opt.sh, we just export the variables they require. 757 export OPENSSL="$OPENSSL" 758 export GNUTLS_CLI="$GNUTLS_CLI" 759 export GNUTLS_SERV="$GNUTLS_SERV" 760 # Avoid passing --seed flag in every call to ssl-opt.sh 761 if [ -n "${SEED-}" ]; then 762 export SEED 763 fi 764 set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" 765 set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV" 766 set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" 767 set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" 768 check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \ 769 "$GNUTLS_CLI" "$GNUTLS_SERV" \ 770 "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" 771 ;; 772 esac 773 774 case " $RUN_COMPONENTS " in 775 *_doxygen[_\ ]*) check_tools "doxygen" "dot";; 776 esac 777 778 case " $RUN_COMPONENTS " in 779 *_arm_none_eabi_gcc[_\ ]*) check_tools "${ARM_NONE_EABI_GCC_PREFIX}gcc";; 780 esac 781 782 case " $RUN_COMPONENTS " in 783 *_mingw[_\ ]*) check_tools "i686-w64-mingw32-gcc";; 784 esac 785 786 case " $RUN_COMPONENTS " in 787 *" test_zeroize "*) check_tools "gdb";; 788 esac 789 790 case " $RUN_COMPONENTS " in 791 *_armcc*) 792 ARMC5_CC="$ARMC5_BIN_DIR/armcc" 793 ARMC5_AR="$ARMC5_BIN_DIR/armar" 794 ARMC5_FROMELF="$ARMC5_BIN_DIR/fromelf" 795 ARMC6_CC="$ARMC6_BIN_DIR/armclang" 796 ARMC6_AR="$ARMC6_BIN_DIR/armar" 797 ARMC6_FROMELF="$ARMC6_BIN_DIR/fromelf" 798 check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC5_FROMELF" \ 799 "$ARMC6_CC" "$ARMC6_AR" "$ARMC6_FROMELF";; 800 esac 801 802 # past this point, no call to check_tool, only printing output 803 if [ $QUIET -eq 1 ]; then 804 return 805 fi 806 807 msg "info: output_env.sh" 808 case $RUN_COMPONENTS in 809 *_armcc*) 810 set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;; 811 *) set "$@" RUN_ARMCC=0;; 812 esac 813 "$@" scripts/output_env.sh 814} 815 816pre_generate_files() { 817 # since make doesn't have proper dependencies, remove any possibly outdate 818 # file that might be around before generating fresh ones 819 make neat 820 if [ $QUIET -eq 1 ]; then 821 make generated_files >/dev/null 822 else 823 make generated_files 824 fi 825} 826 827################################################################ 828#### Helpers for components using libtestdriver1 829################################################################ 830 831# How to use libtestdriver1 832# ------------------------- 833# 834# 1. Define the list algorithms and key types to accelerate, 835# designated the same way as PSA_WANT_ macros but without PSA_WANT_. 836# Examples: 837# - loc_accel_list="ALG_JPAKE" 838# - loc_accel_list="ALG_FFDH KEY_TYPE_DH_KEY_PAIR KEY_TYPE_DH_PUBLIC_KEY" 839# 2. Make configurations changes for the driver and/or main libraries. 840# 2a. Call helper_libtestdriver1_adjust_config <base>, where the argument 841# can be either "default" to start with the default config, or a name 842# supported by scripts/config.py (for example, "full"). This selects 843# the base to use, and makes common adjustments. 844# 2b. If desired, adjust the PSA_WANT symbols in psa/crypto_config.h. 845# These changes affect both the driver and the main libraries. 846# (Note: they need to have the same set of PSA_WANT symbols, as that 847# determines the ABI between them.) 848# 2c. Adjust MBEDTLS_ symbols in mbedtls_config.h. This only affects the 849# main libraries. Typically, you want to disable the module(s) that are 850# being accelerated. You may need to also disable modules that depend 851# on them or options that are not supported with drivers. 852# 2d. On top of psa/crypto_config.h, the driver library uses its own config 853# file: tests/include/test/drivers/config_test_driver.h. You usually 854# don't need to edit it: using loc_extra_list (see below) is preferred. 855# However, when there's no PSA symbol for what you want to enable, 856# calling scripts/config.py on this file remains the only option. 857# 3. Build the driver library, then the main libraries, test, and programs. 858# 3a. Call helper_libtestdriver1_make_drivers "$loc_accel_list". You may 859# need to enable more algorithms here, typically hash algorithms when 860# accelerating some signature algorithms (ECDSA, RSAv2). This is done 861# by passing a 2nd argument listing the extra algorithms. 862# Example: 863# loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" 864# helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 865# 4b. Call helper_libtestdriver1_make_main "$loc_accel_list". Any 866# additional arguments will be passed to make: this can be useful if 867# you don't want to build everything when iterating during development. 868# Example: 869# helper_libtestdriver1_make_main "$loc_accel_list" -C tests test_suite_foo 870# 4. Run the tests you want. 871 872# Adjust the configuration - for both libtestdriver1 and main library, 873# as they should have the same PSA_WANT macros. 874helper_libtestdriver1_adjust_config() { 875 base_config=$1 876 # Select the base configuration 877 if [ "$base_config" != "default" ]; then 878 scripts/config.py "$base_config" 879 fi 880 881 # Enable PSA-based config (necessary to use drivers) 882 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 883 884 # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having 885 # partial support for cipher operations in the driver test library. 886 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER 887 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 888 889 # Dynamic secure element support is a deprecated feature and needs to be disabled here. 890 # This is done to have the same form of psa_key_attributes_s for libdriver and library. 891 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 892} 893 894# When called with no parameter this function disables all builtin curves. 895# The function optionally accepts 1 parameter: a space-separated list of the 896# curves that should be kept enabled. 897helper_disable_builtin_curves() { 898 allowed_list="${1:-}" 899 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" 900 901 for curve in $allowed_list; do 902 scripts/config.py set $curve 903 done 904} 905 906# Helper returning the list of supported elliptic curves from CRYPTO_CONFIG_H, 907# without the "PSA_WANT_" prefix. This becomes handy for accelerating curves 908# in the following helpers. 909helper_get_psa_curve_list () { 910 loc_list="" 911 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do 912 loc_list="$loc_list $item" 913 done 914 915 echo "$loc_list" 916} 917 918# Get the list of uncommented PSA_WANT_KEY_TYPE_xxx_ from CRYPTO_CONFIG_H. This 919# is useful to easily get a list of key type symbols to accelerate. 920# The function accepts a single argument which is the key type: ECC, DH, RSA. 921helper_get_psa_key_type_list() { 922 key_type="$1" 923 loc_list="" 924 for item in $(sed -n "s/^#define PSA_WANT_\(KEY_TYPE_${key_type}_[0-9A-Z_a-z]*\).*/\1/p" <"$CRYPTO_CONFIG_H"); do 925 # Skip DERIVE for elliptic keys since there is no driver dispatch for 926 # it so it cannot be accelerated. 927 if [ "$item" != "KEY_TYPE_ECC_KEY_PAIR_DERIVE" ]; then 928 loc_list="$loc_list $item" 929 fi 930 done 931 932 echo "$loc_list" 933} 934 935# Build the drivers library libtestdriver1.a (with ASan). 936# 937# Parameters: 938# 1. a space-separated list of things to accelerate; 939# 2. optional: a space-separate list of things to also support. 940# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. 941helper_libtestdriver1_make_drivers() { 942 loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) 943 make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" 944} 945 946# Build the main libraries, programs and tests, 947# linking to the drivers library (with ASan). 948# 949# Parameters: 950# 1. a space-separated list of things to accelerate; 951# *. remaining arguments if any are passed directly to make 952# (examples: lib, -C tests test_suite_xxx, etc.) 953# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. 954helper_libtestdriver1_make_main() { 955 loc_accel_list=$1 956 shift 957 958 # we need flags both with and without the LIBTESTDRIVER1_ prefix 959 loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) 960 loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" 961 make CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@" 962} 963 964################################################################ 965#### Basic checks 966################################################################ 967 968# 969# Test Suites to be executed 970# 971# The test ordering tries to optimize for the following criteria: 972# 1. Catch possible problems early, by running first tests that run quickly 973# and/or are more likely to fail than others (eg I use Clang most of the 974# time, so start with a GCC build). 975# 2. Minimize total running time, by avoiding useless rebuilds 976# 977# Indicative running times are given for reference. 978 979component_check_recursion () { 980 msg "Check: recursion.pl" # < 1s 981 tests/scripts/recursion.pl library/*.c 982} 983 984component_check_generated_files () { 985 msg "Check: check-generated-files, files generated with make" # 2s 986 make generated_files 987 tests/scripts/check-generated-files.sh 988 989 msg "Check: check-generated-files -u, files present" # 2s 990 tests/scripts/check-generated-files.sh -u 991 # Check that the generated files are considered up to date. 992 tests/scripts/check-generated-files.sh 993 994 msg "Check: check-generated-files -u, files absent" # 2s 995 command make neat 996 tests/scripts/check-generated-files.sh -u 997 # Check that the generated files are considered up to date. 998 tests/scripts/check-generated-files.sh 999 1000 # This component ends with the generated files present in the source tree. 1001 # This is necessary for subsequent components! 1002} 1003 1004component_check_doxy_blocks () { 1005 msg "Check: doxygen markup outside doxygen blocks" # < 1s 1006 tests/scripts/check-doxy-blocks.pl 1007} 1008 1009component_check_files () { 1010 msg "Check: file sanity checks (permissions, encodings)" # < 1s 1011 tests/scripts/check_files.py 1012} 1013 1014component_check_changelog () { 1015 msg "Check: changelog entries" # < 1s 1016 rm -f ChangeLog.new 1017 scripts/assemble_changelog.py -o ChangeLog.new 1018 if [ -e ChangeLog.new ]; then 1019 # Show the diff for information. It isn't an error if the diff is 1020 # non-empty. 1021 diff -u ChangeLog ChangeLog.new || true 1022 rm ChangeLog.new 1023 fi 1024} 1025 1026component_check_names () { 1027 msg "Check: declared and exported names (builds the library)" # < 3s 1028 tests/scripts/check_names.py -v 1029} 1030 1031component_check_test_cases () { 1032 msg "Check: test case descriptions" # < 1s 1033 if [ $QUIET -eq 1 ]; then 1034 opt='--quiet' 1035 else 1036 opt='' 1037 fi 1038 tests/scripts/check_test_cases.py -q $opt 1039 unset opt 1040} 1041 1042component_check_doxygen_warnings () { 1043 msg "Check: doxygen warnings (builds the documentation)" # ~ 3s 1044 tests/scripts/doxygen.sh 1045} 1046 1047 1048 1049################################################################ 1050#### Build and test many configurations and targets 1051################################################################ 1052 1053component_test_default_out_of_box () { 1054 msg "build: make, default config (out-of-box)" # ~1min 1055 make 1056 # Disable fancy stuff 1057 unset MBEDTLS_TEST_OUTCOME_FILE 1058 1059 msg "test: main suites make, default config (out-of-box)" # ~10s 1060 make test 1061 1062 msg "selftest: make, default config (out-of-box)" # ~10s 1063 programs/test/selftest 1064} 1065 1066component_test_default_cmake_gcc_asan () { 1067 msg "build: cmake, gcc, ASan" # ~ 1 min 50s 1068 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1069 make 1070 1071 msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s 1072 make test 1073 1074 msg "test: selftest (ASan build)" # ~ 10s 1075 programs/test/selftest 1076 1077 msg "test: ssl-opt.sh (ASan build)" # ~ 1 min 1078 tests/ssl-opt.sh 1079 1080 msg "test: compat.sh (ASan build)" # ~ 6 min 1081 tests/compat.sh 1082 1083 msg "test: context-info.sh (ASan build)" # ~ 15 sec 1084 tests/context-info.sh 1085} 1086 1087component_test_default_cmake_gcc_asan_new_bignum () { 1088 msg "build: cmake, gcc, ASan" # ~ 1 min 50s 1089 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT 1090 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1091 make 1092 1093 msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s 1094 make test 1095 1096 msg "test: selftest (ASan build)" # ~ 10s 1097 programs/test/selftest 1098 1099 msg "test: ssl-opt.sh (ASan build)" # ~ 1 min 1100 tests/ssl-opt.sh 1101 1102 msg "test: compat.sh (ASan build)" # ~ 6 min 1103 tests/compat.sh 1104 1105 msg "test: context-info.sh (ASan build)" # ~ 15 sec 1106 tests/context-info.sh 1107} 1108 1109component_test_full_cmake_gcc_asan () { 1110 msg "build: full config, cmake, gcc, ASan" 1111 scripts/config.py full 1112 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1113 make 1114 1115 msg "test: main suites (inc. selftests) (full config, ASan build)" 1116 make test 1117 1118 msg "test: selftest (ASan build)" # ~ 10s 1119 programs/test/selftest 1120 1121 msg "test: ssl-opt.sh (full config, ASan build)" 1122 tests/ssl-opt.sh 1123 1124 msg "test: compat.sh (full config, ASan build)" 1125 tests/compat.sh 1126 1127 msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec 1128 tests/context-info.sh 1129} 1130 1131 1132component_test_full_cmake_gcc_asan_new_bignum () { 1133 msg "build: full config, cmake, gcc, ASan" 1134 scripts/config.py full 1135 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT 1136 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1137 make 1138 1139 msg "test: main suites (inc. selftests) (full config, ASan build)" 1140 make test 1141 1142 msg "test: selftest (ASan build)" # ~ 10s 1143 programs/test/selftest 1144 1145 msg "test: ssl-opt.sh (full config, ASan build)" 1146 tests/ssl-opt.sh 1147 1148 msg "test: compat.sh (full config, ASan build)" 1149 tests/compat.sh 1150 1151 msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec 1152 tests/context-info.sh 1153} 1154 1155component_test_full_cmake_gcc_asan_new_bignum_test_hooks () { 1156 msg "build: full config, cmake, gcc, ASan" 1157 scripts/config.py full 1158 scripts/config.py set MBEDTLS_TEST_HOOKS 1159 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT 1160 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1161 make 1162 1163 msg "test: main suites (inc. selftests) (full config, ASan build)" 1164 make test 1165 1166 msg "test: selftest (ASan build)" # ~ 10s 1167 programs/test/selftest 1168} 1169 1170component_test_psa_crypto_key_id_encodes_owner () { 1171 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 1172 scripts/config.py full 1173 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 1174 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1175 make 1176 1177 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 1178 make test 1179} 1180 1181# check_renamed_symbols HEADER LIB 1182# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol 1183# name is LIB. 1184check_renamed_symbols () { 1185 ! nm "$2" | sed 's/.* //' | 1186 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" 1187} 1188 1189component_build_psa_crypto_spm () { 1190 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" 1191 scripts/config.py full 1192 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 1193 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 1194 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM 1195 # We can only compile, not link, since our test and sample programs 1196 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM 1197 # is active. 1198 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib 1199 1200 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed 1201 # version is not present. 1202 echo "Checking for renamed symbols in the library" 1203 check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a 1204} 1205 1206component_test_psa_crypto_client () { 1207 msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make" 1208 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 1209 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 1210 scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT 1211 scripts/config.py unset MBEDTLS_LMS_C 1212 scripts/config.py unset MBEDTLS_LMS_PRIVATE 1213 make 1214 1215 msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make" 1216 make test 1217} 1218 1219component_test_psa_crypto_rsa_no_genprime() { 1220 msg "build: default config minus MBEDTLS_GENPRIME" 1221 scripts/config.py unset MBEDTLS_GENPRIME 1222 make 1223 1224 msg "test: default config minus MBEDTLS_GENPRIME" 1225 make test 1226} 1227 1228component_test_ref_configs () { 1229 msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s 1230 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake 1231 # want to re-generate generated files that depend on it, quite correctly. 1232 # However this doesn't work as the generation script expects a specific 1233 # format for mbedtls_config.h, which the other files don't follow. Also, 1234 # cmake can't know this, but re-generation is actually not necessary as 1235 # the generated files only depend on the list of available options, not 1236 # whether they're on or off. So, disable cmake's (over-sensitive here) 1237 # dependency resolution for generated files and just rely on them being 1238 # present (thanks to pre_generate_files) by turning GEN_FILES off. 1239 CC=gcc cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . 1240 tests/scripts/test-ref-configs.pl 1241} 1242 1243component_test_no_renegotiation () { 1244 msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min 1245 scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION 1246 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1247 make 1248 1249 msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s 1250 make test 1251 1252 msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min 1253 tests/ssl-opt.sh 1254} 1255 1256component_test_no_pem_no_fs () { 1257 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" 1258 scripts/config.py unset MBEDTLS_PEM_PARSE_C 1259 scripts/config.py unset MBEDTLS_FS_IO 1260 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem 1261 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS 1262 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1263 make 1264 1265 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s 1266 make test 1267 1268 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min 1269 tests/ssl-opt.sh 1270} 1271 1272component_test_rsa_no_crt () { 1273 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min 1274 scripts/config.py set MBEDTLS_RSA_NO_CRT 1275 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1276 make 1277 1278 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s 1279 make test 1280 1281 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s 1282 tests/ssl-opt.sh -f RSA 1283 1284 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min 1285 tests/compat.sh -t RSA 1286 1287 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec 1288 tests/context-info.sh 1289} 1290 1291component_test_no_ctr_drbg_classic () { 1292 msg "build: Full minus CTR_DRBG, classic crypto in TLS" 1293 scripts/config.py full 1294 scripts/config.py unset MBEDTLS_CTR_DRBG_C 1295 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1296 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1297 1298 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1299 make 1300 1301 msg "test: Full minus CTR_DRBG, classic crypto - main suites" 1302 make test 1303 1304 # In this configuration, the TLS test programs use HMAC_DRBG. 1305 # The SSL tests are slow, so run a small subset, just enough to get 1306 # confidence that the SSL code copes with HMAC_DRBG. 1307 msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" 1308 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 1309 1310 msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" 1311 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 1312} 1313 1314component_test_no_ctr_drbg_use_psa () { 1315 msg "build: Full minus CTR_DRBG, PSA crypto in TLS" 1316 scripts/config.py full 1317 scripts/config.py unset MBEDTLS_CTR_DRBG_C 1318 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1319 1320 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1321 make 1322 1323 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" 1324 make test 1325 1326 # In this configuration, the TLS test programs use HMAC_DRBG. 1327 # The SSL tests are slow, so run a small subset, just enough to get 1328 # confidence that the SSL code copes with HMAC_DRBG. 1329 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 1330 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 1331 1332 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" 1333 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 1334} 1335 1336component_test_no_hmac_drbg_classic () { 1337 msg "build: Full minus HMAC_DRBG, classic crypto in TLS" 1338 scripts/config.py full 1339 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 1340 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 1341 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1342 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1343 1344 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1345 make 1346 1347 msg "test: Full minus HMAC_DRBG, classic crypto - main suites" 1348 make test 1349 1350 # Normally our ECDSA implementation uses deterministic ECDSA. But since 1351 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 1352 # instead. 1353 # Test SSL with non-deterministic ECDSA. Only test features that 1354 # might be affected by how ECDSA signature is performed. 1355 msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" 1356 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 1357 1358 # To save time, only test one protocol version, since this part of 1359 # the protocol is identical in (D)TLS up to 1.2. 1360 msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" 1361 tests/compat.sh -m tls12 -t 'ECDSA' 1362} 1363 1364component_test_no_hmac_drbg_use_psa () { 1365 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" 1366 scripts/config.py full 1367 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 1368 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 1369 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1370 1371 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1372 make 1373 1374 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" 1375 make test 1376 1377 # Normally our ECDSA implementation uses deterministic ECDSA. But since 1378 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 1379 # instead. 1380 # Test SSL with non-deterministic ECDSA. Only test features that 1381 # might be affected by how ECDSA signature is performed. 1382 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 1383 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 1384 1385 # To save time, only test one protocol version, since this part of 1386 # the protocol is identical in (D)TLS up to 1.2. 1387 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" 1388 tests/compat.sh -m tls12 -t 'ECDSA' 1389} 1390 1391component_test_psa_external_rng_no_drbg_classic () { 1392 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" 1393 scripts/config.py full 1394 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1395 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1396 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 1397 scripts/config.py unset MBEDTLS_ENTROPY_C 1398 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 1399 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 1400 scripts/config.py unset MBEDTLS_CTR_DRBG_C 1401 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 1402 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 1403 # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, 1404 # the SSL test programs don't have an RNG and can't work. Explicitly 1405 # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. 1406 make CFLAGS="$ASAN_CFLAGS -O2 -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" 1407 1408 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" 1409 make test 1410 1411 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" 1412 tests/ssl-opt.sh -f 'Default' 1413} 1414 1415component_test_psa_external_rng_no_drbg_use_psa () { 1416 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" 1417 scripts/config.py full 1418 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 1419 scripts/config.py unset MBEDTLS_ENTROPY_C 1420 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 1421 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 1422 scripts/config.py unset MBEDTLS_CTR_DRBG_C 1423 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 1424 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 1425 make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" 1426 1427 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" 1428 make test 1429 1430 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" 1431 tests/ssl-opt.sh -f 'Default\|opaque' 1432} 1433 1434component_test_psa_external_rng_use_psa_crypto () { 1435 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 1436 scripts/config.py full 1437 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 1438 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1439 scripts/config.py unset MBEDTLS_CTR_DRBG_C 1440 make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" 1441 1442 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 1443 make test 1444 1445 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 1446 tests/ssl-opt.sh -f 'Default\|opaque' 1447} 1448 1449component_test_psa_inject_entropy () { 1450 msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY" 1451 scripts/config.py full 1452 scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY 1453 scripts/config.py set MBEDTLS_ENTROPY_NV_SEED 1454 scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 1455 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 1456 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ 1457 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE 1458 make CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" 1459 1460 msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY" 1461 make test 1462} 1463 1464component_test_sw_inet_pton () { 1465 msg "build: default plus MBEDTLS_TEST_SW_INET_PTON" 1466 1467 # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton 1468 scripts/config.py set MBEDTLS_TEST_HOOKS 1469 make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON" 1470 1471 msg "test: default plus MBEDTLS_TEST_SW_INET_PTON" 1472 make test 1473} 1474 1475component_test_crypto_full_md_light_only () { 1476 msg "build: crypto_full with only the light subset of MD" 1477 scripts/config.py crypto_full 1478 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 1479 # Disable MD 1480 scripts/config.py unset MBEDTLS_MD_C 1481 # Disable direct dependencies of MD_C 1482 scripts/config.py unset MBEDTLS_HKDF_C 1483 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 1484 scripts/config.py unset MBEDTLS_PKCS7_C 1485 # Disable indirect dependencies of MD_C 1486 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG 1487 # Disable things that would auto-enable MD_C 1488 scripts/config.py unset MBEDTLS_PKCS5_C 1489 1490 # Note: MD-light is auto-enabled in build_info.h by modules that need it, 1491 # which we haven't disabled, so no need to explicitly enable it. 1492 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 1493 1494 # Make sure we don't have the HMAC functions, but the hashing functions 1495 not grep mbedtls_md_hmac library/md.o 1496 grep mbedtls_md library/md.o 1497 1498 msg "test: crypto_full with only the light subset of MD" 1499 make test 1500} 1501 1502component_test_full_no_cipher () { 1503 msg "build: full minus CIPHER" 1504 scripts/config.py full 1505 scripts/config.py unset MBEDTLS_CIPHER_C 1506 # Don't pull in cipher via PSA mechanisms 1507 # (currently ignored anyway because we completely disable PSA) 1508 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 1509 # Direct dependencies 1510 scripts/config.py unset MBEDTLS_CCM_C 1511 scripts/config.py unset MBEDTLS_CMAC_C 1512 scripts/config.py unset MBEDTLS_GCM_C 1513 scripts/config.py unset MBEDTLS_NIST_KW_C 1514 scripts/config.py unset MBEDTLS_PKCS12_C 1515 scripts/config.py unset MBEDTLS_PKCS5_C 1516 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 1517 scripts/config.py unset MBEDTLS_SSL_TLS_C 1518 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1519 # Indirect dependencies 1520 scripts/config.py unset MBEDTLS_SSL_CLI_C 1521 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 1522 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 1523 scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY 1524 scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID 1525 scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1526 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1527 scripts/config.py unset MBEDTLS_SSL_SRV_C 1528 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1529 scripts/config.py unset MBEDTLS_LMS_C 1530 scripts/config.py unset MBEDTLS_LMS_PRIVATE 1531 make 1532 1533 msg "test: full minus CIPHER" 1534 make test 1535} 1536 1537component_test_full_no_bignum () { 1538 msg "build: full minus bignum" 1539 scripts/config.py full 1540 scripts/config.py unset MBEDTLS_BIGNUM_C 1541 # Direct dependencies of bignum 1542 scripts/config.py unset MBEDTLS_ECP_C 1543 scripts/config.py unset MBEDTLS_RSA_C 1544 scripts/config.py unset MBEDTLS_DHM_C 1545 # Direct dependencies of ECP 1546 scripts/config.py unset MBEDTLS_ECDH_C 1547 scripts/config.py unset MBEDTLS_ECDSA_C 1548 scripts/config.py unset MBEDTLS_ECJPAKE_C 1549 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1550 # Disable what auto-enables ECP_LIGHT 1551 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1552 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1553 # Indirect dependencies of ECP 1554 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 1555 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1556 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 1557 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1558 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 1559 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 1560 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1561 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1562 # Direct dependencies of DHM 1563 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1564 # Direct dependencies of RSA 1565 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1566 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 1567 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 1568 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1569 # PK and its dependencies 1570 scripts/config.py unset MBEDTLS_PK_C 1571 scripts/config.py unset MBEDTLS_PK_PARSE_C 1572 scripts/config.py unset MBEDTLS_PK_WRITE_C 1573 scripts/config.py unset MBEDTLS_X509_USE_C 1574 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 1575 scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C 1576 scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C 1577 scripts/config.py unset MBEDTLS_X509_CREATE_C 1578 scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C 1579 scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C 1580 scripts/config.py unset MBEDTLS_PKCS7_C 1581 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 1582 scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE 1583 scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 1584 1585 make 1586 1587 msg "test: full minus bignum" 1588 make test 1589} 1590 1591component_test_tls1_2_default_stream_cipher_only () { 1592 msg "build: default with only stream cipher" 1593 1594 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C 1595 scripts/config.py unset MBEDTLS_GCM_C 1596 scripts/config.py unset MBEDTLS_CCM_C 1597 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 1598 # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) 1599 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 1600 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1601 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC 1602 # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 1603 scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER 1604 # Modules that depend on AEAD 1605 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 1606 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1607 1608 make 1609 1610 msg "test: default with only stream cipher" 1611 make test 1612 1613 # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. 1614} 1615 1616component_test_tls1_2_default_stream_cipher_only_use_psa () { 1617 msg "build: default with only stream cipher use psa" 1618 1619 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1620 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) 1621 scripts/config.py unset MBEDTLS_GCM_C 1622 scripts/config.py unset MBEDTLS_CCM_C 1623 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 1624 # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) 1625 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 1626 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1627 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC 1628 # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 1629 scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER 1630 # Modules that depend on AEAD 1631 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 1632 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1633 1634 make 1635 1636 msg "test: default with only stream cipher use psa" 1637 make test 1638 1639 # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. 1640} 1641 1642component_test_tls1_2_default_cbc_legacy_cipher_only () { 1643 msg "build: default with only CBC-legacy cipher" 1644 1645 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) 1646 scripts/config.py unset MBEDTLS_GCM_C 1647 scripts/config.py unset MBEDTLS_CCM_C 1648 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 1649 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) 1650 scripts/config.py set MBEDTLS_CIPHER_MODE_CBC 1651 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1652 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC 1653 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 1654 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER 1655 # Modules that depend on AEAD 1656 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 1657 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1658 1659 make 1660 1661 msg "test: default with only CBC-legacy cipher" 1662 make test 1663 1664 msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)" 1665 tests/ssl-opt.sh -f "TLS 1.2" 1666} 1667 1668component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { 1669 msg "build: default with only CBC-legacy cipher use psa" 1670 1671 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1672 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) 1673 scripts/config.py unset MBEDTLS_GCM_C 1674 scripts/config.py unset MBEDTLS_CCM_C 1675 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 1676 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) 1677 scripts/config.py set MBEDTLS_CIPHER_MODE_CBC 1678 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1679 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC 1680 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 1681 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER 1682 # Modules that depend on AEAD 1683 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 1684 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1685 1686 make 1687 1688 msg "test: default with only CBC-legacy cipher use psa" 1689 make test 1690 1691 msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" 1692 tests/ssl-opt.sh -f "TLS 1.2" 1693} 1694 1695component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { 1696 msg "build: default with only CBC-legacy and CBC-EtM ciphers" 1697 1698 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) 1699 scripts/config.py unset MBEDTLS_GCM_C 1700 scripts/config.py unset MBEDTLS_CCM_C 1701 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 1702 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) 1703 scripts/config.py set MBEDTLS_CIPHER_MODE_CBC 1704 # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1705 scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC 1706 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 1707 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER 1708 # Modules that depend on AEAD 1709 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 1710 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1711 1712 make 1713 1714 msg "test: default with only CBC-legacy and CBC-EtM ciphers" 1715 make test 1716 1717 msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)" 1718 tests/ssl-opt.sh -f "TLS 1.2" 1719} 1720 1721component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { 1722 msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" 1723 1724 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1725 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) 1726 scripts/config.py unset MBEDTLS_GCM_C 1727 scripts/config.py unset MBEDTLS_CCM_C 1728 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 1729 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) 1730 scripts/config.py set MBEDTLS_CIPHER_MODE_CBC 1731 # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1732 scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC 1733 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 1734 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER 1735 # Modules that depend on AEAD 1736 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 1737 scripts/config.py unset MBEDTLS_SSL_TICKET_C 1738 1739 make 1740 1741 msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" 1742 make test 1743 1744 msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" 1745 tests/ssl-opt.sh -f "TLS 1.2" 1746} 1747 1748# We're not aware of any other (open source) implementation of EC J-PAKE in TLS 1749# that we could use for interop testing. However, we now have sort of two 1750# implementations ourselves: one using PSA, the other not. At least test that 1751# these two interoperate with each other. 1752component_test_tls1_2_ecjpake_compatibility() { 1753 msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" 1754 scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 1755 # Explicitly make lib first to avoid a race condition: 1756 # https://github.com/Mbed-TLS/mbedtls/issues/8229 1757 make lib 1758 make -C programs ssl/ssl_server2 ssl/ssl_client2 1759 cp programs/ssl/ssl_server2 s2_no_use_psa 1760 cp programs/ssl/ssl_client2 c2_no_use_psa 1761 1762 msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" 1763 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 1764 make clean 1765 make lib 1766 make -C programs ssl/ssl_server2 ssl/ssl_client2 1767 make -C programs test/udp_proxy test/query_compile_time_config 1768 1769 msg "test: server w/o USE_PSA - client w/ USE_PSA, text password" 1770 P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" 1771 msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password" 1772 P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS" 1773 msg "test: client w/o USE_PSA - server w/ USE_PSA, text password" 1774 P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" 1775 msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password" 1776 P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS" 1777 1778 rm s2_no_use_psa c2_no_use_psa 1779} 1780 1781component_test_everest () { 1782 msg "build: Everest ECDH context (ASan build)" # ~ 6 min 1783 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 1784 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . 1785 make 1786 1787 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s 1788 make test 1789 1790 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s 1791 tests/ssl-opt.sh -f ECDH 1792 1793 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min 1794 # Exclude some symmetric ciphers that are redundant here to gain time. 1795 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' 1796} 1797 1798component_test_everest_curve25519_only () { 1799 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min 1800 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 1801 scripts/config.py unset MBEDTLS_ECDSA_C 1802 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 1803 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 1804 scripts/config.py unset MBEDTLS_ECJPAKE_C 1805 # Disable all curves 1806 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" 1807 scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED 1808 1809 make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" 1810 1811 msg "test: Everest ECDH context, only Curve25519" # ~ 50s 1812 make test 1813} 1814 1815component_test_small_ssl_out_content_len () { 1816 msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" 1817 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 1818 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 1819 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1820 make 1821 1822 msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" 1823 tests/ssl-opt.sh -f "Max fragment\|Large packet" 1824} 1825 1826component_test_small_ssl_in_content_len () { 1827 msg "build: small SSL_IN_CONTENT_LEN (ASan build)" 1828 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096 1829 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 1830 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1831 make 1832 1833 msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" 1834 tests/ssl-opt.sh -f "Max fragment" 1835} 1836 1837component_test_small_ssl_dtls_max_buffering () { 1838 msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" 1839 scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 1840 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1841 make 1842 1843 msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" 1844 tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" 1845} 1846 1847component_test_small_mbedtls_ssl_dtls_max_buffering () { 1848 msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" 1849 scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190 1850 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 1851 make 1852 1853 msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" 1854 tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" 1855} 1856 1857component_test_psa_collect_statuses () { 1858 msg "build+test: psa_collect_statuses" # ~30s 1859 scripts/config.py full 1860 tests/scripts/psa_collect_statuses.py 1861 # Check that psa_crypto_init() succeeded at least once 1862 grep -q '^0:psa_crypto_init:' tests/statuses.log 1863 rm -f tests/statuses.log 1864} 1865 1866component_test_full_cmake_clang () { 1867 msg "build: cmake, full config, clang" # ~ 50s 1868 scripts/config.py full 1869 CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 . 1870 make 1871 1872 msg "test: main suites (full config, clang)" # ~ 5s 1873 make test 1874 1875 msg "test: cpp_dummy_build (full config, clang)" # ~ 1s 1876 programs/test/cpp_dummy_build 1877 1878 msg "test: psa_constant_names (full config, clang)" # ~ 1s 1879 tests/scripts/test_psa_constant_names.py 1880 1881 msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s 1882 tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' 1883 1884 msg "test: compat.sh NULL (full config)" # ~ 2 min 1885 env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL' 1886 1887 msg "test: compat.sh ARIA + ChachaPoly" 1888 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' 1889} 1890 1891skip_suites_without_constant_flow () { 1892 # Skip the test suites that don't have any constant-flow annotations. 1893 # This will need to be adjusted if we ever start declaring things as 1894 # secret from macros or functions inside tests/include or tests/src. 1895 SKIP_TEST_SUITES=$( 1896 git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' | 1897 sed 's/test_suite_//; s/\.function$//' | 1898 tr '\n' ,) 1899 export SKIP_TEST_SUITES 1900} 1901 1902skip_all_except_given_suite () { 1903 # Skip all but the given test suite 1904 SKIP_TEST_SUITES=$( 1905 ls -1 tests/suites/test_suite_*.function | 1906 grep -v $1.function | 1907 sed 's/tests.suites.test_suite_//; s/\.function$//' | 1908 tr '\n' ,) 1909 export SKIP_TEST_SUITES 1910} 1911 1912component_test_memsan_constant_flow () { 1913 # This tests both (1) accesses to undefined memory, and (2) branches or 1914 # memory access depending on secret values. To distinguish between those: 1915 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? 1916 # - or alternatively, change the build type to MemSanDbg, which enables 1917 # origin tracking and nicer stack traces (which are useful for debugging 1918 # anyway), and check if the origin was TEST_CF_SECRET() or something else. 1919 msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" 1920 scripts/config.py full 1921 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN 1922 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1923 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 1924 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 1925 make 1926 1927 msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)" 1928 make test 1929} 1930 1931component_test_memsan_constant_flow_psa () { 1932 # This tests both (1) accesses to undefined memory, and (2) branches or 1933 # memory access depending on secret values. To distinguish between those: 1934 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? 1935 # - or alternatively, change the build type to MemSanDbg, which enables 1936 # origin tracking and nicer stack traces (which are useful for debugging 1937 # anyway), and check if the origin was TEST_CF_SECRET() or something else. 1938 msg "build: cmake MSan (clang), full config with constant flow testing" 1939 scripts/config.py full 1940 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN 1941 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 1942 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 1943 make 1944 1945 msg "test: main suites (Msan + constant flow)" 1946 make test 1947} 1948 1949component_test_valgrind_constant_flow () { 1950 # This tests both (1) everything that valgrind's memcheck usually checks 1951 # (heap buffer overflows, use of uninitialized memory, use-after-free, 1952 # etc.) and (2) branches or memory access depending on secret values, 1953 # which will be reported as uninitialized memory. To distinguish between 1954 # secret and actually uninitialized: 1955 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 1956 # - or alternatively, build with debug info and manually run the offending 1957 # test suite with valgrind --track-origins=yes, then check if the origin 1958 # was TEST_CF_SECRET() or something else. 1959 msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" 1960 scripts/config.py full 1961 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 1962 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1963 skip_suites_without_constant_flow 1964 cmake -D CMAKE_BUILD_TYPE:String=Release . 1965 make 1966 1967 # this only shows a summary of the results (how many of each type) 1968 # details are left in Testing/<date>/DynamicAnalysis.xml 1969 msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" 1970 make memcheck 1971 1972 # Test asm path in constant time module - by default, it will test the plain C 1973 # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) 1974 msg "test: valgrind asm constant_time" 1975 scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM 1976 skip_all_except_given_suite test_suite_constant_time 1977 cmake -D CMAKE_BUILD_TYPE:String=Release . 1978 make clean 1979 make 1980 make memcheck 1981} 1982 1983component_test_valgrind_constant_flow_psa () { 1984 # This tests both (1) everything that valgrind's memcheck usually checks 1985 # (heap buffer overflows, use of uninitialized memory, use-after-free, 1986 # etc.) and (2) branches or memory access depending on secret values, 1987 # which will be reported as uninitialized memory. To distinguish between 1988 # secret and actually uninitialized: 1989 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 1990 # - or alternatively, build with debug info and manually run the offending 1991 # test suite with valgrind --track-origins=yes, then check if the origin 1992 # was TEST_CF_SECRET() or something else. 1993 msg "build: cmake release GCC, full config with constant flow testing" 1994 scripts/config.py full 1995 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 1996 skip_suites_without_constant_flow 1997 cmake -D CMAKE_BUILD_TYPE:String=Release . 1998 make 1999 2000 # this only shows a summary of the results (how many of each type) 2001 # details are left in Testing/<date>/DynamicAnalysis.xml 2002 msg "test: some suites (valgrind + constant flow)" 2003 make memcheck 2004} 2005 2006component_test_default_no_deprecated () { 2007 # Test that removing the deprecated features from the default 2008 # configuration leaves something consistent. 2009 msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s 2010 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED 2011 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' 2012 2013 msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s 2014 make test 2015} 2016 2017component_test_full_no_deprecated () { 2018 msg "build: make, full_no_deprecated config" # ~ 30s 2019 scripts/config.py full_no_deprecated 2020 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' 2021 2022 msg "test: make, full_no_deprecated config" # ~ 5s 2023 make test 2024 2025 msg "test: ensure that X509 has no direct dependency on BIGNUM_C" 2026 not grep mbedtls_mpi library/libmbedx509.a 2027} 2028 2029component_test_full_no_deprecated_deprecated_warning () { 2030 # Test that there is nothing deprecated in "full_no_deprecated". 2031 # A deprecated feature would trigger a warning (made fatal) from 2032 # MBEDTLS_DEPRECATED_WARNING. 2033 msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s 2034 scripts/config.py full_no_deprecated 2035 scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED 2036 scripts/config.py set MBEDTLS_DEPRECATED_WARNING 2037 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' 2038 2039 msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s 2040 make test 2041} 2042 2043component_test_full_deprecated_warning () { 2044 # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes 2045 # with only certain whitelisted types of warnings. 2046 msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s 2047 scripts/config.py full 2048 scripts/config.py set MBEDTLS_DEPRECATED_WARNING 2049 # Expect warnings from '#warning' directives in check_config.h. 2050 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs 2051 2052 msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s 2053 # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features. 2054 # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set. 2055 # Expect warnings from '#warning' directives in check_config.h and 2056 # from the use of deprecated functions in test suites. 2057 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests 2058 2059 msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s 2060 make test 2061} 2062 2063# Check that the specified libraries exist and are empty. 2064are_empty_libraries () { 2065 nm "$@" >/dev/null 2>/dev/null 2066 ! nm "$@" 2>/dev/null | grep -v ':$' | grep . 2067} 2068 2069component_build_crypto_default () { 2070 msg "build: make, crypto only" 2071 scripts/config.py crypto 2072 make CFLAGS='-O1 -Werror' 2073 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 2074} 2075 2076component_build_crypto_full () { 2077 msg "build: make, crypto only, full config" 2078 scripts/config.py crypto_full 2079 make CFLAGS='-O1 -Werror' 2080 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 2081} 2082 2083component_test_crypto_for_psa_service () { 2084 msg "build: make, config for PSA crypto service" 2085 scripts/config.py crypto 2086 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 2087 # Disable things that are not needed for just cryptography, to 2088 # reach a configuration that would be typical for a PSA cryptography 2089 # service providing all implemented PSA algorithms. 2090 # System stuff 2091 scripts/config.py unset MBEDTLS_ERROR_C 2092 scripts/config.py unset MBEDTLS_TIMING_C 2093 scripts/config.py unset MBEDTLS_VERSION_FEATURES 2094 # Crypto stuff with no PSA interface 2095 scripts/config.py unset MBEDTLS_BASE64_C 2096 # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. 2097 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent 2098 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. 2099 scripts/config.py unset MBEDTLS_NIST_KW_C 2100 scripts/config.py unset MBEDTLS_PEM_PARSE_C 2101 scripts/config.py unset MBEDTLS_PEM_WRITE_C 2102 scripts/config.py unset MBEDTLS_PKCS12_C 2103 scripts/config.py unset MBEDTLS_PKCS5_C 2104 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed 2105 # in PSA code to work with RSA keys. We don't require users to set those: 2106 # they will be reenabled in build_info.h. 2107 scripts/config.py unset MBEDTLS_PK_C 2108 scripts/config.py unset MBEDTLS_PK_PARSE_C 2109 scripts/config.py unset MBEDTLS_PK_WRITE_C 2110 make CFLAGS='-O1 -Werror' all test 2111 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 2112} 2113 2114component_build_crypto_baremetal () { 2115 msg "build: make, crypto only, baremetal config" 2116 scripts/config.py crypto_baremetal 2117 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" 2118 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 2119} 2120support_build_crypto_baremetal () { 2121 support_build_baremetal "$@" 2122} 2123 2124component_build_baremetal () { 2125 msg "build: make, baremetal config" 2126 scripts/config.py baremetal 2127 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" 2128} 2129support_build_baremetal () { 2130 # Older Glibc versions include time.h from other headers such as stdlib.h, 2131 # which makes the no-time.h-in-baremetal check fail. Ubuntu 16.04 has this 2132 # problem, Ubuntu 18.04 is ok. 2133 ! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h 2134} 2135 2136# depends.py family of tests 2137component_test_depends_py_cipher_id () { 2138 msg "test/build: depends.py cipher_id (gcc)" 2139 tests/scripts/depends.py cipher_id --unset-use-psa 2140} 2141 2142component_test_depends_py_cipher_chaining () { 2143 msg "test/build: depends.py cipher_chaining (gcc)" 2144 tests/scripts/depends.py cipher_chaining --unset-use-psa 2145} 2146 2147component_test_depends_py_cipher_padding () { 2148 msg "test/build: depends.py cipher_padding (gcc)" 2149 tests/scripts/depends.py cipher_padding --unset-use-psa 2150} 2151 2152component_test_depends_py_curves () { 2153 msg "test/build: depends.py curves (gcc)" 2154 tests/scripts/depends.py curves --unset-use-psa 2155} 2156 2157component_test_depends_py_hashes () { 2158 msg "test/build: depends.py hashes (gcc)" 2159 tests/scripts/depends.py hashes --unset-use-psa 2160} 2161 2162component_test_depends_py_kex () { 2163 msg "test/build: depends.py kex (gcc)" 2164 tests/scripts/depends.py kex --unset-use-psa 2165} 2166 2167component_test_depends_py_pkalgs () { 2168 msg "test/build: depends.py pkalgs (gcc)" 2169 tests/scripts/depends.py pkalgs --unset-use-psa 2170} 2171 2172# PSA equivalents of the depends.py tests 2173component_test_depends_py_cipher_id_psa () { 2174 msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2175 tests/scripts/depends.py cipher_id 2176} 2177 2178component_test_depends_py_cipher_chaining_psa () { 2179 msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2180 tests/scripts/depends.py cipher_chaining 2181} 2182 2183component_test_depends_py_cipher_padding_psa () { 2184 msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2185 tests/scripts/depends.py cipher_padding 2186} 2187 2188component_test_depends_py_curves_psa () { 2189 msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2190 tests/scripts/depends.py curves 2191} 2192 2193component_test_depends_py_hashes_psa () { 2194 msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2195 tests/scripts/depends.py hashes 2196} 2197 2198component_test_depends_py_kex_psa () { 2199 msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2200 tests/scripts/depends.py kex 2201} 2202 2203component_test_depends_py_pkalgs_psa () { 2204 msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 2205 tests/scripts/depends.py pkalgs 2206} 2207 2208component_build_no_pk_rsa_alt_support () { 2209 msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s 2210 2211 scripts/config.py full 2212 scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT 2213 scripts/config.py set MBEDTLS_RSA_C 2214 scripts/config.py set MBEDTLS_X509_CRT_WRITE_C 2215 2216 # Only compile - this is primarily to test for compile issues 2217 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' 2218} 2219 2220component_build_module_alt () { 2221 msg "build: MBEDTLS_XXX_ALT" # ~30s 2222 scripts/config.py full 2223 2224 # Disable options that are incompatible with some ALT implementations: 2225 # aesni.c and padlock.c reference mbedtls_aes_context fields directly. 2226 scripts/config.py unset MBEDTLS_AESNI_C 2227 scripts/config.py unset MBEDTLS_PADLOCK_C 2228 scripts/config.py unset MBEDTLS_AESCE_C 2229 # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. 2230 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 2231 # You can only have one threading implementation: alt or pthread, not both. 2232 scripts/config.py unset MBEDTLS_THREADING_PTHREAD 2233 # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields 2234 # directly and assumes the implementation works with partial groups. 2235 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 2236 # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_* 2237 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 2238 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY 2239 # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* 2240 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2241 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY 2242 2243 # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable 2244 # MBEDTLS_XXX_YYY_ALT which are for single functions. 2245 scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' 2246 scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C 2247 2248 # We can only compile, not link, since we don't have any implementations 2249 # suitable for testing with the dummy alt headers. 2250 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib 2251} 2252 2253component_build_dhm_alt () { 2254 msg "build: MBEDTLS_DHM_ALT" # ~30s 2255 scripts/config.py full 2256 scripts/config.py set MBEDTLS_DHM_ALT 2257 # debug.c currently references mbedtls_dhm_context fields directly. 2258 scripts/config.py unset MBEDTLS_DEBUG_C 2259 # We can only compile, not link, since we don't have any implementations 2260 # suitable for testing with the dummy alt headers. 2261 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib 2262} 2263 2264component_test_no_use_psa_crypto_full_cmake_asan() { 2265 # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh 2266 msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan" 2267 scripts/config.py full 2268 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 2269 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2270 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2271 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C 2272 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 2273 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 2274 scripts/config.py unset MBEDTLS_LMS_C 2275 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2276 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 2277 make 2278 2279 msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)" 2280 make test 2281 2282 # Note: ssl-opt.sh has some test cases that depend on 2283 # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO 2284 # This is the only component where those tests are not skipped. 2285 msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)" 2286 tests/ssl-opt.sh 2287 2288 msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" 2289 tests/compat.sh 2290 2291 msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" 2292 env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -f 'NULL' 2293 2294 msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" 2295 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' 2296} 2297 2298component_test_psa_crypto_config_accel_ecdsa () { 2299 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" 2300 2301 # Algorithms and key types to accelerate 2302 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 2303 $(helper_get_psa_key_type_list "ECC")" 2304 2305 # Note: Those are handled in a special way by the libtestdriver machinery, 2306 # so we only want to include them in the accel list when building the main 2307 # libraries, hence the use of a separate variable. 2308 loc_curve_list="$(helper_get_psa_curve_list)" 2309 2310 # Configure 2311 # --------- 2312 2313 # Start from default config (no USE_PSA) + TLS 1.3 2314 helper_libtestdriver1_adjust_config "default" 2315 scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 2316 2317 # Disable the module that's accelerated 2318 scripts/config.py unset MBEDTLS_ECDSA_C 2319 2320 # Disable things that depend on it 2321 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 2322 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 2323 2324 # Build 2325 # ----- 2326 2327 # These hashes are needed for some ECDSA signature tests. 2328 loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2329 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2330 2331 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 2332 2333 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2334 2335 # Make sure this was not re-enabled by accident (additive config) 2336 not grep mbedtls_ecdsa_ library/ecdsa.o 2337 2338 # Run the tests 2339 # ------------- 2340 2341 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" 2342 make test 2343} 2344 2345component_test_psa_crypto_config_accel_ecdh () { 2346 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" 2347 2348 # Algorithms and key types to accelerate 2349 loc_accel_list="ALG_ECDH \ 2350 $(helper_get_psa_key_type_list "ECC")" 2351 2352 # Note: Those are handled in a special way by the libtestdriver machinery, 2353 # so we only want to include them in the accel list when building the main 2354 # libraries, hence the use of a separate variable. 2355 loc_curve_list="$(helper_get_psa_curve_list)" 2356 2357 # Configure 2358 # --------- 2359 2360 # Start from default config (no TLS 1.3, no USE_PSA) 2361 helper_libtestdriver1_adjust_config "default" 2362 2363 # Disable the module that's accelerated 2364 scripts/config.py unset MBEDTLS_ECDH_C 2365 2366 # Disable things that depend on it 2367 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 2368 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 2369 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 2370 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 2371 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 2372 2373 # Build 2374 # ----- 2375 2376 helper_libtestdriver1_make_drivers "$loc_accel_list" 2377 2378 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2379 2380 # Make sure this was not re-enabled by accident (additive config) 2381 not grep mbedtls_ecdh_ library/ecdh.o 2382 2383 # Run the tests 2384 # ------------- 2385 2386 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" 2387 make test 2388} 2389 2390component_test_psa_crypto_config_accel_ffdh () { 2391 msg "build: full with accelerated FFDH" 2392 2393 # Algorithms and key types to accelerate 2394 loc_accel_list="ALG_FFDH \ 2395 $(helper_get_psa_key_type_list "DH")" 2396 2397 # Configure 2398 # --------- 2399 2400 # start with full (USE_PSA and TLS 1.3) 2401 helper_libtestdriver1_adjust_config "full" 2402 2403 # Disable the module that's accelerated 2404 scripts/config.py unset MBEDTLS_DHM_C 2405 2406 # Disable things that depend on it 2407 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 2408 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 2409 2410 # Build 2411 # ----- 2412 2413 helper_libtestdriver1_make_drivers "$loc_accel_list" 2414 2415 helper_libtestdriver1_make_main "$loc_accel_list" 2416 2417 # Make sure this was not re-enabled by accident (additive config) 2418 not grep mbedtls_dhm_ library/dhm.o 2419 2420 # Run the tests 2421 # ------------- 2422 2423 msg "test: full with accelerated FFDH" 2424 make test 2425 2426 msg "ssl-opt: full with accelerated FFDH alg" 2427 tests/ssl-opt.sh -f "ffdh" 2428} 2429 2430component_test_psa_crypto_config_reference_ffdh () { 2431 msg "build: full with non-accelerated FFDH" 2432 2433 # Start with full (USE_PSA and TLS 1.3) 2434 helper_libtestdriver1_adjust_config "full" 2435 2436 # Disable things that are not supported 2437 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 2438 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 2439 make 2440 2441 msg "test suites: full with non-accelerated FFDH alg" 2442 make test 2443 2444 msg "ssl-opt: full with non-accelerated FFDH alg" 2445 tests/ssl-opt.sh -f "ffdh" 2446} 2447 2448component_test_psa_crypto_config_accel_pake() { 2449 msg "build: full with accelerated PAKE" 2450 2451 loc_accel_list="ALG_JPAKE \ 2452 $(helper_get_psa_key_type_list "ECC")" 2453 2454 # Note: Those are handled in a special way by the libtestdriver machinery, 2455 # so we only want to include them in the accel list when building the main 2456 # libraries, hence the use of a separate variable. 2457 loc_curve_list="$(helper_get_psa_curve_list)" 2458 2459 # Configure 2460 # --------- 2461 2462 helper_libtestdriver1_adjust_config "full" 2463 2464 # Make built-in fallback not available 2465 scripts/config.py unset MBEDTLS_ECJPAKE_C 2466 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 2467 2468 # Build 2469 # ----- 2470 2471 helper_libtestdriver1_make_drivers "$loc_accel_list" 2472 2473 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2474 2475 # Make sure this was not re-enabled by accident (additive config) 2476 not grep mbedtls_ecjpake_init library/ecjpake.o 2477 2478 # Run the tests 2479 # ------------- 2480 2481 msg "test: full with accelerated PAKE" 2482 make test 2483} 2484 2485component_test_psa_crypto_config_accel_ecc_some_key_types () { 2486 msg "build: full with accelerated EC algs and some key types" 2487 2488 # Algorithms and key types to accelerate 2489 # For key types, use an explicitly list to omit GENERATE (and DERIVE) 2490 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 2491 ALG_ECDH \ 2492 ALG_JPAKE \ 2493 KEY_TYPE_ECC_PUBLIC_KEY \ 2494 KEY_TYPE_ECC_KEY_PAIR_BASIC \ 2495 KEY_TYPE_ECC_KEY_PAIR_IMPORT \ 2496 KEY_TYPE_ECC_KEY_PAIR_EXPORT" 2497 2498 # Note: Curves are handled in a special way by the libtestdriver machinery, 2499 # so we only want to include them in the accel list when building the main 2500 # libraries, hence the use of a separate variable. 2501 loc_curve_list="$(helper_get_psa_curve_list)" 2502 2503 # Configure 2504 # --------- 2505 2506 # start with config full for maximum coverage (also enables USE_PSA) 2507 helper_libtestdriver1_adjust_config "full" 2508 2509 # Disable modules that are accelerated - some will be re-enabled 2510 scripts/config.py unset MBEDTLS_ECDSA_C 2511 scripts/config.py unset MBEDTLS_ECDH_C 2512 scripts/config.py unset MBEDTLS_ECJPAKE_C 2513 scripts/config.py unset MBEDTLS_ECP_C 2514 2515 # Disable all curves - those that aren't accelerated should be re-enabled 2516 helper_disable_builtin_curves 2517 2518 # Restartable feature is not yet supported by PSA. Once it will in 2519 # the future, the following line could be removed (see issues 2520 # 6061, 6332 and following ones) 2521 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 2522 2523 # this is not supported by the driver API yet 2524 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 2525 2526 # Build 2527 # ----- 2528 2529 # These hashes are needed for some ECDSA signature tests. 2530 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2531 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2532 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 2533 2534 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2535 2536 # ECP should be re-enabled but not the others 2537 not grep mbedtls_ecdh_ library/ecdh.o 2538 not grep mbedtls_ecdsa library/ecdsa.o 2539 not grep mbedtls_ecjpake library/ecjpake.o 2540 grep mbedtls_ecp library/ecp.o 2541 2542 # Run the tests 2543 # ------------- 2544 2545 msg "test suites: full with accelerated EC algs and some key types" 2546 make test 2547} 2548 2549# Run tests with only (non-)Weierstrass accelerated 2550# Common code used in: 2551# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves 2552# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves 2553common_test_psa_crypto_config_accel_ecc_some_curves () { 2554 weierstrass=$1 2555 if [ $weierstrass -eq 1 ]; then 2556 desc="Weierstrass" 2557 else 2558 desc="non-Weierstrass" 2559 fi 2560 2561 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" 2562 2563 # Algorithms and key types to accelerate 2564 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 2565 ALG_ECDH \ 2566 ALG_JPAKE \ 2567 $(helper_get_psa_key_type_list "ECC")" 2568 2569 # Note: Curves are handled in a special way by the libtestdriver machinery, 2570 # so we only want to include them in the accel list when building the main 2571 # libraries, hence the use of a separate variable. 2572 # Note: the following loop is a modified version of 2573 # helper_get_psa_curve_list that only keeps Weierstrass families. 2574 loc_weierstrass_list="" 2575 loc_non_weierstrass_list="" 2576 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do 2577 case $item in 2578 ECC_BRAINPOOL*|ECC_SECP*) 2579 loc_weierstrass_list="$loc_weierstrass_list $item" 2580 ;; 2581 *) 2582 loc_non_weierstrass_list="$loc_non_weierstrass_list $item" 2583 ;; 2584 esac 2585 done 2586 if [ $weierstrass -eq 1 ]; then 2587 loc_curve_list=$loc_weierstrass_list 2588 else 2589 loc_curve_list=$loc_non_weierstrass_list 2590 fi 2591 2592 # Configure 2593 # --------- 2594 2595 # Start with config crypto_full and remove PK_C: 2596 # that's what's supported now, see docs/driver-only-builds.md. 2597 helper_libtestdriver1_adjust_config "crypto_full" 2598 scripts/config.py unset MBEDTLS_PK_C 2599 scripts/config.py unset MBEDTLS_PK_PARSE_C 2600 scripts/config.py unset MBEDTLS_PK_WRITE_C 2601 # We need to disable RSA too or PK will be re-enabled. 2602 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" 2603 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" 2604 scripts/config.py unset MBEDTLS_RSA_C 2605 scripts/config.py unset MBEDTLS_PKCS1_V15 2606 scripts/config.py unset MBEDTLS_PKCS1_V21 2607 2608 # Disable modules that are accelerated - some will be re-enabled 2609 scripts/config.py unset MBEDTLS_ECDSA_C 2610 scripts/config.py unset MBEDTLS_ECDH_C 2611 scripts/config.py unset MBEDTLS_ECJPAKE_C 2612 scripts/config.py unset MBEDTLS_ECP_C 2613 2614 # Disable all curves - those that aren't accelerated should be re-enabled 2615 helper_disable_builtin_curves 2616 2617 # Restartable feature is not yet supported by PSA. Once it will in 2618 # the future, the following line could be removed (see issues 2619 # 6061, 6332 and following ones) 2620 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 2621 2622 # this is not supported by the driver API yet 2623 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 2624 2625 # Build 2626 # ----- 2627 2628 # These hashes are needed for some ECDSA signature tests. 2629 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2630 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2631 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 2632 2633 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2634 2635 # We expect ECDH to be re-enabled for the missing curves 2636 grep mbedtls_ecdh_ library/ecdh.o 2637 # We expect ECP to be re-enabled, however the parts specific to the 2638 # families of curves that are accelerated should be ommited. 2639 # - functions with mxz in the name are specific to Montgomery curves 2640 # - ecp_muladd is specific to Weierstrass curves 2641 ##nm library/ecp.o | tee ecp.syms 2642 if [ $weierstrass -eq 1 ]; then 2643 not grep mbedtls_ecp_muladd library/ecp.o 2644 grep mxz library/ecp.o 2645 else 2646 grep mbedtls_ecp_muladd library/ecp.o 2647 not grep mxz library/ecp.o 2648 fi 2649 # We expect ECDSA and ECJPAKE to be re-enabled only when 2650 # Weierstrass curves are not accelerated 2651 if [ $weierstrass -eq 1 ]; then 2652 not grep mbedtls_ecdsa library/ecdsa.o 2653 not grep mbedtls_ecjpake library/ecjpake.o 2654 else 2655 grep mbedtls_ecdsa library/ecdsa.o 2656 grep mbedtls_ecjpake library/ecjpake.o 2657 fi 2658 2659 # Run the tests 2660 # ------------- 2661 2662 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" 2663 make test 2664} 2665 2666component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { 2667 common_test_psa_crypto_config_accel_ecc_some_curves 1 2668} 2669 2670component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { 2671 common_test_psa_crypto_config_accel_ecc_some_curves 0 2672} 2673 2674# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, 2675# ECDH, ECDSA) with and without drivers. 2676# The input parameter is a boolean value which indicates: 2677# - 0 keep built-in EC algs, 2678# - 1 exclude built-in EC algs (driver only). 2679# 2680# This is used by the two following components to ensure they always use the 2681# same config, except for the use of driver or built-in EC algorithms: 2682# - component_test_psa_crypto_config_accel_ecc_ecp_light_only; 2683# - component_test_psa_crypto_config_reference_ecc_ecp_light_only. 2684# This supports comparing their test coverage with analyze_outcomes.py. 2685config_psa_crypto_config_ecp_light_only () { 2686 driver_only="$1" 2687 # start with config full for maximum coverage (also enables USE_PSA) 2688 helper_libtestdriver1_adjust_config "full" 2689 if [ "$driver_only" -eq 1 ]; then 2690 # Disable modules that are accelerated 2691 scripts/config.py unset MBEDTLS_ECDSA_C 2692 scripts/config.py unset MBEDTLS_ECDH_C 2693 scripts/config.py unset MBEDTLS_ECJPAKE_C 2694 scripts/config.py unset MBEDTLS_ECP_C 2695 fi 2696 2697 # Restartable feature is not yet supported by PSA. Once it will in 2698 # the future, the following line could be removed (see issues 2699 # 6061, 6332 and following ones) 2700 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 2701} 2702 2703# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only 2704component_test_psa_crypto_config_accel_ecc_ecp_light_only () { 2705 msg "build: full with accelerated EC algs" 2706 2707 # Algorithms and key types to accelerate 2708 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 2709 ALG_ECDH \ 2710 ALG_JPAKE \ 2711 $(helper_get_psa_key_type_list "ECC")" 2712 2713 # Note: Those are handled in a special way by the libtestdriver machinery, 2714 # so we only want to include them in the accel list when building the main 2715 # libraries, hence the use of a separate variable. 2716 loc_curve_list="$(helper_get_psa_curve_list)" 2717 2718 # Configure 2719 # --------- 2720 2721 # Use the same config as reference, only without built-in EC algs 2722 config_psa_crypto_config_ecp_light_only 1 2723 2724 # Do not disable builtin curves because that support is required for: 2725 # - MBEDTLS_PK_PARSE_EC_EXTENDED 2726 # - MBEDTLS_PK_PARSE_EC_COMPRESSED 2727 2728 # Build 2729 # ----- 2730 2731 # These hashes are needed for some ECDSA signature tests. 2732 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2733 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2734 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 2735 2736 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2737 2738 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 2739 not grep mbedtls_ecdsa_ library/ecdsa.o 2740 not grep mbedtls_ecdh_ library/ecdh.o 2741 not grep mbedtls_ecjpake_ library/ecjpake.o 2742 not grep mbedtls_ecp_mul library/ecp.o 2743 2744 # Run the tests 2745 # ------------- 2746 2747 msg "test suites: full with accelerated EC algs" 2748 make test 2749 2750 msg "ssl-opt: full with accelerated EC algs" 2751 tests/ssl-opt.sh 2752} 2753 2754# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only 2755component_test_psa_crypto_config_reference_ecc_ecp_light_only () { 2756 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" 2757 2758 config_psa_crypto_config_ecp_light_only 0 2759 2760 make 2761 2762 msg "test suites: full with non-accelerated EC algs" 2763 make test 2764 2765 msg "ssl-opt: full with non-accelerated EC algs" 2766 tests/ssl-opt.sh 2767} 2768 2769# This helper function is used by: 2770# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() 2771# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 2772# to ensure that both tests use the same underlying configuration when testing 2773# driver's coverage with analyze_outcomes.py. 2774# 2775# This functions accepts 1 boolean parameter as follows: 2776# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore 2777# excluding their built-in implementation as well as ECP_C & ECP_LIGHT 2778# - 0: include built-in implementation of EC algorithms. 2779# 2780# PK_C and RSA_C are always disabled to ensure there is no remaining dependency 2781# on the ECP module. 2782config_psa_crypto_no_ecp_at_all () { 2783 driver_only="$1" 2784 # start with full config for maximum coverage (also enables USE_PSA) 2785 helper_libtestdriver1_adjust_config "full" 2786 2787 if [ "$driver_only" -eq 1 ]; then 2788 # Disable modules that are accelerated 2789 scripts/config.py unset MBEDTLS_ECDSA_C 2790 scripts/config.py unset MBEDTLS_ECDH_C 2791 scripts/config.py unset MBEDTLS_ECJPAKE_C 2792 # Disable ECP module (entirely) 2793 scripts/config.py unset MBEDTLS_ECP_C 2794 fi 2795 2796 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 2797 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 2798 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 2799 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 2800 2801 # Restartable feature is not yet supported by PSA. Once it will in 2802 # the future, the following line could be removed (see issues 2803 # 6061, 6332 and following ones) 2804 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 2805} 2806 2807# Build and test a configuration where driver accelerates all EC algs while 2808# all support and dependencies from ECP and ECP_LIGHT are removed on the library 2809# side. 2810# 2811# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 2812component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { 2813 msg "build: full + accelerated EC algs - ECP" 2814 2815 # Algorithms and key types to accelerate 2816 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 2817 ALG_ECDH \ 2818 ALG_JPAKE \ 2819 $(helper_get_psa_key_type_list "ECC")" 2820 2821 # Note: Those are handled in a special way by the libtestdriver machinery, 2822 # so we only want to include them in the accel list when building the main 2823 # libraries, hence the use of a separate variable. 2824 loc_curve_list="$(helper_get_psa_curve_list)" 2825 2826 # Configure 2827 # --------- 2828 2829 # Set common configurations between library's and driver's builds 2830 config_psa_crypto_no_ecp_at_all 1 2831 # Disable all the builtin curves. All the required algs are accelerated. 2832 helper_disable_builtin_curves 2833 2834 # Build 2835 # ----- 2836 2837 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 2838 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 2839 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2840 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2841 2842 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 2843 2844 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 2845 2846 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 2847 not grep mbedtls_ecdsa_ library/ecdsa.o 2848 not grep mbedtls_ecdh_ library/ecdh.o 2849 not grep mbedtls_ecjpake_ library/ecjpake.o 2850 # Also ensure that ECP module was not re-enabled 2851 not grep mbedtls_ecp_ library/ecp.o 2852 2853 # Run the tests 2854 # ------------- 2855 2856 msg "test: full + accelerated EC algs - ECP" 2857 make test 2858 2859 msg "ssl-opt: full + accelerated EC algs - ECP" 2860 tests/ssl-opt.sh 2861} 2862 2863# Reference function used for driver's coverage analysis in analyze_outcomes.py 2864# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). 2865# Keep in sync with its accelerated counterpart. 2866component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { 2867 msg "build: full + non accelerated EC algs" 2868 2869 config_psa_crypto_no_ecp_at_all 0 2870 2871 make 2872 2873 msg "test: full + non accelerated EC algs" 2874 make test 2875 2876 msg "ssl-opt: full + non accelerated EC algs" 2877 tests/ssl-opt.sh 2878} 2879 2880# This is a common configuration helper used directly from: 2881# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 2882# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 2883# and indirectly from: 2884# - component_test_psa_crypto_config_accel_ecc_no_bignum 2885# - accelerate all EC algs, disable RSA and FFDH 2886# - component_test_psa_crypto_config_reference_ecc_no_bignum 2887# - this is the reference component of the above 2888# - it still disables RSA and FFDH, but it uses builtin EC algs 2889# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 2890# - accelerate all EC and FFDH algs, disable only RSA 2891# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 2892# - this is the reference component of the above 2893# - it still disables RSA, but it uses builtin EC and FFDH algs 2894# 2895# This function accepts 2 parameters: 2896# $1: a boolean value which states if we are testing an accelerated scenario 2897# or not. 2898# $2: a string value which states which components are tested. Allowed values 2899# are "ECC" or "ECC_DH". 2900config_psa_crypto_config_accel_ecc_ffdh_no_bignum() { 2901 driver_only="$1" 2902 test_target="$2" 2903 # start with full config for maximum coverage (also enables USE_PSA) 2904 helper_libtestdriver1_adjust_config "full" 2905 2906 if [ "$driver_only" -eq 1 ]; then 2907 # Disable modules that are accelerated 2908 scripts/config.py unset MBEDTLS_ECDSA_C 2909 scripts/config.py unset MBEDTLS_ECDH_C 2910 scripts/config.py unset MBEDTLS_ECJPAKE_C 2911 # Disable ECP module (entirely) 2912 scripts/config.py unset MBEDTLS_ECP_C 2913 # Also disable bignum 2914 scripts/config.py unset MBEDTLS_BIGNUM_C 2915 fi 2916 2917 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 2918 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 2919 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 2920 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 2921 2922 # RSA support is intentionally disabled on this test because RSA_C depends 2923 # on BIGNUM_C. 2924 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" 2925 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" 2926 scripts/config.py unset MBEDTLS_RSA_C 2927 scripts/config.py unset MBEDTLS_PKCS1_V15 2928 scripts/config.py unset MBEDTLS_PKCS1_V21 2929 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 2930 # Also disable key exchanges that depend on RSA 2931 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 2932 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 2933 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 2934 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 2935 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 2936 2937 if [ "$test_target" = "ECC" ]; then 2938 # When testing ECC only, we disable FFDH support, both from builtin and 2939 # PSA sides, and also disable the key exchanges that depend on DHM. 2940 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH 2941 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" 2942 scripts/config.py unset MBEDTLS_DHM_C 2943 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 2944 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 2945 else 2946 # When testing ECC and DH instead, we disable DHM and depending key 2947 # exchanges only in the accelerated build 2948 if [ "$driver_only" -eq 1 ]; then 2949 scripts/config.py unset MBEDTLS_DHM_C 2950 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 2951 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 2952 fi 2953 fi 2954 2955 # Restartable feature is not yet supported by PSA. Once it will in 2956 # the future, the following line could be removed (see issues 2957 # 6061, 6332 and following ones) 2958 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 2959} 2960 2961# Common helper used by: 2962# - component_test_psa_crypto_config_accel_ecc_no_bignum 2963# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 2964# 2965# The goal is to build and test accelerating either: 2966# - ECC only or 2967# - both ECC and FFDH 2968# 2969# It is meant to be used in conjunction with 2970# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers 2971# coverage analysis in the "analyze_outcomes.py" script. 2972common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 2973 test_target="$1" 2974 2975 # This is an internal helper to simplify text message handling 2976 if [ "$test_target" = "ECC_DH" ]; then 2977 accel_text="ECC/FFDH" 2978 removed_text="ECP - DH" 2979 else 2980 accel_text="ECC" 2981 removed_text="ECP" 2982 fi 2983 2984 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 2985 2986 # By default we accelerate all EC keys/algs 2987 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 2988 ALG_ECDH \ 2989 ALG_JPAKE \ 2990 $(helper_get_psa_key_type_list "ECC")" 2991 # Optionally we can also add DH to the list of accelerated items 2992 if [ "$test_target" = "ECC_DH" ]; then 2993 loc_accel_list="$loc_accel_list \ 2994 ALG_FFDH \ 2995 $(helper_get_psa_key_type_list "DH")" 2996 fi 2997 2998 # Note: Those are handled in a special way by the libtestdriver machinery, 2999 # so we only want to include them in the accel list when building the main 3000 # libraries, hence the use of a separate variable. 3001 loc_curve_list="$(helper_get_psa_curve_list)" 3002 3003 # Configure 3004 # --------- 3005 3006 # Set common configurations between library's and driver's builds 3007 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" 3008 # Disable all the builtin curves. All the required algs are accelerated. 3009 helper_disable_builtin_curves 3010 3011 # Build 3012 # ----- 3013 3014 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 3015 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 3016 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 3017 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 3018 3019 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 3020 3021 helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list" 3022 3023 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 3024 not grep mbedtls_ecdsa_ library/ecdsa.o 3025 not grep mbedtls_ecdh_ library/ecdh.o 3026 not grep mbedtls_ecjpake_ library/ecjpake.o 3027 # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled 3028 not grep mbedtls_ecp_ library/ecp.o 3029 not grep mbedtls_rsa_ library/rsa.o 3030 not grep mbedtls_mpi_ library/bignum.o 3031 not grep mbedtls_dhm_ library/dhm.o 3032 3033 # Run the tests 3034 # ------------- 3035 3036 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM" 3037 3038 make test 3039 3040 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 3041 tests/ssl-opt.sh 3042} 3043 3044# Common helper used by: 3045# - component_test_psa_crypto_config_reference_ecc_no_bignum 3046# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 3047# 3048# The goal is to build and test a reference scenario (i.e. with builtin 3049# components) compared to the ones used in 3050# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. 3051# 3052# It is meant to be used in conjunction with 3053# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' 3054# coverage analysis in "analyze_outcomes.py" script. 3055common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 3056 test_target="$1" 3057 3058 # This is an internal helper to simplify text message handling 3059 if [ "$test_target" = "ECC_DH" ]; then 3060 accel_text="ECC/FFDH" 3061 else 3062 accel_text="ECC" 3063 fi 3064 3065 msg "build: full + non accelerated $accel_text algs + USE_PSA" 3066 3067 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" 3068 3069 make 3070 3071 msg "test suites: full + non accelerated EC algs + USE_PSA" 3072 make test 3073 3074 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" 3075 tests/ssl-opt.sh 3076} 3077 3078component_test_psa_crypto_config_accel_ecc_no_bignum () { 3079 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" 3080} 3081 3082component_test_psa_crypto_config_reference_ecc_no_bignum () { 3083 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" 3084} 3085 3086component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 3087 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" 3088} 3089 3090component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 3091 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" 3092} 3093 3094# Helper for setting common configurations between: 3095# - component_test_tfm_config_p256m_driver_accel_ec() 3096# - component_test_tfm_config() 3097common_tfm_config () { 3098 # Enable TF-M config 3099 cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" 3100 cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" 3101 3102 # Adjust for the fact that we're building outside the TF-M environment. 3103 # 3104 # TF-M has separation, our build doesn't 3105 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SPM 3106 scripts/config.py unset MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 3107 # TF-M provdes its own (dummy) implemenation, from their tree 3108 scripts/config.py unset MBEDTLS_AES_DECRYPT_ALT 3109 scripts/config.py unset MBEDTLS_AES_SETKEY_DEC_ALT 3110 # We have an OS that provides entropy, use it 3111 scripts/config.py unset MBEDTLS_NO_PLATFORM_ENTROPY 3112 3113 # Other config adjustments to make the tests pass. 3114 # Those should probably be adopted upstream. 3115 # 3116 # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS 3117 echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" 3118 # pkparse.c and pkwrite.c fail to link without this 3119 echo "#define MBEDTLS_OID_C" >> "$CONFIG_H" 3120 # - ASN1_[PARSE/WRITE]_C found by check_config.h for pkparse/pkwrite 3121 echo "#define MBEDTLS_ASN1_PARSE_C" >> "$CONFIG_H" 3122 echo "#define MBEDTLS_ASN1_WRITE_C" >> "$CONFIG_H" 3123 # - MD_C for HKDF_C 3124 echo "#define MBEDTLS_MD_C" >> "$CONFIG_H" 3125 3126 # Config adjustments for better test coverage in our environment. 3127 # These are not needed just to build and pass tests. 3128 # 3129 # Enable filesystem I/O for the benefit of PK parse/write tests. 3130 echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" 3131 # Disable this for maximal ASan efficiency 3132 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3133 3134 # Config adjustments for features that are not supported 3135 # when using only drivers / by p256-m 3136 # 3137 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 3138 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 3139 # Disable deterministic ECDSA as p256-m only does randomized 3140 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA 3141 3142} 3143 3144# Keep this in sync with component_test_tfm_config() as they are both meant 3145# to be used in analyze_outcomes.py for driver's coverage analysis. 3146component_test_tfm_config_p256m_driver_accel_ec () { 3147 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 3148 3149 common_tfm_config 3150 3151 # Build crypto library specifying we want to use P256M code for EC operations 3152 make CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_P256M_DRIVER_ENABLED -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS" 3153 3154 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 3155 not grep mbedtls_ecdsa_ library/ecdsa.o 3156 not grep mbedtls_ecdh_ library/ecdh.o 3157 not grep mbedtls_ecjpake_ library/ecjpake.o 3158 # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled 3159 not grep mbedtls_ecp_ library/ecp.o 3160 not grep mbedtls_rsa_ library/rsa.o 3161 not grep mbedtls_dhm_ library/dhm.o 3162 not grep mbedtls_mpi_ library/bignum.o 3163 3164 # Run the tests 3165 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 3166 make test 3167} 3168 3169# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as 3170# they are both meant to be used in analyze_outcomes.py for driver's coverage 3171# analysis. 3172component_test_tfm_config() { 3173 common_tfm_config 3174 3175 msg "build: TF-M config" 3176 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests 3177 3178 msg "test: TF-M config" 3179 make test 3180} 3181 3182# Common helper for component_full_without_ecdhe_ecdsa() and 3183# component_full_without_ecdhe_ecdsa_and_tls13() which: 3184# - starts from the "full" configuration minus the list of symbols passed in 3185# as 1st parameter 3186# - build 3187# - test only TLS (i.e. test_suite_tls and ssl-opt) 3188build_full_minus_something_and_test_tls () { 3189 symbols_to_disable="$1" 3190 3191 msg "build: full minus something, test TLS" 3192 3193 scripts/config.py full 3194 for sym in $symbols_to_disable; do 3195 echo "Disabling $sym" 3196 scripts/config.py unset $sym 3197 done 3198 3199 make 3200 3201 msg "test: full minus something, test TLS" 3202 ( cd tests; ./test_suite_ssl ) 3203 3204 msg "ssl-opt: full minus something, test TLS" 3205 tests/ssl-opt.sh 3206} 3207 3208component_full_without_ecdhe_ecdsa () { 3209 build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" 3210} 3211 3212component_full_without_ecdhe_ecdsa_and_tls13 () { 3213 build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 3214 MBEDTLS_SSL_PROTO_TLS1_3" 3215} 3216 3217# This is an helper used by: 3218# - component_test_psa_ecc_key_pair_no_derive 3219# - component_test_psa_ecc_key_pair_no_generate 3220# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols 3221# enabled, but one. Input arguments are as follows: 3222# - $1 is the key type under test, i.e. ECC/RSA/DH 3223# - $2 is the key option to be unset (i.e. generate, derive, etc) 3224build_and_test_psa_want_key_pair_partial() { 3225 key_type=$1 3226 unset_option=$2 3227 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" 3228 3229 msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" 3230 scripts/config.py full 3231 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3232 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3233 3234 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in 3235 # crypto_config.h so we just disable the one we don't want. 3236 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" 3237 3238 make CC=gcc CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 3239 3240 msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" 3241 make test 3242} 3243 3244component_test_psa_ecc_key_pair_no_derive() { 3245 build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" 3246} 3247 3248component_test_psa_ecc_key_pair_no_generate() { 3249 build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" 3250} 3251 3252component_test_psa_crypto_config_accel_rsa_signature () { 3253 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" 3254 3255 loc_accel_list="ALG_RSA_PKCS1V15_SIGN ALG_RSA_PSS KEY_TYPE_RSA_KEY_PAIR KEY_TYPE_RSA_PUBLIC_KEY" 3256 3257 # Configure 3258 # --------- 3259 3260 # Start from default config (no TLS 1.3, no USE_PSA) 3261 helper_libtestdriver1_adjust_config "default" 3262 3263 # It seems it is not possible to remove only the support for RSA signature 3264 # in the library. Thus we have to remove all RSA support (signature and 3265 # encryption/decryption). AS there is no driver support for asymmetric 3266 # encryption/decryption so far remove RSA encryption/decryption from the 3267 # application algorithm list. 3268 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 3269 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 3270 3271 # Remove RSA support and its dependencies 3272 scripts/config.py unset MBEDTLS_RSA_C 3273 scripts/config.py unset MBEDTLS_PKCS1_V15 3274 scripts/config.py unset MBEDTLS_PKCS1_V21 3275 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 3276 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 3277 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 3278 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 3279 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 3280 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 3281 3282 # Make sure both the library and the test library support the SHA hash 3283 # algorithms and only those ones (SHA256 is included by default). That way: 3284 # - the test library can compute the RSA signatures even in the case of a 3285 # composite RSA signature algorithm based on a SHA hash (no other hash 3286 # used in the unit tests). 3287 # - the dependency of RSA signature tests on PSA_WANT_ALG_SHA_xyz is 3288 # fulfilled as the hash SHA algorithm is supported by the library, and 3289 # thus the tests are run, not skipped. 3290 # - when testing a signature key with an algorithm wildcard built from 3291 # PSA_ALG_ANY_HASH as algorithm to test with the key, the chosen hash 3292 # algorithm based on the hashes supported by the library is also 3293 # supported by the test library. 3294 # Disable unwanted hashes here, we'll enable hashes we want in loc_extra_list. 3295 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3296 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160_C 3297 scripts/config.py unset MBEDTLS_MD5_C 3298 scripts/config.py unset MBEDTLS_RIPEMD160_C 3299 3300 # We need PEM parsing in the test library as well to support the import 3301 # of PEM encoded RSA keys. 3302 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C 3303 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C 3304 3305 # Build 3306 # ----- 3307 3308 # These hashes are needed for some RSA-PSS signature tests. 3309 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 3310 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 3311 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 3312 3313 helper_libtestdriver1_make_main "$loc_accel_list" 3314 3315 # Make sure this was not re-enabled by accident (additive config) 3316 not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o 3317 not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o 3318 3319 # Run the tests 3320 # ------------- 3321 3322 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" 3323 make test 3324} 3325 3326# This is a temporary test to verify that full RSA support is present even when 3327# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. 3328component_test_new_psa_want_key_pair_symbol() { 3329 msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 3330 3331 # Create a temporary output file unless there is already one set 3332 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then 3333 REMOVE_OUTCOME_ON_EXIT="no" 3334 else 3335 REMOVE_OUTCOME_ON_EXIT="yes" 3336 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" 3337 export MBEDTLS_TEST_OUTCOME_FILE 3338 fi 3339 3340 # Start from crypto configuration 3341 scripts/config.py crypto 3342 3343 # Remove RSA support and its dependencies 3344 scripts/config.py unset MBEDTLS_PKCS1_V15 3345 scripts/config.py unset MBEDTLS_PKCS1_V21 3346 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 3347 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 3348 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 3349 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 3350 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 3351 scripts/config.py unset MBEDTLS_RSA_C 3352 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 3353 3354 # Enable PSA support 3355 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 3356 3357 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure 3358 # that proper translations is done in crypto_legacy.h. 3359 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 3360 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 3361 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 3362 3363 make 3364 3365 msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 3366 make test 3367 3368 # Parse only 1 relevant line from the outcome file, i.e. a test which is 3369 # performing RSA signature. 3370 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" 3371 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" 3372 3373 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then 3374 rm $MBEDTLS_TEST_OUTCOME_FILE 3375 fi 3376} 3377 3378component_test_psa_crypto_config_accel_hash () { 3379 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" 3380 3381 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 3382 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 3383 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 3384 3385 # Configure 3386 # --------- 3387 3388 # Start from default config (no TLS 1.3, no USE_PSA) 3389 helper_libtestdriver1_adjust_config "default" 3390 3391 # Disable the things that are being accelerated 3392 scripts/config.py unset MBEDTLS_MD5_C 3393 scripts/config.py unset MBEDTLS_RIPEMD160_C 3394 scripts/config.py unset MBEDTLS_SHA1_C 3395 scripts/config.py unset MBEDTLS_SHA224_C 3396 scripts/config.py unset MBEDTLS_SHA256_C 3397 scripts/config.py unset MBEDTLS_SHA384_C 3398 scripts/config.py unset MBEDTLS_SHA512_C 3399 scripts/config.py unset MBEDTLS_SHA3_C 3400 3401 # Build 3402 # ----- 3403 3404 helper_libtestdriver1_make_drivers "$loc_accel_list" 3405 3406 helper_libtestdriver1_make_main "$loc_accel_list" 3407 3408 # There's a risk of something getting re-enabled via config_psa.h; 3409 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 3410 not grep mbedtls_md5 library/md5.o 3411 not grep mbedtls_sha1 library/sha1.o 3412 not grep mbedtls_sha256 library/sha256.o 3413 not grep mbedtls_sha512 library/sha512.o 3414 not grep mbedtls_ripemd160 library/ripemd160.o 3415 3416 # Run the tests 3417 # ------------- 3418 3419 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" 3420 make test 3421} 3422 3423component_test_psa_crypto_config_accel_hash_keep_builtins () { 3424 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" 3425 # This component ensures that all the test cases for 3426 # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run. 3427 3428 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 3429 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 3430 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 3431 3432 # Start from default config (no TLS 1.3, no USE_PSA) 3433 helper_libtestdriver1_adjust_config "default" 3434 3435 helper_libtestdriver1_make_drivers "$loc_accel_list" 3436 3437 helper_libtestdriver1_make_main "$loc_accel_list" 3438 3439 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" 3440 make test 3441} 3442 3443# Auxiliary function to build config for hashes with and without drivers 3444config_psa_crypto_hash_use_psa () { 3445 driver_only="$1" 3446 # start with config full for maximum coverage (also enables USE_PSA) 3447 helper_libtestdriver1_adjust_config "full" 3448 if [ "$driver_only" -eq 1 ]; then 3449 # disable the built-in implementation of hashes 3450 scripts/config.py unset MBEDTLS_MD5_C 3451 scripts/config.py unset MBEDTLS_RIPEMD160_C 3452 scripts/config.py unset MBEDTLS_SHA1_C 3453 scripts/config.py unset MBEDTLS_SHA224_C 3454 scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below 3455 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 3456 scripts/config.py unset MBEDTLS_SHA384_C 3457 scripts/config.py unset MBEDTLS_SHA512_C 3458 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 3459 scripts/config.py unset MBEDTLS_SHA3_C 3460 fi 3461} 3462 3463# Note that component_test_psa_crypto_config_reference_hash_use_psa 3464# is related to this component and both components need to be kept in sync. 3465# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. 3466component_test_psa_crypto_config_accel_hash_use_psa () { 3467 msg "test: full with accelerated hashes" 3468 3469 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 3470 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 3471 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 3472 3473 # Configure 3474 # --------- 3475 3476 config_psa_crypto_hash_use_psa 1 3477 3478 # Build 3479 # ----- 3480 3481 helper_libtestdriver1_make_drivers "$loc_accel_list" 3482 3483 helper_libtestdriver1_make_main "$loc_accel_list" 3484 3485 # There's a risk of something getting re-enabled via config_psa.h; 3486 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 3487 not grep mbedtls_md5 library/md5.o 3488 not grep mbedtls_sha1 library/sha1.o 3489 not grep mbedtls_sha256 library/sha256.o 3490 not grep mbedtls_sha512 library/sha512.o 3491 not grep mbedtls_ripemd160 library/ripemd160.o 3492 3493 # Run the tests 3494 # ------------- 3495 3496 msg "test: full with accelerated hashes" 3497 make test 3498 3499 # This is mostly useful so that we can later compare outcome files with 3500 # the reference config in analyze_outcomes.py, to check that the 3501 # dependency declarations in ssl-opt.sh and in TLS code are correct. 3502 msg "test: ssl-opt.sh, full with accelerated hashes" 3503 tests/ssl-opt.sh 3504 3505 # This is to make sure all ciphersuites are exercised, but we don't need 3506 # interop testing (besides, we already got some from ssl-opt.sh). 3507 msg "test: compat.sh, full with accelerated hashes" 3508 tests/compat.sh -p mbedTLS -V YES 3509} 3510 3511# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa 3512# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py 3513# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). 3514# Both components need to be kept in sync. 3515component_test_psa_crypto_config_reference_hash_use_psa() { 3516 msg "test: full without accelerated hashes" 3517 3518 config_psa_crypto_hash_use_psa 0 3519 3520 make 3521 3522 msg "test: full without accelerated hashes" 3523 make test 3524 3525 msg "test: ssl-opt.sh, full without accelerated hashes" 3526 tests/ssl-opt.sh 3527} 3528 3529component_test_psa_crypto_config_accel_cipher () { 3530 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher" 3531 3532 loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS KEY_TYPE_DES" 3533 3534 # Configure 3535 # --------- 3536 3537 # Start from the default config (no TLS 1.3, no USE_PSA) 3538 helper_libtestdriver1_adjust_config "default" 3539 3540 # There is no intended accelerator support for ALG CMAC. Therefore, asking 3541 # for it in the build implies the inclusion of the Mbed TLS cipher 3542 # operations. As we want to test here with cipher operations solely 3543 # supported by accelerators, disabled this PSA configuration option. 3544 # (Note: the same applies to STREAM_CIPHER and ECB_NO_PADDING, which are 3545 # already disabled by helper_libtestdriver1_adjust_config above.) 3546 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC 3547 3548 # Disable the things that are being accelerated 3549 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 3550 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 3551 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR 3552 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB 3553 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB 3554 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 3555 scripts/config.py unset MBEDTLS_DES_C 3556 3557 # Build 3558 # ----- 3559 3560 helper_libtestdriver1_make_drivers "$loc_accel_list" 3561 3562 helper_libtestdriver1_make_main "$loc_accel_list" 3563 3564 # Make sure this was not re-enabled by accident (additive config) 3565 not grep mbedtls_des* library/des.o 3566 3567 # Run the tests 3568 # ------------- 3569 3570 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher" 3571 make test 3572} 3573 3574component_test_psa_crypto_config_accel_aead () { 3575 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" 3576 3577 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 3578 3579 # Configure 3580 # --------- 3581 3582 # Start from default config (no TLS 1.3, no USE_PSA) 3583 helper_libtestdriver1_adjust_config "default" 3584 3585 # Disable things that are being accelerated 3586 scripts/config.py unset MBEDTLS_GCM_C 3587 scripts/config.py unset MBEDTLS_CCM_C 3588 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 3589 # Features that depend on AEAD 3590 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION 3591 scripts/config.py unset MBEDTLS_SSL_TICKET_C 3592 3593 # Build 3594 # ----- 3595 3596 helper_libtestdriver1_make_drivers "$loc_accel_list" 3597 3598 helper_libtestdriver1_make_main "$loc_accel_list" 3599 3600 # Make sure this was not re-enabled by accident (additive config) 3601 not grep mbedtls_ccm library/ccm.o 3602 not grep mbedtls_gcm library/gcm.o 3603 not grep mbedtls_chachapoly library/chachapoly.o 3604 3605 # Run the tests 3606 # ------------- 3607 3608 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" 3609 make test 3610} 3611 3612component_test_aead_chachapoly_disabled() { 3613 msg "build: full minus CHACHAPOLY" 3614 scripts/config.py full 3615 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 3616 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 3617 make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" 3618 3619 msg "test: full minus CHACHAPOLY" 3620 make test 3621} 3622 3623component_test_aead_only_ccm() { 3624 msg "build: full minus CHACHAPOLY and GCM" 3625 scripts/config.py full 3626 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 3627 scripts/config.py unset MBEDTLS_GCM_C 3628 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 3629 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM 3630 make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" 3631 3632 msg "test: full minus CHACHAPOLY and GCM" 3633 make test 3634} 3635 3636component_test_ccm_aes_sha256() { 3637 msg "build: CCM + AES + SHA256 configuration" 3638 3639 cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H" 3640 cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" 3641 3642 make CC=gcc 3643 3644 msg "test: CCM + AES + SHA256 configuration" 3645 make test 3646} 3647 3648# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. 3649component_build_psa_accel_alg_ecdh() { 3650 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" 3651 scripts/config.py full 3652 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3653 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3654 scripts/config.py unset MBEDTLS_ECDH_C 3655 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 3656 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 3657 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 3658 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 3659 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 3660 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3661 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3662} 3663 3664# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. 3665component_build_psa_accel_alg_hmac() { 3666 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" 3667 scripts/config.py full 3668 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3669 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3670 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3671 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3672} 3673 3674# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. 3675component_build_psa_accel_alg_hkdf() { 3676 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" 3677 scripts/config.py full 3678 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3679 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3680 scripts/config.py unset MBEDTLS_HKDF_C 3681 # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. 3682 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3683 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3684 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3685} 3686 3687# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. 3688component_build_psa_accel_alg_md5() { 3689 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" 3690 scripts/config.py full 3691 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3692 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3693 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 3694 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 3695 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 3696 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 3697 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 3698 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 3699 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 3700 scripts/config.py unset MBEDTLS_LMS_C 3701 scripts/config.py unset MBEDTLS_LMS_PRIVATE 3702 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3703 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3704} 3705 3706# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. 3707component_build_psa_accel_alg_ripemd160() { 3708 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" 3709 scripts/config.py full 3710 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3711 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3712 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3713 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 3714 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 3715 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 3716 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 3717 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 3718 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 3719 scripts/config.py unset MBEDTLS_LMS_C 3720 scripts/config.py unset MBEDTLS_LMS_PRIVATE 3721 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3722 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3723} 3724 3725# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. 3726component_build_psa_accel_alg_sha1() { 3727 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" 3728 scripts/config.py full 3729 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3730 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3731 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3732 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 3733 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 3734 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 3735 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 3736 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 3737 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 3738 scripts/config.py unset MBEDTLS_LMS_C 3739 scripts/config.py unset MBEDTLS_LMS_PRIVATE 3740 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3741 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3742} 3743 3744# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. 3745component_build_psa_accel_alg_sha224() { 3746 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" 3747 scripts/config.py full 3748 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3749 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3750 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3751 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 3752 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 3753 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 3754 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 3755 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 3756 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3757 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3758} 3759 3760# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. 3761component_build_psa_accel_alg_sha256() { 3762 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" 3763 scripts/config.py full 3764 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3765 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3766 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3767 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 3768 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 3769 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 3770 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 3771 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 3772 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3773 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3774} 3775 3776# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. 3777component_build_psa_accel_alg_sha384() { 3778 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" 3779 scripts/config.py full 3780 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3781 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3782 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3783 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 3784 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 3785 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 3786 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 3787 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 3788 scripts/config.py unset MBEDTLS_LMS_C 3789 scripts/config.py unset MBEDTLS_LMS_PRIVATE 3790 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3791 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3792} 3793 3794# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. 3795component_build_psa_accel_alg_sha512() { 3796 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" 3797 scripts/config.py full 3798 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3799 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3800 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 3801 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 3802 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 3803 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 3804 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 3805 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 3806 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 3807 scripts/config.py unset MBEDTLS_LMS_C 3808 scripts/config.py unset MBEDTLS_LMS_PRIVATE 3809 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3810 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3811} 3812 3813# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 3814component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { 3815 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 3816 scripts/config.py full 3817 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3818 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3819 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 3820 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 3821 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 3822 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 3823 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3824 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3825} 3826 3827# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 3828component_build_psa_accel_alg_rsa_pkcs1v15_sign() { 3829 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 3830 scripts/config.py full 3831 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3832 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3833 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 3834 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 3835 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 3836 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 3837 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3838 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3839} 3840 3841# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 3842component_build_psa_accel_alg_rsa_oaep() { 3843 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 3844 scripts/config.py full 3845 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3846 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3847 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1 3848 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 3849 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 3850 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 3851 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3852 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3853} 3854 3855# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 3856component_build_psa_accel_alg_rsa_pss() { 3857 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 3858 scripts/config.py full 3859 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3860 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3861 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 3862 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 3863 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 3864 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 3865 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3866 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3867} 3868 3869# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 3870component_build_psa_accel_key_type_rsa_key_pair() { 3871 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS" 3872 scripts/config.py full 3873 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3874 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3875 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 3876 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 3877 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 3878 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 3879 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 3880 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3881 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3882} 3883 3884# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 3885component_build_psa_accel_key_type_rsa_public_key() { 3886 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" 3887 scripts/config.py full 3888 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 3889 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 3890 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 3891 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 3892 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 3893 make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" 3894} 3895 3896 3897support_build_tfm_armcc () { 3898 armc6_cc="$ARMC6_BIN_DIR/armclang" 3899 (check_tools "$armc6_cc" > /dev/null 2>&1) 3900} 3901 3902component_build_tfm_armcc() { 3903 # test the TF-M configuration can build cleanly with various warning flags enabled 3904 cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" 3905 cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" 3906 3907 msg "build: TF-M config, armclang armv7-m thumb2" 3908 make clean 3909 armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" 3910} 3911 3912component_build_tfm() { 3913 # test the TF-M configuration can build cleanly with various warning flags enabled 3914 cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" 3915 cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" 3916 3917 msg "build: TF-M config, clang, armv7-m thumb2" 3918 make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" 3919 3920 msg "build: TF-M config, gcc native build" 3921 make clean 3922 make lib CC="gcc" CFLAGS="-Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wformat-signedness -Wlogical-op -I../tests/include/spe" 3923} 3924 3925component_build_aes_variations() { # ~45s 3926 # aes.o has many #if defined(...) guards that intersect in complex ways. 3927 # Test that all the combinations build cleanly. The most common issue is 3928 # unused variables/functions, so ensure -Wunused is set. 3929 3930 msg "build: aes.o for all combinations of relevant config options" 3931 3932 for a in set unset; do 3933 for b in set unset; do 3934 for c in set unset; do 3935 for d in set unset; do 3936 for e in set unset; do 3937 for f in set unset; do 3938 for g in set unset; do 3939 echo ./scripts/config.py $a MBEDTLS_AES_SETKEY_ENC_ALT 3940 echo ./scripts/config.py $b MBEDTLS_AES_DECRYPT_ALT 3941 echo ./scripts/config.py $c MBEDTLS_AES_ROM_TABLES 3942 echo ./scripts/config.py $d MBEDTLS_AES_ENCRYPT_ALT 3943 echo ./scripts/config.py $e MBEDTLS_AES_SETKEY_DEC_ALT 3944 echo ./scripts/config.py $f MBEDTLS_AES_FEWER_TABLES 3945 echo ./scripts/config.py $g MBEDTLS_PADLOCK_C 3946 3947 ./scripts/config.py $a MBEDTLS_AES_SETKEY_ENC_ALT 3948 ./scripts/config.py $b MBEDTLS_AES_DECRYPT_ALT 3949 ./scripts/config.py $c MBEDTLS_AES_ROM_TABLES 3950 ./scripts/config.py $d MBEDTLS_AES_ENCRYPT_ALT 3951 ./scripts/config.py $e MBEDTLS_AES_SETKEY_DEC_ALT 3952 ./scripts/config.py $f MBEDTLS_AES_FEWER_TABLES 3953 ./scripts/config.py $g MBEDTLS_PADLOCK_C 3954 3955 rm -f library/aes.o 3956 make -C library aes.o CC="clang" CFLAGS="-O0 -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" 3957 done 3958 done 3959 done 3960 done 3961 done 3962 done 3963 done 3964} 3965 3966component_test_no_platform () { 3967 # Full configuration build, without platform support, file IO and net sockets. 3968 # This should catch missing mbedtls_printf definitions, and by disabling file 3969 # IO, it should catch missing '#include <stdio.h>' 3970 msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s 3971 scripts/config.py full 3972 scripts/config.py unset MBEDTLS_PLATFORM_C 3973 scripts/config.py unset MBEDTLS_NET_C 3974 scripts/config.py unset MBEDTLS_PLATFORM_MEMORY 3975 scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT 3976 scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT 3977 scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT 3978 scripts/config.py unset MBEDTLS_PLATFORM_VSNPRINTF_ALT 3979 scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT 3980 scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT 3981 scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT 3982 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 3983 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 3984 scripts/config.py unset MBEDTLS_FS_IO 3985 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 3986 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 3987 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C 3988 # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, 3989 # to re-enable platform integration features otherwise disabled in C99 builds 3990 make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs 3991 make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test 3992} 3993 3994component_build_no_std_function () { 3995 # catch compile bugs in _uninit functions 3996 msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s 3997 scripts/config.py full 3998 scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 3999 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 4000 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 4001 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check . 4002 make 4003} 4004 4005component_build_no_ssl_srv () { 4006 msg "build: full config except SSL server, make, gcc" # ~ 30s 4007 scripts/config.py full 4008 scripts/config.py unset MBEDTLS_SSL_SRV_C 4009 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' 4010} 4011 4012component_build_no_ssl_cli () { 4013 msg "build: full config except SSL client, make, gcc" # ~ 30s 4014 scripts/config.py full 4015 scripts/config.py unset MBEDTLS_SSL_CLI_C 4016 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' 4017} 4018 4019component_build_no_sockets () { 4020 # Note, C99 compliance can also be tested with the sockets support disabled, 4021 # as that requires a POSIX platform (which isn't the same as C99). 4022 msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s 4023 scripts/config.py full 4024 scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. 4025 scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux 4026 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib 4027} 4028 4029component_test_memory_buffer_allocator_backtrace () { 4030 msg "build: default config with memory buffer allocator and backtrace enabled" 4031 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C 4032 scripts/config.py set MBEDTLS_PLATFORM_MEMORY 4033 scripts/config.py set MBEDTLS_MEMORY_BACKTRACE 4034 scripts/config.py set MBEDTLS_MEMORY_DEBUG 4035 CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release . 4036 make 4037 4038 msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" 4039 make test 4040} 4041 4042component_test_memory_buffer_allocator () { 4043 msg "build: default config with memory buffer allocator" 4044 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C 4045 scripts/config.py set MBEDTLS_PLATFORM_MEMORY 4046 CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release . 4047 make 4048 4049 msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" 4050 make test 4051 4052 msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C" 4053 # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out. 4054 tests/ssl-opt.sh -e '^DTLS proxy' 4055} 4056 4057component_test_no_max_fragment_length () { 4058 # Run max fragment length tests with MFL disabled 4059 msg "build: default config except MFL extension (ASan build)" # ~ 30s 4060 scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 4061 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4062 make 4063 4064 msg "test: ssl-opt.sh, MFL-related tests" 4065 tests/ssl-opt.sh -f "Max fragment length" 4066} 4067 4068component_test_asan_remove_peer_certificate () { 4069 msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" 4070 scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 4071 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4072 make 4073 4074 msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" 4075 make test 4076 4077 msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" 4078 tests/ssl-opt.sh 4079 4080 msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" 4081 tests/compat.sh 4082 4083 msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" 4084 tests/context-info.sh 4085} 4086 4087component_test_no_max_fragment_length_small_ssl_out_content_len () { 4088 msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" 4089 scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 4090 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 4091 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 4092 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4093 make 4094 4095 msg "test: MFL tests (disabled MFL extension case) & large packet tests" 4096 tests/ssl-opt.sh -f "Max fragment length\|Large buffer" 4097 4098 msg "test: context-info.sh (disabled MFL extension case)" 4099 tests/context-info.sh 4100} 4101 4102component_test_variable_ssl_in_out_buffer_len () { 4103 msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)" 4104 scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 4105 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4106 make 4107 4108 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" 4109 make test 4110 4111 msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" 4112 tests/ssl-opt.sh 4113 4114 msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" 4115 tests/compat.sh 4116} 4117 4118component_test_dtls_cid_legacy () { 4119 msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" 4120 scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 4121 4122 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4123 make 4124 4125 msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" 4126 make test 4127 4128 msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" 4129 tests/ssl-opt.sh 4130 4131 msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" 4132 tests/compat.sh 4133} 4134 4135component_test_ssl_alloc_buffer_and_mfl () { 4136 msg "build: default config with memory buffer allocator and MFL extension" 4137 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C 4138 scripts/config.py set MBEDTLS_PLATFORM_MEMORY 4139 scripts/config.py set MBEDTLS_MEMORY_DEBUG 4140 scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 4141 scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 4142 CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release . 4143 make 4144 4145 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" 4146 make test 4147 4148 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" 4149 tests/ssl-opt.sh -f "Handshake memory usage" 4150} 4151 4152component_test_when_no_ciphersuites_have_mac () { 4153 msg "build: when no ciphersuites have MAC" 4154 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER 4155 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 4156 scripts/config.py unset MBEDTLS_CMAC_C 4157 make 4158 4159 msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC" 4160 make test 4161 4162 msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_MODES_USE_MAC" 4163 tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' 4164} 4165 4166component_test_no_date_time () { 4167 msg "build: default config without MBEDTLS_HAVE_TIME_DATE" 4168 scripts/config.py unset MBEDTLS_HAVE_TIME_DATE 4169 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check . 4170 make 4171 4172 msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites" 4173 make test 4174} 4175 4176component_test_platform_calloc_macro () { 4177 msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)" 4178 scripts/config.py set MBEDTLS_PLATFORM_MEMORY 4179 scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc 4180 scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO free 4181 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4182 make 4183 4184 msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)" 4185 make test 4186} 4187 4188component_test_malloc_0_null () { 4189 msg "build: malloc(0) returns NULL (ASan+UBSan build)" 4190 scripts/config.py full 4191 make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS" 4192 4193 msg "test: malloc(0) returns NULL (ASan+UBSan build)" 4194 make test 4195 4196 msg "selftest: malloc(0) returns NULL (ASan+UBSan build)" 4197 # Just the calloc selftest. "make test" ran the others as part of the 4198 # test suites. 4199 programs/test/selftest calloc 4200 4201 msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)" 4202 # Run a subset of the tests. The choice is a balance between coverage 4203 # and time (including time indirectly wasted due to flaky tests). 4204 # The current choice is to skip tests whose description includes 4205 # "proxy", which is an approximation of skipping tests that use the 4206 # UDP proxy, which tend to be slower and flakier. 4207 tests/ssl-opt.sh -e 'proxy' 4208} 4209 4210support_test_aesni() { 4211 # Check that gcc targets x86_64 (we can build AESNI), and check for 4212 # AESNI support on the host (we can run AESNI). 4213 # 4214 # The name of this function is possibly slightly misleading, but needs to align 4215 # with the name of the corresponding test, component_test_aesni. 4216 # 4217 # In principle 32-bit x86 can support AESNI, but our implementation does not 4218 # support 32-bit x86, so we check for x86-64. 4219 # We can only grep /proc/cpuinfo on Linux, so this also checks for Linux 4220 (gcc -v 2>&1 | grep Target | grep -q x86_64) && 4221 [[ "$HOSTTYPE" == "x86_64" && "$OSTYPE" == "linux-gnu" ]] && 4222 (lscpu | grep -qw aes) 4223} 4224 4225component_test_aesni () { # ~ 60s 4226 # This tests the two AESNI implementations (intrinsics and assembly), and also the plain C 4227 # fallback. It also tests the logic that is used to select which implementation(s) to build. 4228 # 4229 # This test does not require the host to have support for AESNI (if it doesn't, the run-time 4230 # AESNI detection will fallback to the plain C implementation, so the tests will instead 4231 # exercise the plain C impl). 4232 4233 msg "build: default config with different AES implementations" 4234 scripts/config.py set MBEDTLS_AESNI_C 4235 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 4236 scripts/config.py set MBEDTLS_HAVE_ASM 4237 4238 # test the intrinsics implementation 4239 msg "AES tests, test intrinsics" 4240 make clean 4241 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' 4242 # check that we built intrinsics - this should be used by default when supported by the compiler 4243 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" 4244 4245 # test the asm implementation 4246 msg "AES tests, test assembly" 4247 make clean 4248 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes' 4249 # check that we built assembly - this should be built if the compiler does not support intrinsics 4250 ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly" 4251 4252 # test the plain C implementation 4253 scripts/config.py unset MBEDTLS_AESNI_C 4254 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 4255 msg "AES tests, plain C" 4256 make clean 4257 make CC=gcc CFLAGS='-O2 -Werror' 4258 # check that there is no AESNI code present 4259 ./programs/test/selftest aes | not grep -q "AESNI code" 4260 not grep -q "AES note: using AESNI" ./programs/test/selftest 4261 grep -q "AES note: built-in implementation." ./programs/test/selftest 4262 4263 # test the intrinsics implementation 4264 scripts/config.py set MBEDTLS_AESNI_C 4265 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY 4266 msg "AES tests, test AESNI only" 4267 make clean 4268 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' 4269 ./programs/test/selftest aes | grep -q "AES note: using AESNI" 4270 ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." 4271 grep -q "AES note: using AESNI" ./programs/test/selftest 4272 not grep -q "AES note: built-in implementation." ./programs/test/selftest 4273} 4274 4275 4276 4277support_test_aesni_m32() { 4278 support_test_m32_o0 && (lscpu | grep -qw aes) 4279} 4280 4281component_test_aesni_m32 () { # ~ 60s 4282 # This tests are duplicated from component_test_aesni for i386 target 4283 # 4284 # AESNI intrinsic code supports i386 and assembly code does not support it. 4285 4286 msg "build: default config with different AES implementations" 4287 scripts/config.py set MBEDTLS_AESNI_C 4288 scripts/config.py set MBEDTLS_PADLOCK_C 4289 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 4290 scripts/config.py set MBEDTLS_HAVE_ASM 4291 4292 # test the intrinsics implementation 4293 msg "AES tests, test intrinsics" 4294 make clean 4295 make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' 4296 # check that we built intrinsics - this should be used by default when supported by the compiler 4297 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" 4298 grep -q "AES note: using AESNI" ./programs/test/selftest 4299 grep -q "AES note: built-in implementation." ./programs/test/selftest 4300 grep -q "AES note: using VIA Padlock" ./programs/test/selftest 4301 grep -q mbedtls_aesni_has_support ./programs/test/selftest 4302 4303 scripts/config.py set MBEDTLS_AESNI_C 4304 scripts/config.py unset MBEDTLS_PADLOCK_C 4305 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY 4306 msg "AES tests, test AESNI only" 4307 make clean 4308 make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' 4309 ./programs/test/selftest aes | grep -q "AES note: using AESNI" 4310 ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." 4311 grep -q "AES note: using AESNI" ./programs/test/selftest 4312 not grep -q "AES note: built-in implementation." ./programs/test/selftest 4313 not grep -q "AES note: using VIA Padlock" ./programs/test/selftest 4314 not grep -q mbedtls_aesni_has_support ./programs/test/selftest 4315} 4316 4317# For timebeing, no aarch64 gcc available in CI and no arm64 CI node. 4318component_build_aes_aesce_armcc () { 4319 msg "Build: AESCE test on arm64 platform without plain C." 4320 scripts/config.py baremetal 4321 4322 # armc[56] don't support SHA-512 intrinsics 4323 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 4324 4325 # Stop armclang warning about feature detection for A64_CRYPTO. 4326 # With this enabled, the library does build correctly under armclang, 4327 # but in baremetal builds (as tested here), feature detection is 4328 # unavailable, and the user is notified via a #warning. So enabling 4329 # this feature would prevent us from building with -Werror on 4330 # armclang. Tracked in #7198. 4331 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 4332 scripts/config.py set MBEDTLS_HAVE_ASM 4333 4334 msg "AESCE, build with default configuration." 4335 scripts/config.py set MBEDTLS_AESCE_C 4336 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 4337 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 4338 4339 msg "AESCE, build AESCE only" 4340 scripts/config.py set MBEDTLS_AESCE_C 4341 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY 4342 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 4343} 4344 4345# For timebeing, no VIA Padlock platform available. 4346component_build_aes_via_padlock () { 4347 4348 msg "AES:VIA PadLock, build with default configuration." 4349 scripts/config.py unset MBEDTLS_AESNI_C 4350 scripts/config.py set MBEDTLS_PADLOCK_C 4351 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 4352 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" 4353 grep -q mbedtls_padlock_has_support ./programs/test/selftest 4354 4355} 4356 4357support_build_aes_via_padlock_only () { 4358 ( [ "$MBEDTLS_TEST_PLATFORM" == "Linux-x86_64" ] || \ 4359 [ "$MBEDTLS_TEST_PLATFORM" == "Linux-amd64" ] ) && \ 4360 [ "`dpkg --print-foreign-architectures`" == "i386" ] 4361} 4362 4363support_build_aes_aesce_armcc () { 4364 support_build_armcc 4365} 4366 4367component_test_aes_only_128_bit_keys () { 4368 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" 4369 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 4370 scripts/config.py unset MBEDTLS_PADLOCK_C 4371 4372 make CC=gcc CFLAGS='-Werror -Wall -Wextra' 4373 4374 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" 4375 make test 4376} 4377 4378component_test_no_ctr_drbg_aes_only_128_bit_keys () { 4379 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 4380 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 4381 scripts/config.py unset MBEDTLS_CTR_DRBG_C 4382 scripts/config.py unset MBEDTLS_PADLOCK_C 4383 4384 make CC=clang CFLAGS='-Werror -Wall -Wextra' 4385 4386 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 4387 make test 4388} 4389 4390component_test_aes_only_128_bit_keys_have_builtins () { 4391 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 4392 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 4393 scripts/config.py unset MBEDTLS_PADLOCK_C 4394 scripts/config.py unset MBEDTLS_AESNI_C 4395 scripts/config.py unset MBEDTLS_AESCE_C 4396 4397 make CC=gcc CFLAGS='-Werror -Wall -Wextra' 4398 4399 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 4400 make test 4401 4402 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 4403 programs/test/selftest 4404} 4405 4406component_test_aes_fewer_tables () { 4407 msg "build: default config with AES_FEWER_TABLES enabled" 4408 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 4409 make CC=gcc CFLAGS='-Werror -Wall -Wextra' 4410 4411 msg "test: AES_FEWER_TABLES" 4412 make test 4413} 4414 4415component_test_aes_rom_tables () { 4416 msg "build: default config with AES_ROM_TABLES enabled" 4417 scripts/config.py set MBEDTLS_AES_ROM_TABLES 4418 make CC=gcc CFLAGS='-Werror -Wall -Wextra' 4419 4420 msg "test: AES_ROM_TABLES" 4421 make test 4422} 4423 4424component_test_aes_fewer_tables_and_rom_tables () { 4425 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" 4426 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 4427 scripts/config.py set MBEDTLS_AES_ROM_TABLES 4428 make CC=gcc CFLAGS='-Werror -Wall -Wextra' 4429 4430 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" 4431 make test 4432} 4433 4434component_test_ctr_drbg_aes_256_sha_256 () { 4435 msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 4436 scripts/config.py full 4437 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 4438 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 4439 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4440 make 4441 4442 msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 4443 make test 4444} 4445 4446component_test_ctr_drbg_aes_128_sha_512 () { 4447 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 4448 scripts/config.py full 4449 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 4450 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 4451 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4452 make 4453 4454 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 4455 make test 4456} 4457 4458component_test_ctr_drbg_aes_128_sha_256 () { 4459 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 4460 scripts/config.py full 4461 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 4462 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 4463 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 4464 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4465 make 4466 4467 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 4468 make test 4469} 4470 4471component_test_se_default () { 4472 msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C" 4473 scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C 4474 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" 4475 4476 msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C" 4477 make test 4478} 4479 4480component_test_psa_crypto_drivers () { 4481 msg "build: full + test drivers dispatching to builtins" 4482 scripts/config.py full 4483 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 4484 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" 4485 loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" 4486 loc_cflags="${loc_cflags} -I../tests/include -O2" 4487 4488 make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" 4489 4490 msg "test: full + test drivers dispatching to builtins" 4491 make test 4492} 4493 4494component_test_make_shared () { 4495 msg "build/test: make shared" # ~ 40s 4496 make SHARED=1 all check 4497 ldd programs/util/strerror | grep libmbedcrypto 4498 programs/test/dlopen_demo.sh 4499} 4500 4501component_test_cmake_shared () { 4502 msg "build/test: cmake shared" # ~ 2min 4503 cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On . 4504 make 4505 ldd programs/util/strerror | grep libmbedcrypto 4506 make test 4507 programs/test/dlopen_demo.sh 4508} 4509 4510test_build_opt () { 4511 info=$1 cc=$2; shift 2 4512 $cc --version 4513 for opt in "$@"; do 4514 msg "build/test: $cc $opt, $info" # ~ 30s 4515 make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror" 4516 # We're confident enough in compilers to not run _all_ the tests, 4517 # but at least run the unit tests. In particular, runs with 4518 # optimizations use inline assembly whereas runs with -O0 4519 # skip inline assembly. 4520 make test # ~30s 4521 make clean 4522 done 4523} 4524 4525# For FreeBSD we invoke the function by name so this condition is added 4526# to disable the existing test_clang_opt function for linux. 4527if [[ $(uname) != "Linux" ]]; then 4528 component_test_clang_opt () { 4529 scripts/config.py full 4530 test_build_opt 'full config' clang -O0 -Os -O2 4531 } 4532fi 4533 4534component_test_clang_latest_opt () { 4535 scripts/config.py full 4536 test_build_opt 'full config' "$CLANG_LATEST" -O0 -Os -O2 4537} 4538support_test_clang_latest_opt () { 4539 type "$CLANG_LATEST" >/dev/null 2>/dev/null 4540} 4541 4542component_test_clang_earliest_opt () { 4543 scripts/config.py full 4544 test_build_opt 'full config' "$CLANG_EARLIEST" -O0 4545} 4546support_test_clang_earliest_opt () { 4547 type "$CLANG_EARLIEST" >/dev/null 2>/dev/null 4548} 4549 4550component_test_gcc_latest_opt () { 4551 scripts/config.py full 4552 test_build_opt 'full config' "$GCC_LATEST" -O0 -Os -O2 4553} 4554support_test_gcc_latest_opt () { 4555 type "$GCC_LATEST" >/dev/null 2>/dev/null 4556} 4557 4558component_test_gcc_earliest_opt () { 4559 scripts/config.py full 4560 test_build_opt 'full config' "$GCC_EARLIEST" -O0 4561} 4562support_test_gcc_earliest_opt () { 4563 type "$GCC_EARLIEST" >/dev/null 2>/dev/null 4564} 4565 4566component_build_mbedtls_config_file () { 4567 msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s 4568 scripts/config.py -w full_config.h full 4569 echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H" 4570 make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'" 4571 # Make sure this feature is enabled. We'll disable it in the next phase. 4572 programs/test/query_compile_time_config MBEDTLS_NIST_KW_C 4573 make clean 4574 4575 msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE" 4576 # In the user config, disable one feature (for simplicity, pick a feature 4577 # that nothing else depends on). 4578 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h 4579 make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'" 4580 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C 4581 4582 rm -f user_config.h full_config.h 4583} 4584 4585component_build_psa_config_file () { 4586 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s 4587 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 4588 cp "$CRYPTO_CONFIG_H" psa_test_config.h 4589 echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" 4590 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" 4591 # Make sure this feature is enabled. We'll disable it in the next phase. 4592 programs/test/query_compile_time_config MBEDTLS_CMAC_C 4593 make clean 4594 4595 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s 4596 # In the user config, disable one feature, which will reflect on the 4597 # mbedtls configuration so we can query it with query_compile_time_config. 4598 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h 4599 scripts/config.py unset MBEDTLS_CMAC_C 4600 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" 4601 not programs/test/query_compile_time_config MBEDTLS_CMAC_C 4602 4603 rm -f psa_test_config.h psa_user_config.h 4604} 4605 4606component_build_psa_alt_headers () { 4607 msg "build: make with PSA alt headers" # ~20s 4608 4609 # Generate alternative versions of the substitutable headers with the 4610 # same content except different include guards. 4611 make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h 4612 4613 # Build the library and some programs. 4614 # Don't build the fuzzers to avoid having to go through hoops to set 4615 # a correct include path for programs/fuzz/Makefile. 4616 make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib 4617 make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" 4618 4619 # Check that we're getting the alternative include guards and not the 4620 # original include guards. 4621 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H 4622 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H 4623 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H 4624 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H 4625} 4626 4627component_test_m32_o0 () { 4628 # Build without optimization, so as to use portable C code (in a 32-bit 4629 # build) and not the i386-specific inline assembly. 4630 msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s 4631 scripts/config.py full 4632 scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers 4633 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS" 4634 4635 msg "test: i386, make, gcc -O0 (ASan build)" 4636 make test 4637} 4638support_test_m32_o0 () { 4639 case $(uname -m) in 4640 amd64|x86_64) true;; 4641 *) false;; 4642 esac 4643} 4644 4645component_test_m32_o2 () { 4646 # Build with optimization, to use the i386 specific inline assembly 4647 # and go faster for tests. 4648 msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s 4649 scripts/config.py full 4650 scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers 4651 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" 4652 4653 msg "test: i386, make, gcc -O2 (ASan build)" 4654 make test 4655 4656 msg "test ssl-opt.sh, i386, make, gcc-O2" 4657 tests/ssl-opt.sh 4658} 4659support_test_m32_o2 () { 4660 support_test_m32_o0 "$@" 4661} 4662 4663component_test_m32_everest () { 4664 msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min 4665 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 4666 scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers 4667 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" 4668 4669 msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s 4670 make test 4671 4672 msg "test: i386, Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s 4673 tests/ssl-opt.sh -f ECDH 4674 4675 msg "test: i386, Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min 4676 # Exclude some symmetric ciphers that are redundant here to gain time. 4677 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' 4678} 4679support_test_m32_everest () { 4680 support_test_m32_o0 "$@" 4681} 4682 4683component_test_mx32 () { 4684 msg "build: 64-bit ILP32, make, gcc" # ~ 30s 4685 scripts/config.py full 4686 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32' LDFLAGS='-mx32' 4687 4688 msg "test: 64-bit ILP32, make, gcc" 4689 make test 4690} 4691support_test_mx32 () { 4692 case $(uname -m) in 4693 amd64|x86_64) true;; 4694 *) false;; 4695 esac 4696} 4697 4698component_test_min_mpi_window_size () { 4699 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s 4700 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 4701 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 4702 make 4703 4704 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s 4705 make test 4706} 4707 4708component_test_have_int32 () { 4709 msg "build: gcc, force 32-bit bignum limbs" 4710 scripts/config.py unset MBEDTLS_HAVE_ASM 4711 scripts/config.py unset MBEDTLS_AESNI_C 4712 scripts/config.py unset MBEDTLS_PADLOCK_C 4713 scripts/config.py unset MBEDTLS_AESCE_C 4714 make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32' 4715 4716 msg "test: gcc, force 32-bit bignum limbs" 4717 make test 4718} 4719 4720component_test_have_int64 () { 4721 msg "build: gcc, force 64-bit bignum limbs" 4722 scripts/config.py unset MBEDTLS_HAVE_ASM 4723 scripts/config.py unset MBEDTLS_AESNI_C 4724 scripts/config.py unset MBEDTLS_PADLOCK_C 4725 scripts/config.py unset MBEDTLS_AESCE_C 4726 make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64' 4727 4728 msg "test: gcc, force 64-bit bignum limbs" 4729 make test 4730} 4731 4732component_test_have_int32_cmake_new_bignum () { 4733 msg "build: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)" 4734 scripts/config.py unset MBEDTLS_HAVE_ASM 4735 scripts/config.py unset MBEDTLS_AESNI_C 4736 scripts/config.py unset MBEDTLS_PADLOCK_C 4737 scripts/config.py unset MBEDTLS_AESCE_C 4738 scripts/config.py set MBEDTLS_TEST_HOOKS 4739 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT 4740 make CC=gcc CFLAGS="$ASAN_CFLAGS -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32" LDFLAGS="$ASAN_CFLAGS" 4741 4742 msg "test: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)" 4743 make test 4744} 4745 4746component_test_no_udbl_division () { 4747 msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s 4748 scripts/config.py full 4749 scripts/config.py set MBEDTLS_NO_UDBL_DIVISION 4750 make CFLAGS='-Werror -O1' 4751 4752 msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s 4753 make test 4754} 4755 4756component_test_no_64bit_multiplication () { 4757 msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s 4758 scripts/config.py full 4759 scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION 4760 make CFLAGS='-Werror -O1' 4761 4762 msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s 4763 make test 4764} 4765 4766component_test_no_strings () { 4767 msg "build: no strings" # ~10s 4768 scripts/config.py full 4769 # Disable options that activate a large amount of string constants. 4770 scripts/config.py unset MBEDTLS_DEBUG_C 4771 scripts/config.py unset MBEDTLS_ERROR_C 4772 scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY 4773 scripts/config.py unset MBEDTLS_VERSION_FEATURES 4774 make CFLAGS='-Werror -Os' 4775 4776 msg "test: no strings" # ~ 10s 4777 make test 4778} 4779 4780component_test_no_x509_info () { 4781 msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s 4782 scripts/config.pl full 4783 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests 4784 scripts/config.pl set MBEDTLS_X509_REMOVE_INFO 4785 make CFLAGS='-Werror -O2' 4786 4787 msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s 4788 make test 4789 4790 msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_INFO" # ~ 1 min 4791 tests/ssl-opt.sh 4792} 4793 4794component_build_arm_none_eabi_gcc () { 4795 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" # ~ 10s 4796 scripts/config.py baremetal 4797 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib 4798 4799 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" 4800 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o 4801} 4802 4803component_build_arm_linux_gnueabi_gcc_arm5vte () { 4804 msg "build: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s 4805 scripts/config.py baremetal 4806 # Build for a target platform that's close to what Debian uses 4807 # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort). 4808 # See https://github.com/Mbed-TLS/mbedtls/pull/2169 and comments. 4809 # Build everything including programs, see for example 4810 # https://github.com/Mbed-TLS/mbedtls/pull/3449#issuecomment-675313720 4811 make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' 4812 4813 msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug" 4814 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o 4815} 4816support_build_arm_linux_gnueabi_gcc_arm5vte () { 4817 type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1 4818} 4819 4820component_build_arm_none_eabi_gcc_arm5vte () { 4821 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s 4822 scripts/config.py baremetal 4823 # This is an imperfect substitute for 4824 # component_build_arm_linux_gnueabi_gcc_arm5vte 4825 # in case the gcc-arm-linux-gnueabi toolchain is not available 4826 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib 4827 4828 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug" 4829 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o 4830} 4831 4832component_build_arm_none_eabi_gcc_m0plus () { 4833 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus, baremetal_size" # ~ 10s 4834 scripts/config.py baremetal_size 4835 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib 4836 4837 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size" 4838 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o 4839 for lib in library/*.a; do 4840 echo "$lib:" 4841 ${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS 4842 done 4843} 4844 4845component_build_arm_none_eabi_gcc_no_udbl_division () { 4846 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s 4847 scripts/config.py baremetal 4848 scripts/config.py set MBEDTLS_NO_UDBL_DIVISION 4849 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib 4850 echo "Checking that software 64-bit division is not required" 4851 not grep __aeabi_uldiv library/*.o 4852} 4853 4854component_build_arm_none_eabi_gcc_no_64bit_multiplication () { 4855 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s 4856 scripts/config.py baremetal 4857 scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION 4858 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib 4859 echo "Checking that software 64-bit multiplication is not required" 4860 not grep __aeabi_lmul library/*.o 4861} 4862 4863component_build_arm_clang_thumb () { 4864 # ~ 30s 4865 4866 scripts/config.py baremetal 4867 4868 msg "build: clang thumb 2, make" 4869 make clean 4870 make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -march=armv7-m -mthumb' lib 4871 4872 # Some Thumb 1 asm is sensitive to optimisation level, so test both -O0 and -Os 4873 msg "build: clang thumb 1 -O0, make" 4874 make clean 4875 make CC="clang" CFLAGS='-std=c99 -Werror -O0 --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib 4876 4877 msg "build: clang thumb 1 -Os, make" 4878 make clean 4879 make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib 4880} 4881 4882component_build_armcc () { 4883 msg "build: ARM Compiler 5" 4884 scripts/config.py baremetal 4885 # armc[56] don't support SHA-512 intrinsics 4886 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 4887 4888 # Stop armclang warning about feature detection for A64_CRYPTO. 4889 # With this enabled, the library does build correctly under armclang, 4890 # but in baremetal builds (as tested here), feature detection is 4891 # unavailable, and the user is notified via a #warning. So enabling 4892 # this feature would prevent us from building with -Werror on 4893 # armclang. Tracked in #7198. 4894 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 4895 4896 scripts/config.py set MBEDTLS_HAVE_ASM 4897 4898 make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib 4899 4900 msg "size: ARM Compiler 5" 4901 "$ARMC5_FROMELF" -z library/*.o 4902 4903 make clean 4904 4905 # Compile mostly with -O1 since some Arm inline assembly is disabled for -O0. 4906 4907 # ARM Compiler 6 - Target ARMv7-A 4908 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-a" 4909 4910 # ARM Compiler 6 - Target ARMv7-M 4911 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m" 4912 4913 # ARM Compiler 6 - Target ARMv7-M+DSP 4914 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m+dsp" 4915 4916 # ARM Compiler 6 - Target ARMv8-A - AArch32 4917 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8.2-a" 4918 4919 # ARM Compiler 6 - Target ARMv8-M 4920 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main" 4921 4922 # ARM Compiler 6 - Target ARMv8.2-A - AArch64 4923 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto" 4924 4925 # ARM Compiler 6 - Target Cortex-M0 - no optimisation 4926 armc6_build_test "-O0 --target=arm-arm-none-eabi -mcpu=cortex-m0" 4927 4928 # ARM Compiler 6 - Target Cortex-M0 4929 armc6_build_test "-Os --target=arm-arm-none-eabi -mcpu=cortex-m0" 4930} 4931 4932support_build_armcc () { 4933 armc5_cc="$ARMC5_BIN_DIR/armcc" 4934 armc6_cc="$ARMC6_BIN_DIR/armclang" 4935 (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1) 4936} 4937 4938component_test_tls13_only () { 4939 msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2" 4940 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 4941 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 4942 4943 msg "test: TLS 1.3 only, all key exchange modes enabled" 4944 make test 4945 4946 msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled" 4947 tests/ssl-opt.sh 4948} 4949 4950component_test_tls13_only_psk () { 4951 msg "build: TLS 1.3 only from default, only PSK key exchange mode" 4952 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 4953 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 4954 scripts/config.py unset MBEDTLS_ECDH_C 4955 scripts/config.py unset MBEDTLS_DHM_C 4956 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 4957 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 4958 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 4959 scripts/config.py unset MBEDTLS_ECDSA_C 4960 scripts/config.py unset MBEDTLS_PKCS1_V21 4961 scripts/config.py unset MBEDTLS_PKCS7_C 4962 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 4963 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 4964 4965 msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" 4966 cd tests; ./test_suite_ssl; cd .. 4967 4968 msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled" 4969 tests/ssl-opt.sh 4970} 4971 4972component_test_tls13_only_ephemeral () { 4973 msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" 4974 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 4975 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 4976 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA 4977 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 4978 4979 msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" 4980 cd tests; ./test_suite_ssl; cd .. 4981 4982 msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode" 4983 tests/ssl-opt.sh 4984} 4985 4986component_test_tls13_only_ephemeral_ffdh () { 4987 msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" 4988 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 4989 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 4990 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA 4991 scripts/config.py unset MBEDTLS_ECDH_C 4992 4993 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 4994 4995 msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" 4996 cd tests; ./test_suite_ssl; cd .. 4997 4998 msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" 4999 tests/ssl-opt.sh 5000} 5001 5002component_test_tls13_only_psk_ephemeral () { 5003 msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode" 5004 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 5005 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 5006 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 5007 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 5008 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 5009 scripts/config.py unset MBEDTLS_ECDSA_C 5010 scripts/config.py unset MBEDTLS_PKCS1_V21 5011 scripts/config.py unset MBEDTLS_PKCS7_C 5012 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 5013 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 5014 5015 msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" 5016 cd tests; ./test_suite_ssl; cd .. 5017 5018 msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode" 5019 tests/ssl-opt.sh 5020} 5021 5022component_test_tls13_only_psk_ephemeral_ffdh () { 5023 msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode" 5024 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 5025 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 5026 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 5027 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 5028 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 5029 scripts/config.py unset MBEDTLS_ECDSA_C 5030 scripts/config.py unset MBEDTLS_PKCS1_V21 5031 scripts/config.py unset MBEDTLS_PKCS7_C 5032 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 5033 scripts/config.py unset MBEDTLS_ECDH_C 5034 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 5035 5036 msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" 5037 cd tests; ./test_suite_ssl; cd .. 5038 5039 msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" 5040 tests/ssl-opt.sh 5041} 5042 5043component_test_tls13_only_psk_all () { 5044 msg "build: TLS 1.3 only from default, without ephemeral key exchange mode" 5045 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 5046 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 5047 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 5048 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 5049 scripts/config.py unset MBEDTLS_ECDSA_C 5050 scripts/config.py unset MBEDTLS_PKCS1_V21 5051 scripts/config.py unset MBEDTLS_PKCS7_C 5052 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 5053 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 5054 5055 msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" 5056 cd tests; ./test_suite_ssl; cd .. 5057 5058 msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" 5059 tests/ssl-opt.sh 5060} 5061 5062component_test_tls13_only_ephemeral_all () { 5063 msg "build: TLS 1.3 only from default, without PSK key exchange mode" 5064 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 5065 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 5066 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 5067 5068 msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" 5069 cd tests; ./test_suite_ssl; cd .. 5070 5071 msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" 5072 tests/ssl-opt.sh 5073} 5074 5075component_test_tls13 () { 5076 msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding" 5077 scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 5078 scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 5079 scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 5080 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 5081 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 5082 make 5083 msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding" 5084 make test 5085 msg "ssl-opt.sh (TLS 1.3)" 5086 tests/ssl-opt.sh 5087} 5088 5089component_test_tls13_no_compatibility_mode () { 5090 msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding" 5091 scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 5092 scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 5093 scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 5094 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 5095 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 5096 make 5097 msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding" 5098 make test 5099 msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" 5100 tests/ssl-opt.sh 5101} 5102 5103component_test_tls13_only_record_size_limit () { 5104 msg "build: TLS 1.3 only from default, record size limit extension enabled" 5105 scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT 5106 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" 5107 5108 msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled" 5109 cd tests; ./test_suite_ssl; cd .. 5110 5111 msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)" 5112 # Both the server and the client will currently abort the handshake when they encounter the 5113 # record size limit extension. There is no way to prevent gnutls-cli from sending the extension 5114 # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension. 5115 tests/ssl-opt.sh -f "Record Size Limit" 5116} 5117 5118component_build_mingw () { 5119 msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s 5120 scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers 5121 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs 5122 5123 # note Make tests only builds the tests, but doesn't run them 5124 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests 5125 make WINDOWS_BUILD=1 clean 5126 5127 msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s 5128 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs 5129 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests 5130 make WINDOWS_BUILD=1 clean 5131} 5132support_build_mingw() { 5133 case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in 5134 [0-5]*|"") false;; 5135 *) true;; 5136 esac 5137} 5138 5139component_test_memsan () { 5140 msg "build: MSan (clang)" # ~ 1 min 20s 5141 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 5142 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 5143 make 5144 5145 msg "test: main suites (MSan)" # ~ 10s 5146 make test 5147 5148 msg "test: ssl-opt.sh (MSan)" # ~ 1 min 5149 tests/ssl-opt.sh 5150 5151 # Optional part(s) 5152 5153 if [ "$MEMORY" -gt 0 ]; then 5154 msg "test: compat.sh (MSan)" # ~ 6 min 20s 5155 tests/compat.sh 5156 fi 5157} 5158 5159component_test_valgrind () { 5160 msg "build: Release (clang)" 5161 # default config, in particular without MBEDTLS_USE_PSA_CRYPTO 5162 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . 5163 make 5164 5165 msg "test: main suites, Valgrind (default config)" 5166 make memcheck 5167 5168 # Optional parts (slow; currently broken on OS X because programs don't 5169 # seem to receive signals under valgrind on OS X). 5170 # These optional parts don't run on the CI. 5171 if [ "$MEMORY" -gt 0 ]; then 5172 msg "test: ssl-opt.sh --memcheck (default config)" 5173 tests/ssl-opt.sh --memcheck 5174 fi 5175 5176 if [ "$MEMORY" -gt 1 ]; then 5177 msg "test: compat.sh --memcheck (default config)" 5178 tests/compat.sh --memcheck 5179 fi 5180 5181 if [ "$MEMORY" -gt 0 ]; then 5182 msg "test: context-info.sh --memcheck (default config)" 5183 tests/context-info.sh --memcheck 5184 fi 5185} 5186 5187component_test_valgrind_psa () { 5188 msg "build: Release, full (clang)" 5189 # full config, in particular with MBEDTLS_USE_PSA_CRYPTO 5190 scripts/config.py full 5191 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . 5192 make 5193 5194 msg "test: main suites, Valgrind (full config)" 5195 make memcheck 5196} 5197 5198support_test_cmake_out_of_source () { 5199 distrib_id="" 5200 distrib_ver="" 5201 distrib_ver_minor="" 5202 distrib_ver_major="" 5203 5204 # Attempt to parse lsb-release to find out distribution and version. If not 5205 # found this should fail safe (test is supported). 5206 if [[ -f /etc/lsb-release ]]; then 5207 5208 while read -r lsb_line; do 5209 case "$lsb_line" in 5210 "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};; 5211 "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};; 5212 esac 5213 done < /etc/lsb-release 5214 5215 distrib_ver_major="${distrib_ver%%.*}" 5216 distrib_ver="${distrib_ver#*.}" 5217 distrib_ver_minor="${distrib_ver%%.*}" 5218 fi 5219 5220 # Running the out of source CMake test on Ubuntu 16.04 using more than one 5221 # processor (as the CI does) can create a race condition whereby the build 5222 # fails to see a generated file, despite that file actually having been 5223 # generated. This problem appears to go away with 18.04 or newer, so make 5224 # the out of source tests unsupported on Ubuntu 16.04. 5225 [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ] 5226} 5227 5228component_test_cmake_out_of_source () { 5229 # Remove existing generated files so that we use the ones cmake 5230 # generates 5231 make neat 5232 5233 msg "build: cmake 'out-of-source' build" 5234 MBEDTLS_ROOT_DIR="$PWD" 5235 mkdir "$OUT_OF_SOURCE_DIR" 5236 cd "$OUT_OF_SOURCE_DIR" 5237 # Note: Explicitly generate files as these are turned off in releases 5238 cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$MBEDTLS_ROOT_DIR" 5239 make 5240 5241 msg "test: cmake 'out-of-source' build" 5242 make test 5243 # Check that ssl-opt.sh can find the test programs. 5244 # Also ensure that there are no error messages such as 5245 # "No such file or directory", which would indicate that some required 5246 # file is missing (ssl-opt.sh tolerates the absence of some files so 5247 # may exit with status 0 but emit errors). 5248 ./tests/ssl-opt.sh -f 'Default' >ssl-opt.out 2>ssl-opt.err 5249 grep PASS ssl-opt.out 5250 cat ssl-opt.err >&2 5251 # If ssl-opt.err is non-empty, record an error and keep going. 5252 [ ! -s ssl-opt.err ] 5253 rm ssl-opt.out ssl-opt.err 5254 cd "$MBEDTLS_ROOT_DIR" 5255 rm -rf "$OUT_OF_SOURCE_DIR" 5256} 5257 5258component_test_cmake_as_subdirectory () { 5259 # Remove existing generated files so that we use the ones CMake 5260 # generates 5261 make neat 5262 5263 msg "build: cmake 'as-subdirectory' build" 5264 cd programs/test/cmake_subproject 5265 # Note: Explicitly generate files as these are turned off in releases 5266 cmake -D GEN_FILES=ON . 5267 make 5268 ./cmake_subproject 5269} 5270support_test_cmake_as_subdirectory () { 5271 support_test_cmake_out_of_source 5272} 5273 5274component_test_cmake_as_package () { 5275 # Remove existing generated files so that we use the ones CMake 5276 # generates 5277 make neat 5278 5279 msg "build: cmake 'as-package' build" 5280 cd programs/test/cmake_package 5281 cmake . 5282 make 5283 ./cmake_package 5284} 5285support_test_cmake_as_package () { 5286 support_test_cmake_out_of_source 5287} 5288 5289component_test_cmake_as_package_install () { 5290 # Remove existing generated files so that we use the ones CMake 5291 # generates 5292 make neat 5293 5294 msg "build: cmake 'as-installed-package' build" 5295 cd programs/test/cmake_package_install 5296 cmake . 5297 make 5298 ./cmake_package_install 5299} 5300support_test_cmake_as_package_install () { 5301 support_test_cmake_out_of_source 5302} 5303 5304component_build_cmake_custom_config_file () { 5305 # Make a copy of config file to use for the in-tree test 5306 cp "$CONFIG_H" include/mbedtls_config_in_tree_copy.h 5307 5308 MBEDTLS_ROOT_DIR="$PWD" 5309 mkdir "$OUT_OF_SOURCE_DIR" 5310 cd "$OUT_OF_SOURCE_DIR" 5311 5312 # Build once to get the generated files (which need an intact config file) 5313 cmake "$MBEDTLS_ROOT_DIR" 5314 make 5315 5316 msg "build: cmake with -DMBEDTLS_CONFIG_FILE" 5317 scripts/config.py -w full_config.h full 5318 echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H" 5319 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h "$MBEDTLS_ROOT_DIR" 5320 make 5321 5322 msg "build: cmake with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE" 5323 # In the user config, disable one feature (for simplicity, pick a feature 5324 # that nothing else depends on). 5325 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h 5326 5327 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h "$MBEDTLS_ROOT_DIR" 5328 make 5329 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C 5330 5331 rm -f user_config.h full_config.h 5332 5333 cd "$MBEDTLS_ROOT_DIR" 5334 rm -rf "$OUT_OF_SOURCE_DIR" 5335 5336 # Now repeat the test for an in-tree build: 5337 5338 # Restore config for the in-tree test 5339 mv include/mbedtls_config_in_tree_copy.h "$CONFIG_H" 5340 5341 # Build once to get the generated files (which need an intact config) 5342 cmake . 5343 make 5344 5345 msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE" 5346 scripts/config.py -w full_config.h full 5347 echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H" 5348 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h . 5349 make 5350 5351 msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE" 5352 # In the user config, disable one feature (for simplicity, pick a feature 5353 # that nothing else depends on). 5354 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h 5355 5356 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h . 5357 make 5358 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C 5359 5360 rm -f user_config.h full_config.h 5361} 5362support_build_cmake_custom_config_file () { 5363 support_test_cmake_out_of_source 5364} 5365 5366 5367component_build_zeroize_checks () { 5368 msg "build: check for obviously wrong calls to mbedtls_platform_zeroize()" 5369 5370 scripts/config.py full 5371 5372 # Only compile - we're looking for sizeof-pointer-memaccess warnings 5373 make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" 5374} 5375 5376 5377component_test_zeroize () { 5378 # Test that the function mbedtls_platform_zeroize() is not optimized away by 5379 # different combinations of compilers and optimization flags by using an 5380 # auxiliary GDB script. Unfortunately, GDB does not return error values to the 5381 # system in all cases that the script fails, so we must manually search the 5382 # output to check whether the pass string is present and no failure strings 5383 # were printed. 5384 5385 # Don't try to disable ASLR. We don't care about ASLR here. We do care 5386 # about a spurious message if Gdb tries and fails, so suppress that. 5387 gdb_disable_aslr= 5388 if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then 5389 gdb_disable_aslr='set disable-randomization off' 5390 fi 5391 5392 for optimization_flag in -O2 -O3 -Ofast -Os; do 5393 for compiler in clang gcc; do 5394 msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()" 5395 make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag" 5396 gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log 5397 grep "The buffer was correctly zeroized" test_zeroize.log 5398 not grep -i "error" test_zeroize.log 5399 rm -f test_zeroize.log 5400 make clean 5401 done 5402 done 5403} 5404 5405component_test_psa_compliance () { 5406 msg "build: make, default config (out-of-box), libmbedcrypto.a only" 5407 make -C library libmbedcrypto.a 5408 5409 msg "unit test: test_psa_compliance.py" 5410 ./tests/scripts/test_psa_compliance.py 5411} 5412 5413support_test_psa_compliance () { 5414 # psa-compliance-tests only supports CMake >= 3.10.0 5415 ver="$(cmake --version)" 5416 ver="${ver#cmake version }" 5417 ver_major="${ver%%.*}" 5418 5419 ver="${ver#*.}" 5420 ver_minor="${ver%%.*}" 5421 5422 [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ] 5423} 5424 5425component_check_code_style () { 5426 msg "Check C code style" 5427 ./scripts/code_style.py 5428} 5429 5430support_check_code_style() { 5431 case $(uncrustify --version) in 5432 *0.75.1*) true;; 5433 *) false;; 5434 esac 5435} 5436 5437component_check_python_files () { 5438 msg "Lint: Python scripts" 5439 tests/scripts/check-python-files.sh 5440} 5441 5442component_check_test_helpers () { 5443 msg "unit test: generate_test_code.py" 5444 # unittest writes out mundane stuff like number or tests run on stderr. 5445 # Our convention is to reserve stderr for actual errors, and write 5446 # harmless info on stdout so it can be suppress with --quiet. 5447 ./tests/scripts/test_generate_test_code.py 2>&1 5448 5449 msg "unit test: translate_ciphers.py" 5450 python3 -m unittest tests/scripts/translate_ciphers.py 2>&1 5451} 5452 5453 5454################################################################ 5455#### Termination 5456################################################################ 5457 5458post_report () { 5459 msg "Done, cleaning up" 5460 final_cleanup 5461 5462 final_report 5463} 5464 5465 5466 5467################################################################ 5468#### Run all the things 5469################################################################ 5470 5471# Function invoked by --error-test to test error reporting. 5472pseudo_component_error_test () { 5473 msg "Testing error reporting $error_test_i" 5474 if [ $KEEP_GOING -ne 0 ]; then 5475 echo "Expect three failing commands." 5476 fi 5477 # If the component doesn't run in a subshell, changing error_test_i to an 5478 # invalid integer will cause an error in the loop that runs this function. 5479 error_test_i=this_should_not_be_used_since_the_component_runs_in_a_subshell 5480 # Expected error: 'grep non_existent /dev/null -> 1' 5481 grep non_existent /dev/null 5482 # Expected error: '! grep -q . tests/scripts/all.sh -> 1' 5483 not grep -q . "$0" 5484 # Expected error: 'make unknown_target -> 2' 5485 make unknown_target 5486 false "this should not be executed" 5487} 5488 5489# Run one component and clean up afterwards. 5490run_component () { 5491 current_component="$1" 5492 export MBEDTLS_TEST_CONFIGURATION="$current_component" 5493 5494 # Unconditionally create a seedfile that's sufficiently long. 5495 # Do this before each component, because a previous component may 5496 # have messed it up or shortened it. 5497 local dd_cmd 5498 dd_cmd=(dd if=/dev/urandom of=./tests/seedfile bs=64 count=1) 5499 case $OSTYPE in 5500 linux*|freebsd*|openbsd*) dd_cmd+=(status=none) 5501 esac 5502 "${dd_cmd[@]}" 5503 5504 # Run the component in a subshell, with error trapping and output 5505 # redirection set up based on the relevant options. 5506 if [ $KEEP_GOING -eq 1 ]; then 5507 # We want to keep running if the subshell fails, so 'set -e' must 5508 # be off when the subshell runs. 5509 set +e 5510 fi 5511 ( 5512 if [ $QUIET -eq 1 ]; then 5513 # msg() will be silenced, so just print the component name here. 5514 echo "${current_component#component_}" 5515 exec >/dev/null 5516 fi 5517 if [ $KEEP_GOING -eq 1 ]; then 5518 # Keep "set -e" off, and run an ERR trap instead to record failures. 5519 set -E 5520 trap err_trap ERR 5521 fi 5522 # The next line is what runs the component 5523 "$@" 5524 if [ $KEEP_GOING -eq 1 ]; then 5525 trap - ERR 5526 exit $last_failure_status 5527 fi 5528 ) 5529 component_status=$? 5530 if [ $KEEP_GOING -eq 1 ]; then 5531 set -e 5532 if [ $component_status -ne 0 ]; then 5533 failure_count=$((failure_count + 1)) 5534 fi 5535 fi 5536 5537 # Restore the build tree to a clean state. 5538 cleanup 5539 unset current_component 5540} 5541 5542# Preliminary setup 5543pre_check_environment 5544pre_parse_command_line_for_dirs "$@" 5545pre_initialize_variables 5546pre_parse_command_line "$@" 5547 5548pre_check_git 5549pre_restore_files 5550pre_back_up 5551 5552build_status=0 5553if [ $KEEP_GOING -eq 1 ]; then 5554 pre_setup_keep_going 5555fi 5556pre_prepare_outcome_file 5557pre_print_configuration 5558pre_check_tools 5559cleanup 5560if in_mbedtls_repo; then 5561 pre_generate_files 5562fi 5563 5564# Run the requested tests. 5565for ((error_test_i=1; error_test_i <= error_test; error_test_i++)); do 5566 run_component pseudo_component_error_test 5567done 5568unset error_test_i 5569for component in $RUN_COMPONENTS; do 5570 run_component "component_$component" 5571done 5572 5573# We're done. 5574post_report 5575
