1# components-configuration-crypto.sh 2# 3# Copyright The Mbed TLS Contributors 4# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 5 6# This file contains test components that are executed by all.sh 7 8################################################################ 9#### Configuration Testing - Crypto 10################################################################ 11 12component_test_psa_crypto_key_id_encodes_owner () { 13 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 14 scripts/config.py full 15 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 16 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 17 make 18 19 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 20 make test 21} 22 23component_test_psa_assume_exclusive_buffers () { 24 msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" 25 scripts/config.py full 26 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 27 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 28 make 29 30 msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" 31 make test 32} 33 34# check_renamed_symbols HEADER LIB 35# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol 36# name in LIB. 37check_renamed_symbols () { 38 ! nm "$2" | sed 's/.* //' | 39 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" 40} 41 42component_build_psa_crypto_spm () { 43 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" 44 scripts/config.py full 45 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 46 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 47 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM 48 # We can only compile, not link, since our test and sample programs 49 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM 50 # is active. 51 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib 52 53 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed 54 # version is not present. 55 echo "Checking for renamed symbols in the library" 56 check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a 57} 58 59# Get a list of library-wise undefined symbols and ensure that they only 60# belong to psa_xxx() functions and not to mbedtls_yyy() ones. 61# This function is a common helper used by both: 62# - component_test_default_psa_crypto_client_without_crypto_provider 63# - component_build_full_psa_crypto_client_without_crypto_provider. 64common_check_mbedtls_missing_symbols () { 65 nm library/libmbedcrypto.a | grep ' [TRrDC] ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_def.txt 66 nm library/libmbedcrypto.a | grep ' U ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_undef.txt 67 comm sym_def.txt sym_undef.txt -13 > linking_errors.txt 68 not grep mbedtls_ linking_errors.txt 69 70 rm sym_def.txt sym_undef.txt linking_errors.txt 71} 72 73component_test_default_psa_crypto_client_without_crypto_provider () { 74 msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" 75 76 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 77 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 78 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C 79 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 80 scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT 81 scripts/config.py unset MBEDTLS_LMS_C 82 83 make 84 85 msg "check missing symbols: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" 86 common_check_mbedtls_missing_symbols 87 88 msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" 89 make test 90} 91 92component_build_full_psa_crypto_client_without_crypto_provider () { 93 msg "build: full config - PSA_CRYPTO_C" 94 95 # Use full config which includes USE_PSA and CRYPTO_CLIENT. 96 scripts/config.py full 97 98 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 99 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 100 # Dynamic secure element support is a deprecated feature and it is not 101 # available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled. 102 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 103 104 # Since there is no crypto provider in this build it is not possible to 105 # build all the test executables and progrems due to missing PSA functions 106 # at link time. Therefore we will just build libraries and we'll check 107 # that symbols of interest are there. 108 make lib 109 110 msg "check missing symbols: full config - PSA_CRYPTO_C" 111 112 common_check_mbedtls_missing_symbols 113 114 # Ensure that desired functions are included into the build (extend the 115 # following list as required). 116 grep mbedtls_pk_get_psa_attributes library/libmbedcrypto.a 117 grep mbedtls_pk_import_into_psa library/libmbedcrypto.a 118 grep mbedtls_pk_copy_from_psa library/libmbedcrypto.a 119} 120 121component_test_psa_crypto_rsa_no_genprime () { 122 msg "build: default config minus MBEDTLS_GENPRIME" 123 scripts/config.py unset MBEDTLS_GENPRIME 124 make 125 126 msg "test: default config minus MBEDTLS_GENPRIME" 127 make test 128} 129 130component_test_no_pem_no_fs () { 131 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" 132 scripts/config.py unset MBEDTLS_PEM_PARSE_C 133 scripts/config.py unset MBEDTLS_FS_IO 134 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem 135 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS 136 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 137 make 138 139 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s 140 make test 141 142 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min 143 tests/ssl-opt.sh 144} 145 146component_test_rsa_no_crt () { 147 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min 148 scripts/config.py set MBEDTLS_RSA_NO_CRT 149 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 150 make 151 152 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s 153 make test 154 155 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s 156 tests/ssl-opt.sh -f RSA 157 158 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min 159 tests/compat.sh -t RSA 160 161 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec 162 tests/context-info.sh 163} 164 165component_test_no_ctr_drbg_classic () { 166 msg "build: Full minus CTR_DRBG, classic crypto in TLS" 167 scripts/config.py full 168 scripts/config.py unset MBEDTLS_CTR_DRBG_C 169 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 170 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 171 172 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 173 make 174 175 msg "test: Full minus CTR_DRBG, classic crypto - main suites" 176 make test 177 178 # In this configuration, the TLS test programs use HMAC_DRBG. 179 # The SSL tests are slow, so run a small subset, just enough to get 180 # confidence that the SSL code copes with HMAC_DRBG. 181 msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" 182 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 183 184 msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" 185 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 186} 187 188component_test_no_ctr_drbg_use_psa () { 189 msg "build: Full minus CTR_DRBG, PSA crypto in TLS" 190 scripts/config.py full 191 scripts/config.py unset MBEDTLS_CTR_DRBG_C 192 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 193 194 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 195 make 196 197 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" 198 make test 199 200 # In this configuration, the TLS test programs use HMAC_DRBG. 201 # The SSL tests are slow, so run a small subset, just enough to get 202 # confidence that the SSL code copes with HMAC_DRBG. 203 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 204 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 205 206 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" 207 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 208} 209 210component_test_no_hmac_drbg_classic () { 211 msg "build: Full minus HMAC_DRBG, classic crypto in TLS" 212 scripts/config.py full 213 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 214 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 215 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 216 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 217 218 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 219 make 220 221 msg "test: Full minus HMAC_DRBG, classic crypto - main suites" 222 make test 223 224 # Normally our ECDSA implementation uses deterministic ECDSA. But since 225 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 226 # instead. 227 # Test SSL with non-deterministic ECDSA. Only test features that 228 # might be affected by how ECDSA signature is performed. 229 msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" 230 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 231 232 # To save time, only test one protocol version, since this part of 233 # the protocol is identical in (D)TLS up to 1.2. 234 msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" 235 tests/compat.sh -m tls12 -t 'ECDSA' 236} 237 238component_test_no_hmac_drbg_use_psa () { 239 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" 240 scripts/config.py full 241 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 242 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 243 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 244 245 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 246 make 247 248 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" 249 make test 250 251 # Normally our ECDSA implementation uses deterministic ECDSA. But since 252 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 253 # instead. 254 # Test SSL with non-deterministic ECDSA. Only test features that 255 # might be affected by how ECDSA signature is performed. 256 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 257 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 258 259 # To save time, only test one protocol version, since this part of 260 # the protocol is identical in (D)TLS up to 1.2. 261 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" 262 tests/compat.sh -m tls12 -t 'ECDSA' 263} 264 265component_test_psa_external_rng_no_drbg_classic () { 266 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" 267 scripts/config.py full 268 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 269 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 270 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 271 scripts/config.py unset MBEDTLS_ENTROPY_C 272 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 273 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 274 scripts/config.py unset MBEDTLS_CTR_DRBG_C 275 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 276 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 277 # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, 278 # the SSL test programs don't have an RNG and can't work. Explicitly 279 # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. 280 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" 281 282 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" 283 make test 284 285 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" 286 tests/ssl-opt.sh -f 'Default' 287} 288 289component_test_psa_external_rng_no_drbg_use_psa () { 290 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" 291 scripts/config.py full 292 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 293 scripts/config.py unset MBEDTLS_ENTROPY_C 294 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 295 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 296 scripts/config.py unset MBEDTLS_CTR_DRBG_C 297 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 298 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 299 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 300 301 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" 302 make test 303 304 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" 305 tests/ssl-opt.sh -f 'Default\|opaque' 306} 307 308component_test_psa_external_rng_use_psa_crypto () { 309 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 310 scripts/config.py full 311 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 312 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO 313 scripts/config.py unset MBEDTLS_CTR_DRBG_C 314 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 315 316 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 317 make test 318 319 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 320 tests/ssl-opt.sh -f 'Default\|opaque' 321} 322 323component_test_psa_inject_entropy () { 324 msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY" 325 scripts/config.py full 326 scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY 327 scripts/config.py set MBEDTLS_ENTROPY_NV_SEED 328 scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 329 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 330 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ 331 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE 332 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" 333 334 msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY" 335 make test 336} 337 338component_full_no_pkparse_pkwrite () { 339 msg "build: full without pkparse and pkwrite" 340 341 scripts/config.py crypto_full 342 scripts/config.py unset MBEDTLS_PK_PARSE_C 343 scripts/config.py unset MBEDTLS_PK_WRITE_C 344 345 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 346 347 # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). 348 not grep mbedtls_pk_parse_key library/pkparse.o 349 not grep mbedtls_pk_write_key_der library/pkwrite.o 350 351 msg "test: full without pkparse and pkwrite" 352 make test 353} 354 355component_test_crypto_full_md_light_only () { 356 msg "build: crypto_full with only the light subset of MD" 357 scripts/config.py crypto_full 358 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 359 # Disable MD 360 scripts/config.py unset MBEDTLS_MD_C 361 # Disable direct dependencies of MD_C 362 scripts/config.py unset MBEDTLS_HKDF_C 363 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 364 scripts/config.py unset MBEDTLS_PKCS7_C 365 # Disable indirect dependencies of MD_C 366 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG 367 # Disable things that would auto-enable MD_C 368 scripts/config.py unset MBEDTLS_PKCS5_C 369 370 # Note: MD-light is auto-enabled in build_info.h by modules that need it, 371 # which we haven't disabled, so no need to explicitly enable it. 372 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 373 374 # Make sure we don't have the HMAC functions, but the hashing functions 375 not grep mbedtls_md_hmac library/md.o 376 grep mbedtls_md library/md.o 377 378 msg "test: crypto_full with only the light subset of MD" 379 make test 380} 381 382component_test_full_no_cipher_no_psa_crypto () { 383 msg "build: full no CIPHER no PSA_CRYPTO_C" 384 scripts/config.py full 385 scripts/config.py unset MBEDTLS_CIPHER_C 386 # Don't pull in cipher via PSA mechanisms 387 # (currently ignored anyway because we completely disable PSA) 388 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 389 # Disable features that depend on CIPHER_C 390 scripts/config.py unset MBEDTLS_CMAC_C 391 scripts/config.py unset MBEDTLS_NIST_KW_C 392 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C 393 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT 394 scripts/config.py unset MBEDTLS_SSL_TLS_C 395 scripts/config.py unset MBEDTLS_SSL_TICKET_C 396 # Disable features that depend on PSA_CRYPTO_C 397 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 398 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C 399 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 400 scripts/config.py unset MBEDTLS_LMS_C 401 scripts/config.py unset MBEDTLS_LMS_PRIVATE 402 403 msg "test: full no CIPHER no PSA_CRYPTO_C" 404 make test 405} 406 407# This is a common configurator and test function that is used in: 408# - component_test_full_no_cipher_with_psa_crypto 409# - component_test_full_no_cipher_with_psa_crypto_config 410# It accepts 2 input parameters: 411# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG 412# - $2: a text string which describes the test component 413common_test_full_no_cipher_with_psa_crypto () { 414 USE_CRYPTO_CONFIG="$1" 415 COMPONENT_DESCRIPTION="$2" 416 417 msg "build: $COMPONENT_DESCRIPTION" 418 419 scripts/config.py full 420 scripts/config.py unset MBEDTLS_CIPHER_C 421 422 if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then 423 # The built-in implementation of the following algs/key-types depends 424 # on CIPHER_C so we disable them. 425 # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 426 # so we keep them enabled. 427 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG 428 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC 429 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING 430 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 431 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB 432 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR 433 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING 434 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB 435 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 436 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER 437 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES 438 else 439 # Don't pull in cipher via PSA mechanisms 440 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 441 # Disable cipher modes/keys that make PSA depend on CIPHER_C. 442 # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. 443 scripts/config.py unset-all MBEDTLS_CIPHER_MODE 444 fi 445 # The following modules directly depends on CIPHER_C 446 scripts/config.py unset MBEDTLS_CMAC_C 447 scripts/config.py unset MBEDTLS_NIST_KW_C 448 449 make 450 451 # Ensure that CIPHER_C was not re-enabled 452 not grep mbedtls_cipher_init library/cipher.o 453 454 msg "test: $COMPONENT_DESCRIPTION" 455 make test 456} 457 458component_test_full_no_cipher_with_psa_crypto () { 459 common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG" 460} 461 462component_test_full_no_cipher_with_psa_crypto_config () { 463 common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER" 464} 465 466component_test_full_no_ccm () { 467 msg "build: full no PSA_WANT_ALG_CCM" 468 469 # Full config enables: 470 # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA 471 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated 472 scripts/config.py full 473 474 # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still 475 # enabled, but not used from TLS since USE_PSA is set. 476 # This is helpful to ensure that TLS tests below have proper dependencies. 477 # 478 # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause 479 # PSA_WANT_ALG_CCM to be re-enabled. 480 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM 481 482 make 483 484 msg "test: full no PSA_WANT_ALG_CCM" 485 make test 486} 487 488component_test_full_no_ccm_star_no_tag () { 489 msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" 490 491 # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated 492 scripts/config.py full 493 494 # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all 495 # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol. 496 # This basically disables all unauthenticated ciphers on the PSA side, while 497 # keeping AEADs enabled. 498 # 499 # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause 500 # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. 501 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 502 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER 503 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR 504 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB 505 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB 506 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 507 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 508 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 509 510 make 511 512 # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled 513 not grep mbedtls_psa_cipher library/psa_crypto_cipher.o 514 515 msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" 516 make test 517} 518 519component_test_full_no_bignum () { 520 msg "build: full minus bignum" 521 scripts/config.py full 522 scripts/config.py unset MBEDTLS_BIGNUM_C 523 # Direct dependencies of bignum 524 scripts/config.py unset MBEDTLS_ECP_C 525 scripts/config.py unset MBEDTLS_RSA_C 526 scripts/config.py unset MBEDTLS_DHM_C 527 # Direct dependencies of ECP 528 scripts/config.py unset MBEDTLS_ECDH_C 529 scripts/config.py unset MBEDTLS_ECDSA_C 530 scripts/config.py unset MBEDTLS_ECJPAKE_C 531 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 532 # Disable what auto-enables ECP_LIGHT 533 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 534 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 535 # Indirect dependencies of ECP 536 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 537 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 538 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 539 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 540 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 541 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 542 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 543 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 544 # Direct dependencies of DHM 545 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 546 # Direct dependencies of RSA 547 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 548 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 549 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 550 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 551 # PK and its dependencies 552 scripts/config.py unset MBEDTLS_PK_C 553 scripts/config.py unset MBEDTLS_PK_PARSE_C 554 scripts/config.py unset MBEDTLS_PK_WRITE_C 555 scripts/config.py unset MBEDTLS_X509_USE_C 556 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C 557 scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C 558 scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C 559 scripts/config.py unset MBEDTLS_X509_CREATE_C 560 scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C 561 scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C 562 scripts/config.py unset MBEDTLS_PKCS7_C 563 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION 564 scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE 565 scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 566 567 make 568 569 msg "test: full minus bignum" 570 make test 571} 572 573component_build_dhm_alt () { 574 msg "build: MBEDTLS_DHM_ALT" # ~30s 575 scripts/config.py full 576 scripts/config.py set MBEDTLS_DHM_ALT 577 # debug.c currently references mbedtls_dhm_context fields directly. 578 scripts/config.py unset MBEDTLS_DEBUG_C 579 # We can only compile, not link, since we don't have any implementations 580 # suitable for testing with the dummy alt headers. 581 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib 582} 583 584component_test_everest () { 585 msg "build: Everest ECDH context (ASan build)" # ~ 6 min 586 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 587 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . 588 make 589 590 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s 591 make test 592 593 msg "test: metatests (clang, ASan)" 594 tests/scripts/run-metatests.sh any asan poison 595 596 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s 597 tests/ssl-opt.sh -f ECDH 598 599 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min 600 # Exclude some symmetric ciphers that are redundant here to gain time. 601 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' 602} 603 604component_test_everest_curve25519_only () { 605 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min 606 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 607 scripts/config.py unset MBEDTLS_ECDSA_C 608 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 609 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 610 scripts/config.py unset MBEDTLS_ECJPAKE_C 611 # Disable all curves 612 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" 613 scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED 614 615 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 616 617 msg "test: Everest ECDH context, only Curve25519" # ~ 50s 618 make test 619} 620 621component_test_psa_collect_statuses () { 622 msg "build+test: psa_collect_statuses" # ~30s 623 scripts/config.py full 624 tests/scripts/psa_collect_statuses.py 625 # Check that psa_crypto_init() succeeded at least once 626 grep -q '^0:psa_crypto_init:' tests/statuses.log 627 rm -f tests/statuses.log 628} 629 630# Check that the specified libraries exist and are empty. 631are_empty_libraries () { 632 nm "$@" >/dev/null 2>/dev/null 633 ! nm "$@" 2>/dev/null | grep -v ':$' | grep . 634} 635 636component_build_crypto_default () { 637 msg "build: make, crypto only" 638 scripts/config.py crypto 639 make CFLAGS='-O1 -Werror' 640 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 641} 642 643component_build_crypto_full () { 644 msg "build: make, crypto only, full config" 645 scripts/config.py crypto_full 646 make CFLAGS='-O1 -Werror' 647 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 648} 649 650component_test_crypto_for_psa_service () { 651 msg "build: make, config for PSA crypto service" 652 scripts/config.py crypto 653 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 654 # Disable things that are not needed for just cryptography, to 655 # reach a configuration that would be typical for a PSA cryptography 656 # service providing all implemented PSA algorithms. 657 # System stuff 658 scripts/config.py unset MBEDTLS_ERROR_C 659 scripts/config.py unset MBEDTLS_TIMING_C 660 scripts/config.py unset MBEDTLS_VERSION_FEATURES 661 # Crypto stuff with no PSA interface 662 scripts/config.py unset MBEDTLS_BASE64_C 663 # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. 664 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent 665 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. 666 scripts/config.py unset MBEDTLS_NIST_KW_C 667 scripts/config.py unset MBEDTLS_PEM_PARSE_C 668 scripts/config.py unset MBEDTLS_PEM_WRITE_C 669 scripts/config.py unset MBEDTLS_PKCS12_C 670 scripts/config.py unset MBEDTLS_PKCS5_C 671 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed 672 # in PSA code to work with RSA keys. We don't require users to set those: 673 # they will be reenabled in build_info.h. 674 scripts/config.py unset MBEDTLS_PK_C 675 scripts/config.py unset MBEDTLS_PK_PARSE_C 676 scripts/config.py unset MBEDTLS_PK_WRITE_C 677 make CFLAGS='-O1 -Werror' all test 678 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 679} 680 681component_build_crypto_baremetal () { 682 msg "build: make, crypto only, baremetal config" 683 scripts/config.py crypto_baremetal 684 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" 685 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 686} 687 688support_build_crypto_baremetal () { 689 support_build_baremetal "$@" 690} 691 692# depends.py family of tests 693component_test_depends_py_cipher_id () { 694 msg "test/build: depends.py cipher_id (gcc)" 695 tests/scripts/depends.py cipher_id --unset-use-psa 696} 697 698component_test_depends_py_cipher_chaining () { 699 msg "test/build: depends.py cipher_chaining (gcc)" 700 tests/scripts/depends.py cipher_chaining --unset-use-psa 701} 702 703component_test_depends_py_cipher_padding () { 704 msg "test/build: depends.py cipher_padding (gcc)" 705 tests/scripts/depends.py cipher_padding --unset-use-psa 706} 707 708component_test_depends_py_curves () { 709 msg "test/build: depends.py curves (gcc)" 710 tests/scripts/depends.py curves --unset-use-psa 711} 712 713component_test_depends_py_hashes () { 714 msg "test/build: depends.py hashes (gcc)" 715 tests/scripts/depends.py hashes --unset-use-psa 716} 717 718component_test_depends_py_pkalgs () { 719 msg "test/build: depends.py pkalgs (gcc)" 720 tests/scripts/depends.py pkalgs --unset-use-psa 721} 722 723# PSA equivalents of the depends.py tests 724component_test_depends_py_cipher_id_psa () { 725 msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 726 tests/scripts/depends.py cipher_id 727} 728 729component_test_depends_py_cipher_chaining_psa () { 730 msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 731 tests/scripts/depends.py cipher_chaining 732} 733 734component_test_depends_py_cipher_padding_psa () { 735 msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 736 tests/scripts/depends.py cipher_padding 737} 738 739component_test_depends_py_curves_psa () { 740 msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 741 tests/scripts/depends.py curves 742} 743 744component_test_depends_py_hashes_psa () { 745 msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 746 tests/scripts/depends.py hashes 747} 748 749component_test_depends_py_pkalgs_psa () { 750 msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" 751 tests/scripts/depends.py pkalgs 752} 753 754component_test_psa_crypto_config_ffdh_2048_only () { 755 msg "build: full config - only DH 2048" 756 757 scripts/config.py full 758 759 # Disable all DH groups other than 2048. 760 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 761 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 762 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 763 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 764 765 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" 766 767 msg "test: full config - only DH 2048" 768 make test 769 770 msg "ssl-opt: full config - only DH 2048" 771 tests/ssl-opt.sh -f "ffdh" 772} 773 774component_build_no_pk_rsa_alt_support () { 775 msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s 776 777 scripts/config.py full 778 scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT 779 scripts/config.py set MBEDTLS_RSA_C 780 scripts/config.py set MBEDTLS_X509_CRT_WRITE_C 781 782 # Only compile - this is primarily to test for compile issues 783 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' 784} 785 786component_build_module_alt () { 787 msg "build: MBEDTLS_XXX_ALT" # ~30s 788 scripts/config.py full 789 790 # Disable options that are incompatible with some ALT implementations: 791 # aesni.c and padlock.c reference mbedtls_aes_context fields directly. 792 scripts/config.py unset MBEDTLS_AESNI_C 793 scripts/config.py unset MBEDTLS_PADLOCK_C 794 scripts/config.py unset MBEDTLS_AESCE_C 795 # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. 796 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 797 # You can only have one threading implementation: alt or pthread, not both. 798 scripts/config.py unset MBEDTLS_THREADING_PTHREAD 799 # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields 800 # directly and assumes the implementation works with partial groups. 801 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 802 # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* 803 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 804 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY 805 # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* 806 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 807 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY 808 809 # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable 810 # MBEDTLS_XXX_YYY_ALT which are for single functions. 811 scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' 812 scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C 813 814 # We can only compile, not link, since we don't have any implementations 815 # suitable for testing with the dummy alt headers. 816 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib 817} 818 819component_test_psa_crypto_config_accel_ecdsa () { 820 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" 821 822 # Algorithms and key types to accelerate 823 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 824 $(helper_get_psa_key_type_list "ECC") \ 825 $(helper_get_psa_curve_list)" 826 827 # Configure 828 # --------- 829 830 # Start from default config (no USE_PSA) + TLS 1.3 831 helper_libtestdriver1_adjust_config "default" 832 833 # Disable the module that's accelerated 834 scripts/config.py unset MBEDTLS_ECDSA_C 835 836 # Disable things that depend on it 837 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 838 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 839 840 # Build 841 # ----- 842 843 # These hashes are needed for some ECDSA signature tests. 844 loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 845 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 846 847 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 848 849 helper_libtestdriver1_make_main "$loc_accel_list" 850 851 # Make sure this was not re-enabled by accident (additive config) 852 not grep mbedtls_ecdsa_ library/ecdsa.o 853 854 # Run the tests 855 # ------------- 856 857 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" 858 make test 859} 860 861component_test_psa_crypto_config_accel_ecdh () { 862 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" 863 864 # Algorithms and key types to accelerate 865 loc_accel_list="ALG_ECDH \ 866 $(helper_get_psa_key_type_list "ECC") \ 867 $(helper_get_psa_curve_list)" 868 869 # Configure 870 # --------- 871 872 # Start from default config (no USE_PSA) 873 helper_libtestdriver1_adjust_config "default" 874 875 # Disable the module that's accelerated 876 scripts/config.py unset MBEDTLS_ECDH_C 877 878 # Disable things that depend on it 879 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 880 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 881 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 882 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 883 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 884 885 # Build 886 # ----- 887 888 helper_libtestdriver1_make_drivers "$loc_accel_list" 889 890 helper_libtestdriver1_make_main "$loc_accel_list" 891 892 # Make sure this was not re-enabled by accident (additive config) 893 not grep mbedtls_ecdh_ library/ecdh.o 894 895 # Run the tests 896 # ------------- 897 898 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" 899 make test 900} 901 902component_test_psa_crypto_config_accel_ffdh () { 903 msg "build: full with accelerated FFDH" 904 905 # Algorithms and key types to accelerate 906 loc_accel_list="ALG_FFDH \ 907 $(helper_get_psa_key_type_list "DH") \ 908 $(helper_get_psa_dh_group_list)" 909 910 # Configure 911 # --------- 912 913 # start with full (USE_PSA and TLS 1.3) 914 helper_libtestdriver1_adjust_config "full" 915 916 # Disable the module that's accelerated 917 scripts/config.py unset MBEDTLS_DHM_C 918 919 # Disable things that depend on it 920 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 921 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 922 923 # Build 924 # ----- 925 926 helper_libtestdriver1_make_drivers "$loc_accel_list" 927 928 helper_libtestdriver1_make_main "$loc_accel_list" 929 930 # Make sure this was not re-enabled by accident (additive config) 931 not grep mbedtls_dhm_ library/dhm.o 932 933 # Run the tests 934 # ------------- 935 936 msg "test: full with accelerated FFDH" 937 make test 938 939 msg "ssl-opt: full with accelerated FFDH alg" 940 tests/ssl-opt.sh -f "ffdh" 941} 942 943component_test_psa_crypto_config_reference_ffdh () { 944 msg "build: full with non-accelerated FFDH" 945 946 # Start with full (USE_PSA and TLS 1.3) 947 helper_libtestdriver1_adjust_config "full" 948 949 # Disable things that are not supported 950 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 951 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 952 make 953 954 msg "test suites: full with non-accelerated FFDH alg" 955 make test 956 957 msg "ssl-opt: full with non-accelerated FFDH alg" 958 tests/ssl-opt.sh -f "ffdh" 959} 960 961component_test_psa_crypto_config_accel_pake () { 962 msg "build: full with accelerated PAKE" 963 964 loc_accel_list="ALG_JPAKE \ 965 $(helper_get_psa_key_type_list "ECC") \ 966 $(helper_get_psa_curve_list)" 967 968 # Configure 969 # --------- 970 971 helper_libtestdriver1_adjust_config "full" 972 973 # Make built-in fallback not available 974 scripts/config.py unset MBEDTLS_ECJPAKE_C 975 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 976 977 # Build 978 # ----- 979 980 helper_libtestdriver1_make_drivers "$loc_accel_list" 981 982 helper_libtestdriver1_make_main "$loc_accel_list" 983 984 # Make sure this was not re-enabled by accident (additive config) 985 not grep mbedtls_ecjpake_init library/ecjpake.o 986 987 # Run the tests 988 # ------------- 989 990 msg "test: full with accelerated PAKE" 991 make test 992} 993 994component_test_psa_crypto_config_accel_ecc_some_key_types () { 995 msg "build: full with accelerated EC algs and some key types" 996 997 # Algorithms and key types to accelerate 998 # For key types, use an explicitly list to omit GENERATE (and DERIVE) 999 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1000 ALG_ECDH \ 1001 ALG_JPAKE \ 1002 KEY_TYPE_ECC_PUBLIC_KEY \ 1003 KEY_TYPE_ECC_KEY_PAIR_BASIC \ 1004 KEY_TYPE_ECC_KEY_PAIR_IMPORT \ 1005 KEY_TYPE_ECC_KEY_PAIR_EXPORT \ 1006 $(helper_get_psa_curve_list)" 1007 1008 # Configure 1009 # --------- 1010 1011 # start with config full for maximum coverage (also enables USE_PSA) 1012 helper_libtestdriver1_adjust_config "full" 1013 1014 # Disable modules that are accelerated - some will be re-enabled 1015 scripts/config.py unset MBEDTLS_ECDSA_C 1016 scripts/config.py unset MBEDTLS_ECDH_C 1017 scripts/config.py unset MBEDTLS_ECJPAKE_C 1018 scripts/config.py unset MBEDTLS_ECP_C 1019 1020 # Disable all curves - those that aren't accelerated should be re-enabled 1021 helper_disable_builtin_curves 1022 1023 # Restartable feature is not yet supported by PSA. Once it will in 1024 # the future, the following line could be removed (see issues 1025 # 6061, 6332 and following ones) 1026 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1027 1028 # this is not supported by the driver API yet 1029 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1030 1031 # Build 1032 # ----- 1033 1034 # These hashes are needed for some ECDSA signature tests. 1035 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1036 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1037 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1038 1039 helper_libtestdriver1_make_main "$loc_accel_list" 1040 1041 # ECP should be re-enabled but not the others 1042 not grep mbedtls_ecdh_ library/ecdh.o 1043 not grep mbedtls_ecdsa library/ecdsa.o 1044 not grep mbedtls_ecjpake library/ecjpake.o 1045 grep mbedtls_ecp library/ecp.o 1046 1047 # Run the tests 1048 # ------------- 1049 1050 msg "test suites: full with accelerated EC algs and some key types" 1051 make test 1052} 1053 1054# Run tests with only (non-)Weierstrass accelerated 1055# Common code used in: 1056# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves 1057# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves 1058common_test_psa_crypto_config_accel_ecc_some_curves () { 1059 weierstrass=$1 1060 if [ $weierstrass -eq 1 ]; then 1061 desc="Weierstrass" 1062 else 1063 desc="non-Weierstrass" 1064 fi 1065 1066 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" 1067 1068 # Note: Curves are handled in a special way by the libtestdriver machinery, 1069 # so we only want to include them in the accel list when building the main 1070 # libraries, hence the use of a separate variable. 1071 # Note: the following loop is a modified version of 1072 # helper_get_psa_curve_list that only keeps Weierstrass families. 1073 loc_weierstrass_list="" 1074 loc_non_weierstrass_list="" 1075 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do 1076 case $item in 1077 ECC_BRAINPOOL*|ECC_SECP*) 1078 loc_weierstrass_list="$loc_weierstrass_list $item" 1079 ;; 1080 *) 1081 loc_non_weierstrass_list="$loc_non_weierstrass_list $item" 1082 ;; 1083 esac 1084 done 1085 if [ $weierstrass -eq 1 ]; then 1086 loc_curve_list=$loc_weierstrass_list 1087 else 1088 loc_curve_list=$loc_non_weierstrass_list 1089 fi 1090 1091 # Algorithms and key types to accelerate 1092 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1093 ALG_ECDH \ 1094 ALG_JPAKE \ 1095 $(helper_get_psa_key_type_list "ECC") \ 1096 $loc_curve_list" 1097 1098 # Configure 1099 # --------- 1100 1101 # Start with config crypto_full and remove PK_C: 1102 # that's what's supported now, see docs/driver-only-builds.md. 1103 helper_libtestdriver1_adjust_config "crypto_full" 1104 scripts/config.py unset MBEDTLS_PK_C 1105 scripts/config.py unset MBEDTLS_PK_PARSE_C 1106 scripts/config.py unset MBEDTLS_PK_WRITE_C 1107 1108 # Disable modules that are accelerated - some will be re-enabled 1109 scripts/config.py unset MBEDTLS_ECDSA_C 1110 scripts/config.py unset MBEDTLS_ECDH_C 1111 scripts/config.py unset MBEDTLS_ECJPAKE_C 1112 scripts/config.py unset MBEDTLS_ECP_C 1113 1114 # Disable all curves - those that aren't accelerated should be re-enabled 1115 helper_disable_builtin_curves 1116 1117 # Restartable feature is not yet supported by PSA. Once it will in 1118 # the future, the following line could be removed (see issues 1119 # 6061, 6332 and following ones) 1120 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1121 1122 # this is not supported by the driver API yet 1123 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1124 1125 # Build 1126 # ----- 1127 1128 # These hashes are needed for some ECDSA signature tests. 1129 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1130 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1131 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1132 1133 helper_libtestdriver1_make_main "$loc_accel_list" 1134 1135 # We expect ECDH to be re-enabled for the missing curves 1136 grep mbedtls_ecdh_ library/ecdh.o 1137 # We expect ECP to be re-enabled, however the parts specific to the 1138 # families of curves that are accelerated should be ommited. 1139 # - functions with mxz in the name are specific to Montgomery curves 1140 # - ecp_muladd is specific to Weierstrass curves 1141 ##nm library/ecp.o | tee ecp.syms 1142 if [ $weierstrass -eq 1 ]; then 1143 not grep mbedtls_ecp_muladd library/ecp.o 1144 grep mxz library/ecp.o 1145 else 1146 grep mbedtls_ecp_muladd library/ecp.o 1147 not grep mxz library/ecp.o 1148 fi 1149 # We expect ECDSA and ECJPAKE to be re-enabled only when 1150 # Weierstrass curves are not accelerated 1151 if [ $weierstrass -eq 1 ]; then 1152 not grep mbedtls_ecdsa library/ecdsa.o 1153 not grep mbedtls_ecjpake library/ecjpake.o 1154 else 1155 grep mbedtls_ecdsa library/ecdsa.o 1156 grep mbedtls_ecjpake library/ecjpake.o 1157 fi 1158 1159 # Run the tests 1160 # ------------- 1161 1162 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" 1163 make test 1164} 1165 1166component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { 1167 common_test_psa_crypto_config_accel_ecc_some_curves 1 1168} 1169 1170component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { 1171 common_test_psa_crypto_config_accel_ecc_some_curves 0 1172} 1173 1174# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, 1175# ECDH, ECDSA) with and without drivers. 1176# The input parameter is a boolean value which indicates: 1177# - 0 keep built-in EC algs, 1178# - 1 exclude built-in EC algs (driver only). 1179# 1180# This is used by the two following components to ensure they always use the 1181# same config, except for the use of driver or built-in EC algorithms: 1182# - component_test_psa_crypto_config_accel_ecc_ecp_light_only; 1183# - component_test_psa_crypto_config_reference_ecc_ecp_light_only. 1184# This supports comparing their test coverage with analyze_outcomes.py. 1185config_psa_crypto_config_ecp_light_only () { 1186 driver_only="$1" 1187 # start with config full for maximum coverage (also enables USE_PSA) 1188 helper_libtestdriver1_adjust_config "full" 1189 if [ "$driver_only" -eq 1 ]; then 1190 # Disable modules that are accelerated 1191 scripts/config.py unset MBEDTLS_ECDSA_C 1192 scripts/config.py unset MBEDTLS_ECDH_C 1193 scripts/config.py unset MBEDTLS_ECJPAKE_C 1194 scripts/config.py unset MBEDTLS_ECP_C 1195 fi 1196 1197 # Restartable feature is not yet supported by PSA. Once it will in 1198 # the future, the following line could be removed (see issues 1199 # 6061, 6332 and following ones) 1200 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1201} 1202 1203# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only 1204component_test_psa_crypto_config_accel_ecc_ecp_light_only () { 1205 msg "build: full with accelerated EC algs" 1206 1207 # Algorithms and key types to accelerate 1208 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1209 ALG_ECDH \ 1210 ALG_JPAKE \ 1211 $(helper_get_psa_key_type_list "ECC") \ 1212 $(helper_get_psa_curve_list)" 1213 1214 # Configure 1215 # --------- 1216 1217 # Use the same config as reference, only without built-in EC algs 1218 config_psa_crypto_config_ecp_light_only 1 1219 1220 # Do not disable builtin curves because that support is required for: 1221 # - MBEDTLS_PK_PARSE_EC_EXTENDED 1222 # - MBEDTLS_PK_PARSE_EC_COMPRESSED 1223 1224 # Build 1225 # ----- 1226 1227 # These hashes are needed for some ECDSA signature tests. 1228 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1229 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1230 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1231 1232 helper_libtestdriver1_make_main "$loc_accel_list" 1233 1234 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1235 not grep mbedtls_ecdsa_ library/ecdsa.o 1236 not grep mbedtls_ecdh_ library/ecdh.o 1237 not grep mbedtls_ecjpake_ library/ecjpake.o 1238 not grep mbedtls_ecp_mul library/ecp.o 1239 1240 # Run the tests 1241 # ------------- 1242 1243 msg "test suites: full with accelerated EC algs" 1244 make test 1245 1246 msg "ssl-opt: full with accelerated EC algs" 1247 tests/ssl-opt.sh 1248} 1249 1250# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only 1251component_test_psa_crypto_config_reference_ecc_ecp_light_only () { 1252 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" 1253 1254 config_psa_crypto_config_ecp_light_only 0 1255 1256 make 1257 1258 msg "test suites: full with non-accelerated EC algs" 1259 make test 1260 1261 msg "ssl-opt: full with non-accelerated EC algs" 1262 tests/ssl-opt.sh 1263} 1264 1265# This helper function is used by: 1266# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() 1267# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 1268# to ensure that both tests use the same underlying configuration when testing 1269# driver's coverage with analyze_outcomes.py. 1270# 1271# This functions accepts 1 boolean parameter as follows: 1272# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore 1273# excluding their built-in implementation as well as ECP_C & ECP_LIGHT 1274# - 0: include built-in implementation of EC algorithms. 1275# 1276# PK_C and RSA_C are always disabled to ensure there is no remaining dependency 1277# on the ECP module. 1278config_psa_crypto_no_ecp_at_all () { 1279 driver_only="$1" 1280 # start with full config for maximum coverage (also enables USE_PSA) 1281 helper_libtestdriver1_adjust_config "full" 1282 1283 if [ "$driver_only" -eq 1 ]; then 1284 # Disable modules that are accelerated 1285 scripts/config.py unset MBEDTLS_ECDSA_C 1286 scripts/config.py unset MBEDTLS_ECDH_C 1287 scripts/config.py unset MBEDTLS_ECJPAKE_C 1288 # Disable ECP module (entirely) 1289 scripts/config.py unset MBEDTLS_ECP_C 1290 fi 1291 1292 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 1293 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1294 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1295 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1296 1297 # Restartable feature is not yet supported by PSA. Once it will in 1298 # the future, the following line could be removed (see issues 1299 # 6061, 6332 and following ones) 1300 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1301} 1302 1303# Build and test a configuration where driver accelerates all EC algs while 1304# all support and dependencies from ECP and ECP_LIGHT are removed on the library 1305# side. 1306# 1307# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 1308component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { 1309 msg "build: full + accelerated EC algs - ECP" 1310 1311 # Algorithms and key types to accelerate 1312 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1313 ALG_ECDH \ 1314 ALG_JPAKE \ 1315 $(helper_get_psa_key_type_list "ECC") \ 1316 $(helper_get_psa_curve_list)" 1317 1318 # Configure 1319 # --------- 1320 1321 # Set common configurations between library's and driver's builds 1322 config_psa_crypto_no_ecp_at_all 1 1323 # Disable all the builtin curves. All the required algs are accelerated. 1324 helper_disable_builtin_curves 1325 1326 # Build 1327 # ----- 1328 1329 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 1330 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 1331 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1332 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1333 1334 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1335 1336 helper_libtestdriver1_make_main "$loc_accel_list" 1337 1338 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1339 not grep mbedtls_ecdsa_ library/ecdsa.o 1340 not grep mbedtls_ecdh_ library/ecdh.o 1341 not grep mbedtls_ecjpake_ library/ecjpake.o 1342 # Also ensure that ECP module was not re-enabled 1343 not grep mbedtls_ecp_ library/ecp.o 1344 1345 # Run the tests 1346 # ------------- 1347 1348 msg "test: full + accelerated EC algs - ECP" 1349 make test 1350 1351 msg "ssl-opt: full + accelerated EC algs - ECP" 1352 tests/ssl-opt.sh 1353} 1354 1355# Reference function used for driver's coverage analysis in analyze_outcomes.py 1356# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). 1357# Keep in sync with its accelerated counterpart. 1358component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { 1359 msg "build: full + non accelerated EC algs" 1360 1361 config_psa_crypto_no_ecp_at_all 0 1362 1363 make 1364 1365 msg "test: full + non accelerated EC algs" 1366 make test 1367 1368 msg "ssl-opt: full + non accelerated EC algs" 1369 tests/ssl-opt.sh 1370} 1371 1372# This is a common configuration helper used directly from: 1373# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1374# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1375# and indirectly from: 1376# - component_test_psa_crypto_config_accel_ecc_no_bignum 1377# - accelerate all EC algs, disable RSA and FFDH 1378# - component_test_psa_crypto_config_reference_ecc_no_bignum 1379# - this is the reference component of the above 1380# - it still disables RSA and FFDH, but it uses builtin EC algs 1381# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1382# - accelerate all EC and FFDH algs, disable only RSA 1383# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1384# - this is the reference component of the above 1385# - it still disables RSA, but it uses builtin EC and FFDH algs 1386# 1387# This function accepts 2 parameters: 1388# $1: a boolean value which states if we are testing an accelerated scenario 1389# or not. 1390# $2: a string value which states which components are tested. Allowed values 1391# are "ECC" or "ECC_DH". 1392config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1393 driver_only="$1" 1394 test_target="$2" 1395 # start with full config for maximum coverage (also enables USE_PSA) 1396 helper_libtestdriver1_adjust_config "full" 1397 1398 if [ "$driver_only" -eq 1 ]; then 1399 # Disable modules that are accelerated 1400 scripts/config.py unset MBEDTLS_ECDSA_C 1401 scripts/config.py unset MBEDTLS_ECDH_C 1402 scripts/config.py unset MBEDTLS_ECJPAKE_C 1403 # Disable ECP module (entirely) 1404 scripts/config.py unset MBEDTLS_ECP_C 1405 # Also disable bignum 1406 scripts/config.py unset MBEDTLS_BIGNUM_C 1407 fi 1408 1409 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 1410 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1411 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1412 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1413 1414 # RSA support is intentionally disabled on this test because RSA_C depends 1415 # on BIGNUM_C. 1416 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" 1417 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" 1418 scripts/config.py unset MBEDTLS_RSA_C 1419 scripts/config.py unset MBEDTLS_PKCS1_V15 1420 scripts/config.py unset MBEDTLS_PKCS1_V21 1421 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1422 # Also disable key exchanges that depend on RSA 1423 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 1424 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 1425 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1426 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1427 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1428 1429 if [ "$test_target" = "ECC" ]; then 1430 # When testing ECC only, we disable FFDH support, both from builtin and 1431 # PSA sides, and also disable the key exchanges that depend on DHM. 1432 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH 1433 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" 1434 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" 1435 scripts/config.py unset MBEDTLS_DHM_C 1436 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1437 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1438 else 1439 # When testing ECC and DH instead, we disable DHM and depending key 1440 # exchanges only in the accelerated build 1441 if [ "$driver_only" -eq 1 ]; then 1442 scripts/config.py unset MBEDTLS_DHM_C 1443 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 1444 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1445 fi 1446 fi 1447 1448 # Restartable feature is not yet supported by PSA. Once it will in 1449 # the future, the following line could be removed (see issues 1450 # 6061, 6332 and following ones) 1451 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1452} 1453 1454# Common helper used by: 1455# - component_test_psa_crypto_config_accel_ecc_no_bignum 1456# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1457# 1458# The goal is to build and test accelerating either: 1459# - ECC only or 1460# - both ECC and FFDH 1461# 1462# It is meant to be used in conjunction with 1463# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers 1464# coverage analysis in the "analyze_outcomes.py" script. 1465common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1466 test_target="$1" 1467 1468 # This is an internal helper to simplify text message handling 1469 if [ "$test_target" = "ECC_DH" ]; then 1470 accel_text="ECC/FFDH" 1471 removed_text="ECP - DH" 1472 else 1473 accel_text="ECC" 1474 removed_text="ECP" 1475 fi 1476 1477 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1478 1479 # By default we accelerate all EC keys/algs 1480 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1481 ALG_ECDH \ 1482 ALG_JPAKE \ 1483 $(helper_get_psa_key_type_list "ECC") \ 1484 $(helper_get_psa_curve_list)" 1485 # Optionally we can also add DH to the list of accelerated items 1486 if [ "$test_target" = "ECC_DH" ]; then 1487 loc_accel_list="$loc_accel_list \ 1488 ALG_FFDH \ 1489 $(helper_get_psa_key_type_list "DH") \ 1490 $(helper_get_psa_dh_group_list)" 1491 fi 1492 1493 # Configure 1494 # --------- 1495 1496 # Set common configurations between library's and driver's builds 1497 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" 1498 # Disable all the builtin curves. All the required algs are accelerated. 1499 helper_disable_builtin_curves 1500 1501 # Build 1502 # ----- 1503 1504 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 1505 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 1506 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1507 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1508 1509 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1510 1511 helper_libtestdriver1_make_main "$loc_accel_list" 1512 1513 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1514 not grep mbedtls_ecdsa_ library/ecdsa.o 1515 not grep mbedtls_ecdh_ library/ecdh.o 1516 not grep mbedtls_ecjpake_ library/ecjpake.o 1517 # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled 1518 not grep mbedtls_ecp_ library/ecp.o 1519 not grep mbedtls_rsa_ library/rsa.o 1520 not grep mbedtls_mpi_ library/bignum.o 1521 not grep mbedtls_dhm_ library/dhm.o 1522 1523 # Run the tests 1524 # ------------- 1525 1526 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM" 1527 1528 make test 1529 1530 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1531 tests/ssl-opt.sh 1532} 1533 1534# Common helper used by: 1535# - component_test_psa_crypto_config_reference_ecc_no_bignum 1536# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1537# 1538# The goal is to build and test a reference scenario (i.e. with builtin 1539# components) compared to the ones used in 1540# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. 1541# 1542# It is meant to be used in conjunction with 1543# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' 1544# coverage analysis in "analyze_outcomes.py" script. 1545common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 1546 test_target="$1" 1547 1548 # This is an internal helper to simplify text message handling 1549 if [ "$test_target" = "ECC_DH" ]; then 1550 accel_text="ECC/FFDH" 1551 else 1552 accel_text="ECC" 1553 fi 1554 1555 msg "build: full + non accelerated $accel_text algs + USE_PSA" 1556 1557 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" 1558 1559 make 1560 1561 msg "test suites: full + non accelerated EC algs + USE_PSA" 1562 make test 1563 1564 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" 1565 tests/ssl-opt.sh 1566} 1567 1568component_test_psa_crypto_config_accel_ecc_no_bignum () { 1569 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" 1570} 1571 1572component_test_psa_crypto_config_reference_ecc_no_bignum () { 1573 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" 1574} 1575 1576component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1577 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" 1578} 1579 1580component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 1581 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" 1582} 1583 1584# Helper for setting common configurations between: 1585# - component_test_tfm_config_p256m_driver_accel_ec() 1586# - component_test_tfm_config() 1587common_tfm_config () { 1588 # Enable TF-M config 1589 cp configs/config-tfm.h "$CONFIG_H" 1590 echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" 1591 cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" 1592 1593 # Other config adjustment to make the tests pass. 1594 # This should probably be adopted upstream. 1595 # 1596 # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS 1597 echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" 1598 1599 # Config adjustment for better test coverage in our environment. 1600 # This is not needed just to build and pass tests. 1601 # 1602 # Enable filesystem I/O for the benefit of PK parse/write tests. 1603 echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" 1604} 1605 1606# Keep this in sync with component_test_tfm_config() as they are both meant 1607# to be used in analyze_outcomes.py for driver's coverage analysis. 1608component_test_tfm_config_p256m_driver_accel_ec () { 1609 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 1610 1611 common_tfm_config 1612 1613 # Build crypto library 1614 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS" 1615 1616 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1617 not grep mbedtls_ecdsa_ library/ecdsa.o 1618 not grep mbedtls_ecdh_ library/ecdh.o 1619 not grep mbedtls_ecjpake_ library/ecjpake.o 1620 # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled 1621 not grep mbedtls_ecp_ library/ecp.o 1622 not grep mbedtls_rsa_ library/rsa.o 1623 not grep mbedtls_dhm_ library/dhm.o 1624 not grep mbedtls_mpi_ library/bignum.o 1625 # Check that p256m was built 1626 grep -q p256_ecdsa_ library/libmbedcrypto.a 1627 1628 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration 1629 # files, so we want to ensure that it has not be re-enabled accidentally. 1630 not grep mbedtls_cipher library/cipher.o 1631 1632 # Run the tests 1633 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 1634 make test 1635} 1636 1637# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as 1638# they are both meant to be used in analyze_outcomes.py for driver's coverage 1639# analysis. 1640component_test_tfm_config () { 1641 common_tfm_config 1642 1643 # Disable P256M driver, which is on by default, so that analyze_outcomes 1644 # can compare this test with test_tfm_config_p256m_driver_accel_ec 1645 echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" 1646 1647 msg "build: TF-M config" 1648 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests 1649 1650 # Check that p256m was not built 1651 not grep p256_ecdsa_ library/libmbedcrypto.a 1652 1653 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration 1654 # files, so we want to ensure that it has not be re-enabled accidentally. 1655 not grep mbedtls_cipher library/cipher.o 1656 1657 msg "test: TF-M config" 1658 make test 1659} 1660 1661# This is an helper used by: 1662# - component_test_psa_ecc_key_pair_no_derive 1663# - component_test_psa_ecc_key_pair_no_generate 1664# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols 1665# enabled, but one. Input arguments are as follows: 1666# - $1 is the key type under test, i.e. ECC/RSA/DH 1667# - $2 is the key option to be unset (i.e. generate, derive, etc) 1668build_and_test_psa_want_key_pair_partial () { 1669 key_type=$1 1670 unset_option=$2 1671 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" 1672 1673 msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" 1674 scripts/config.py full 1675 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1676 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1677 1678 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in 1679 # crypto_config.h so we just disable the one we don't want. 1680 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" 1681 1682 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 1683 1684 msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" 1685 make test 1686} 1687 1688component_test_psa_ecc_key_pair_no_derive () { 1689 build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" 1690} 1691 1692component_test_psa_ecc_key_pair_no_generate () { 1693 build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" 1694} 1695 1696config_psa_crypto_accel_rsa () { 1697 driver_only=$1 1698 1699 # Start from crypto_full config (no X.509, no TLS) 1700 helper_libtestdriver1_adjust_config "crypto_full" 1701 1702 if [ "$driver_only" -eq 1 ]; then 1703 # Remove RSA support and its dependencies 1704 scripts/config.py unset MBEDTLS_RSA_C 1705 scripts/config.py unset MBEDTLS_PKCS1_V15 1706 scripts/config.py unset MBEDTLS_PKCS1_V21 1707 1708 # We need PEM parsing in the test library as well to support the import 1709 # of PEM encoded RSA keys. 1710 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C 1711 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C 1712 fi 1713} 1714 1715component_test_psa_crypto_config_accel_rsa_crypto () { 1716 msg "build: crypto_full with accelerated RSA" 1717 1718 loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ 1719 ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ 1720 KEY_TYPE_RSA_PUBLIC_KEY \ 1721 KEY_TYPE_RSA_KEY_PAIR_BASIC \ 1722 KEY_TYPE_RSA_KEY_PAIR_GENERATE \ 1723 KEY_TYPE_RSA_KEY_PAIR_IMPORT \ 1724 KEY_TYPE_RSA_KEY_PAIR_EXPORT" 1725 1726 # Configure 1727 # --------- 1728 1729 config_psa_crypto_accel_rsa 1 1730 1731 # Build 1732 # ----- 1733 1734 # These hashes are needed for unit tests. 1735 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1736 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" 1737 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1738 1739 helper_libtestdriver1_make_main "$loc_accel_list" 1740 1741 # Make sure this was not re-enabled by accident (additive config) 1742 not grep mbedtls_rsa library/rsa.o 1743 1744 # Run the tests 1745 # ------------- 1746 1747 msg "test: crypto_full with accelerated RSA" 1748 make test 1749} 1750 1751component_test_psa_crypto_config_reference_rsa_crypto () { 1752 msg "build: crypto_full with non-accelerated RSA" 1753 1754 # Configure 1755 # --------- 1756 config_psa_crypto_accel_rsa 0 1757 1758 # Build 1759 # ----- 1760 make 1761 1762 # Run the tests 1763 # ------------- 1764 msg "test: crypto_full with non-accelerated RSA" 1765 make test 1766} 1767 1768# This is a temporary test to verify that full RSA support is present even when 1769# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. 1770component_test_new_psa_want_key_pair_symbol () { 1771 msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 1772 1773 # Create a temporary output file unless there is already one set 1774 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then 1775 REMOVE_OUTCOME_ON_EXIT="no" 1776 else 1777 REMOVE_OUTCOME_ON_EXIT="yes" 1778 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" 1779 export MBEDTLS_TEST_OUTCOME_FILE 1780 fi 1781 1782 # Start from crypto configuration 1783 scripts/config.py crypto 1784 1785 # Remove RSA support and its dependencies 1786 scripts/config.py unset MBEDTLS_PKCS1_V15 1787 scripts/config.py unset MBEDTLS_PKCS1_V21 1788 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 1789 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1790 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1791 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 1792 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 1793 scripts/config.py unset MBEDTLS_RSA_C 1794 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1795 1796 # Enable PSA support 1797 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 1798 1799 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure 1800 # that proper translations is done in crypto_legacy.h. 1801 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1802 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1803 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1804 1805 make 1806 1807 msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 1808 make test 1809 1810 # Parse only 1 relevant line from the outcome file, i.e. a test which is 1811 # performing RSA signature. 1812 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" 1813 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" 1814 1815 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then 1816 rm $MBEDTLS_TEST_OUTCOME_FILE 1817 fi 1818} 1819 1820component_test_psa_crypto_config_accel_hash () { 1821 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" 1822 1823 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 1824 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1825 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1826 1827 # Configure 1828 # --------- 1829 1830 # Start from default config (no USE_PSA) 1831 helper_libtestdriver1_adjust_config "default" 1832 1833 # Disable the things that are being accelerated 1834 scripts/config.py unset MBEDTLS_MD5_C 1835 scripts/config.py unset MBEDTLS_RIPEMD160_C 1836 scripts/config.py unset MBEDTLS_SHA1_C 1837 scripts/config.py unset MBEDTLS_SHA224_C 1838 scripts/config.py unset MBEDTLS_SHA256_C 1839 scripts/config.py unset MBEDTLS_SHA384_C 1840 scripts/config.py unset MBEDTLS_SHA512_C 1841 scripts/config.py unset MBEDTLS_SHA3_C 1842 1843 # Build 1844 # ----- 1845 1846 helper_libtestdriver1_make_drivers "$loc_accel_list" 1847 1848 helper_libtestdriver1_make_main "$loc_accel_list" 1849 1850 # There's a risk of something getting re-enabled via config_psa.h; 1851 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 1852 not grep mbedtls_md5 library/md5.o 1853 not grep mbedtls_sha1 library/sha1.o 1854 not grep mbedtls_sha256 library/sha256.o 1855 not grep mbedtls_sha512 library/sha512.o 1856 not grep mbedtls_ripemd160 library/ripemd160.o 1857 1858 # Run the tests 1859 # ------------- 1860 1861 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" 1862 make test 1863} 1864 1865component_test_psa_crypto_config_accel_hash_keep_builtins () { 1866 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" 1867 # This component ensures that all the test cases for 1868 # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run. 1869 1870 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 1871 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1872 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1873 1874 # Start from default config (no USE_PSA) 1875 helper_libtestdriver1_adjust_config "default" 1876 1877 helper_libtestdriver1_make_drivers "$loc_accel_list" 1878 1879 helper_libtestdriver1_make_main "$loc_accel_list" 1880 1881 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" 1882 make test 1883} 1884 1885# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. 1886component_build_psa_accel_alg_ecdh () { 1887 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" 1888 scripts/config.py full 1889 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1890 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1891 scripts/config.py unset MBEDTLS_ECDH_C 1892 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1893 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 1894 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 1895 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1896 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 1897 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1898 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1899} 1900 1901# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. 1902component_build_psa_accel_alg_hmac () { 1903 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" 1904 scripts/config.py full 1905 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1906 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1907 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1908 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1909} 1910 1911# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. 1912component_build_psa_accel_alg_hkdf () { 1913 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" 1914 scripts/config.py full 1915 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1916 scripts/config.py unset MBEDTLS_HKDF_C 1917 # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. 1918 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1919 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1920 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1921} 1922 1923# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. 1924component_build_psa_accel_alg_md5 () { 1925 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" 1926 scripts/config.py full 1927 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1928 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1929 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 1930 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 1931 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 1932 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 1933 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 1934 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 1935 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1936 scripts/config.py unset MBEDTLS_LMS_C 1937 scripts/config.py unset MBEDTLS_LMS_PRIVATE 1938 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1939 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1940} 1941 1942# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. 1943component_build_psa_accel_alg_ripemd160 () { 1944 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" 1945 scripts/config.py full 1946 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1947 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1948 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 1949 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 1950 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 1951 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 1952 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 1953 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 1954 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1955 scripts/config.py unset MBEDTLS_LMS_C 1956 scripts/config.py unset MBEDTLS_LMS_PRIVATE 1957 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1958 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1959} 1960 1961# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. 1962component_build_psa_accel_alg_sha1 () { 1963 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" 1964 scripts/config.py full 1965 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1966 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1967 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 1968 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 1969 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 1970 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 1971 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 1972 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 1973 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1974 scripts/config.py unset MBEDTLS_LMS_C 1975 scripts/config.py unset MBEDTLS_LMS_PRIVATE 1976 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1977 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1978} 1979 1980# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. 1981component_build_psa_accel_alg_sha224 () { 1982 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" 1983 scripts/config.py full 1984 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 1985 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 1986 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 1987 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 1988 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 1989 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 1990 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 1991 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1992 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 1993 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 1994} 1995 1996# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. 1997component_build_psa_accel_alg_sha256 () { 1998 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" 1999 scripts/config.py full 2000 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2001 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2002 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2003 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2004 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2005 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2006 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2007 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 2008 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2009 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2010} 2011 2012# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. 2013component_build_psa_accel_alg_sha384 () { 2014 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" 2015 scripts/config.py full 2016 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2017 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2018 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2019 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2020 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2021 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2022 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2023 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2024 scripts/config.py unset MBEDTLS_LMS_C 2025 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2026 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2027 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2028} 2029 2030# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. 2031component_build_psa_accel_alg_sha512 () { 2032 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" 2033 scripts/config.py full 2034 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2035 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2036 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 2037 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 2038 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 2039 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 2040 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 2041 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 2042 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 2043 scripts/config.py unset MBEDTLS_LMS_C 2044 scripts/config.py unset MBEDTLS_LMS_PRIVATE 2045 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2046 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2047} 2048 2049# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2050component_build_psa_accel_alg_rsa_pkcs1v15_crypt () { 2051 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2052 scripts/config.py full 2053 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2054 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2055 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 2056 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 2057 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 2058 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 2059 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2060 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2061} 2062 2063# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2064component_build_psa_accel_alg_rsa_pkcs1v15_sign () { 2065 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2066 scripts/config.py full 2067 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2068 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2069 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 2070 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 2071 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 2072 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 2073 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2074 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2075} 2076 2077# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2078component_build_psa_accel_alg_rsa_oaep () { 2079 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2080 scripts/config.py full 2081 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2082 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2083 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1 2084 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 2085 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 2086 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS 2087 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2088 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2089} 2090 2091# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2092component_build_psa_accel_alg_rsa_pss () { 2093 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" 2094 scripts/config.py full 2095 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2096 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2097 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 2098 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 2099 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN 2100 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP 2101 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2102 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2103} 2104 2105# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2106component_build_psa_accel_key_type_rsa_key_pair () { 2107 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS" 2108 scripts/config.py full 2109 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2110 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2111 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 2112 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 2113 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 2114 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 2115 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 2116 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2117 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2118} 2119 2120# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 2121component_build_psa_accel_key_type_rsa_public_key () { 2122 msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" 2123 scripts/config.py full 2124 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 2125 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 2126 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 2127 scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 2128 # Need to define the correct symbol and include the test driver header path in order to build with the test driver 2129 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS" 2130} 2131 2132# Auxiliary function to build config for hashes with and without drivers 2133config_psa_crypto_hash_use_psa () { 2134 driver_only="$1" 2135 # start with config full for maximum coverage (also enables USE_PSA) 2136 helper_libtestdriver1_adjust_config "full" 2137 if [ "$driver_only" -eq 1 ]; then 2138 # disable the built-in implementation of hashes 2139 scripts/config.py unset MBEDTLS_MD5_C 2140 scripts/config.py unset MBEDTLS_RIPEMD160_C 2141 scripts/config.py unset MBEDTLS_SHA1_C 2142 scripts/config.py unset MBEDTLS_SHA224_C 2143 scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below 2144 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 2145 scripts/config.py unset MBEDTLS_SHA384_C 2146 scripts/config.py unset MBEDTLS_SHA512_C 2147 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2148 scripts/config.py unset MBEDTLS_SHA3_C 2149 fi 2150} 2151 2152# Note that component_test_psa_crypto_config_reference_hash_use_psa 2153# is related to this component and both components need to be kept in sync. 2154# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. 2155component_test_psa_crypto_config_accel_hash_use_psa () { 2156 msg "test: full with accelerated hashes" 2157 2158 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 2159 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2160 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2161 2162 # Configure 2163 # --------- 2164 2165 config_psa_crypto_hash_use_psa 1 2166 2167 # Build 2168 # ----- 2169 2170 helper_libtestdriver1_make_drivers "$loc_accel_list" 2171 2172 helper_libtestdriver1_make_main "$loc_accel_list" 2173 2174 # There's a risk of something getting re-enabled via config_psa.h; 2175 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 2176 not grep mbedtls_md5 library/md5.o 2177 not grep mbedtls_sha1 library/sha1.o 2178 not grep mbedtls_sha256 library/sha256.o 2179 not grep mbedtls_sha512 library/sha512.o 2180 not grep mbedtls_ripemd160 library/ripemd160.o 2181 2182 # Run the tests 2183 # ------------- 2184 2185 msg "test: full with accelerated hashes" 2186 make test 2187 2188 # This is mostly useful so that we can later compare outcome files with 2189 # the reference config in analyze_outcomes.py, to check that the 2190 # dependency declarations in ssl-opt.sh and in TLS code are correct. 2191 msg "test: ssl-opt.sh, full with accelerated hashes" 2192 tests/ssl-opt.sh 2193 2194 # This is to make sure all ciphersuites are exercised, but we don't need 2195 # interop testing (besides, we already got some from ssl-opt.sh). 2196 msg "test: compat.sh, full with accelerated hashes" 2197 tests/compat.sh -p mbedTLS -V YES 2198} 2199 2200# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa 2201# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py 2202# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). 2203# Both components need to be kept in sync. 2204component_test_psa_crypto_config_reference_hash_use_psa () { 2205 msg "test: full without accelerated hashes" 2206 2207 config_psa_crypto_hash_use_psa 0 2208 2209 make 2210 2211 msg "test: full without accelerated hashes" 2212 make test 2213 2214 msg "test: ssl-opt.sh, full without accelerated hashes" 2215 tests/ssl-opt.sh 2216} 2217 2218# Auxiliary function to build config for hashes with and without drivers 2219config_psa_crypto_hmac_use_psa () { 2220 driver_only="$1" 2221 # start with config full for maximum coverage (also enables USE_PSA) 2222 helper_libtestdriver1_adjust_config "full" 2223 2224 if [ "$driver_only" -eq 1 ]; then 2225 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT 2226 # is still enabled though (for ENTROPY_C among others). 2227 scripts/config.py unset MBEDTLS_MD_C 2228 # Disable also the builtin hashes since they are supported by the driver 2229 # and MD module is able to perform PSA dispathing. 2230 scripts/config.py unset-all MBEDTLS_SHA 2231 scripts/config.py unset MBEDTLS_MD5_C 2232 scripts/config.py unset MBEDTLS_RIPEMD160_C 2233 fi 2234 2235 # Direct dependencies of MD_C. We disable them also in the reference 2236 # component to work with the same set of features. 2237 scripts/config.py unset MBEDTLS_PKCS7_C 2238 scripts/config.py unset MBEDTLS_PKCS5_C 2239 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 2240 scripts/config.py unset MBEDTLS_HKDF_C 2241 # Dependencies of HMAC_DRBG 2242 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC 2243 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA 2244} 2245 2246component_test_psa_crypto_config_accel_hmac () { 2247 msg "test: full with accelerated hmac" 2248 2249 loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ 2250 ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 2251 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 2252 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 2253 2254 # Configure 2255 # --------- 2256 2257 config_psa_crypto_hmac_use_psa 1 2258 2259 # Build 2260 # ----- 2261 2262 helper_libtestdriver1_make_drivers "$loc_accel_list" 2263 2264 helper_libtestdriver1_make_main "$loc_accel_list" 2265 2266 # Ensure that built-in support for HMAC is disabled. 2267 not grep mbedtls_md_hmac library/md.o 2268 2269 # Run the tests 2270 # ------------- 2271 2272 msg "test: full with accelerated hmac" 2273 make test 2274} 2275 2276component_test_psa_crypto_config_reference_hmac () { 2277 msg "test: full without accelerated hmac" 2278 2279 config_psa_crypto_hmac_use_psa 0 2280 2281 make 2282 2283 msg "test: full without accelerated hmac" 2284 make test 2285} 2286 2287component_test_psa_crypto_config_accel_des () { 2288 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" 2289 2290 # Albeit this components aims at accelerating DES which should only support 2291 # CBC and ECB modes, we need to accelerate more than that otherwise DES_C 2292 # would automatically be re-enabled by "config_adjust_legacy_from_psa.c" 2293 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ 2294 ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \ 2295 KEY_TYPE_DES" 2296 2297 # Note: we cannot accelerate all ciphers' key types otherwise we would also 2298 # have to either disable CCM/GCM or accelerate them, but that's out of scope 2299 # of this component. This limitation will be addressed by #8598. 2300 2301 # Configure 2302 # --------- 2303 2304 # Start from the full config 2305 helper_libtestdriver1_adjust_config "full" 2306 2307 # Disable the things that are being accelerated 2308 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2309 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 2310 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR 2311 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB 2312 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB 2313 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2314 scripts/config.py unset MBEDTLS_DES_C 2315 scripts/config.py unset MBEDTLS_CMAC_C 2316 2317 # Build 2318 # ----- 2319 2320 helper_libtestdriver1_make_drivers "$loc_accel_list" 2321 2322 helper_libtestdriver1_make_main "$loc_accel_list" 2323 2324 # Make sure this was not re-enabled by accident (additive config) 2325 not grep mbedtls_des* library/des.o 2326 2327 # Run the tests 2328 # ------------- 2329 2330 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" 2331 make test 2332} 2333 2334component_test_psa_crypto_config_accel_aead () { 2335 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" 2336 2337 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ 2338 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 2339 2340 # Configure 2341 # --------- 2342 2343 # Start from full config 2344 helper_libtestdriver1_adjust_config "full" 2345 2346 # Disable things that are being accelerated 2347 scripts/config.py unset MBEDTLS_GCM_C 2348 scripts/config.py unset MBEDTLS_CCM_C 2349 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2350 2351 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. 2352 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 2353 2354 # Build 2355 # ----- 2356 2357 helper_libtestdriver1_make_drivers "$loc_accel_list" 2358 2359 helper_libtestdriver1_make_main "$loc_accel_list" 2360 2361 # Make sure this was not re-enabled by accident (additive config) 2362 not grep mbedtls_ccm library/ccm.o 2363 not grep mbedtls_gcm library/gcm.o 2364 not grep mbedtls_chachapoly library/chachapoly.o 2365 2366 # Run the tests 2367 # ------------- 2368 2369 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" 2370 make test 2371} 2372 2373# This is a common configuration function used in: 2374# - component_test_psa_crypto_config_accel_cipher_aead_cmac 2375# - component_test_psa_crypto_config_reference_cipher_aead_cmac 2376common_psa_crypto_config_accel_cipher_aead_cmac () { 2377 # Start from the full config 2378 helper_libtestdriver1_adjust_config "full" 2379 2380 scripts/config.py unset MBEDTLS_NIST_KW_C 2381} 2382 2383# The 2 following test components, i.e. 2384# - component_test_psa_crypto_config_accel_cipher_aead_cmac 2385# - component_test_psa_crypto_config_reference_cipher_aead_cmac 2386# are meant to be used together in analyze_outcomes.py script in order to test 2387# driver's coverage for ciphers and AEADs. 2388component_test_psa_crypto_config_accel_cipher_aead_cmac () { 2389 msg "build: full config with accelerated cipher inc. AEAD and CMAC" 2390 2391 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ 2392 ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \ 2393 ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ 2394 KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" 2395 2396 # Configure 2397 # --------- 2398 2399 common_psa_crypto_config_accel_cipher_aead_cmac 2400 2401 # Disable the things that are being accelerated 2402 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2403 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 2404 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR 2405 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB 2406 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB 2407 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2408 scripts/config.py unset MBEDTLS_GCM_C 2409 scripts/config.py unset MBEDTLS_CCM_C 2410 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2411 scripts/config.py unset MBEDTLS_CMAC_C 2412 scripts/config.py unset MBEDTLS_DES_C 2413 scripts/config.py unset MBEDTLS_AES_C 2414 scripts/config.py unset MBEDTLS_ARIA_C 2415 scripts/config.py unset MBEDTLS_CHACHA20_C 2416 scripts/config.py unset MBEDTLS_CAMELLIA_C 2417 2418 # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA 2419 # does not depend on it. 2420 scripts/config.py unset MBEDTLS_CIPHER_C 2421 2422 # Build 2423 # ----- 2424 2425 helper_libtestdriver1_make_drivers "$loc_accel_list" 2426 2427 helper_libtestdriver1_make_main "$loc_accel_list" 2428 2429 # Make sure this was not re-enabled by accident (additive config) 2430 not grep mbedtls_cipher library/cipher.o 2431 not grep mbedtls_des library/des.o 2432 not grep mbedtls_aes library/aes.o 2433 not grep mbedtls_aria library/aria.o 2434 not grep mbedtls_camellia library/camellia.o 2435 not grep mbedtls_ccm library/ccm.o 2436 not grep mbedtls_gcm library/gcm.o 2437 not grep mbedtls_chachapoly library/chachapoly.o 2438 not grep mbedtls_cmac library/cmac.o 2439 2440 # Run the tests 2441 # ------------- 2442 2443 msg "test: full config with accelerated cipher inc. AEAD and CMAC" 2444 make test 2445 2446 msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" 2447 tests/ssl-opt.sh 2448 2449 msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" 2450 tests/compat.sh -V NO -p mbedTLS 2451} 2452 2453component_test_psa_crypto_config_reference_cipher_aead_cmac () { 2454 msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" 2455 common_psa_crypto_config_accel_cipher_aead_cmac 2456 2457 make 2458 2459 msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" 2460 make test 2461 2462 msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" 2463 tests/ssl-opt.sh 2464 2465 msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" 2466 tests/compat.sh -V NO -p mbedTLS 2467} 2468 2469common_block_cipher_dispatch () { 2470 TEST_WITH_DRIVER="$1" 2471 2472 # Start from the full config 2473 helper_libtestdriver1_adjust_config "full" 2474 2475 if [ "$TEST_WITH_DRIVER" -eq 1 ]; then 2476 # Disable key types that are accelerated (there is no legacy equivalent 2477 # symbol for ECB) 2478 scripts/config.py unset MBEDTLS_AES_C 2479 scripts/config.py unset MBEDTLS_ARIA_C 2480 scripts/config.py unset MBEDTLS_CAMELLIA_C 2481 fi 2482 2483 # Disable cipher's modes that, when not accelerated, cause 2484 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". 2485 # Keep this also in the reference component in order to skip the same tests 2486 # that were skipped in the accelerated one. 2487 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR 2488 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB 2489 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB 2490 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 2491 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 2492 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC 2493 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 2494 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 2495 2496 # Disable direct dependency on AES_C 2497 scripts/config.py unset MBEDTLS_NIST_KW_C 2498 2499 # Prevent the cipher module from using deprecated PSA path. The reason is 2500 # that otherwise there will be tests relying on "aes_info" (defined in 2501 # "cipher_wrap.c") whose functions are not available when AES_C is 2502 # not defined. ARIA and Camellia are not a problem in this case because 2503 # the PSA path is not tested for these key types. 2504 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED 2505} 2506 2507component_test_full_block_cipher_psa_dispatch_static_keystore () { 2508 msg "build: full + PSA dispatch in block_cipher with static keystore" 2509 # Check that the static key store works well when CTR_DRBG uses a 2510 # PSA key for AES. 2511 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 2512 2513 loc_accel_list="ALG_ECB_NO_PADDING \ 2514 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 2515 2516 # Configure 2517 # --------- 2518 2519 common_block_cipher_dispatch 1 2520 2521 # Build 2522 # ----- 2523 2524 helper_libtestdriver1_make_drivers "$loc_accel_list" 2525 2526 helper_libtestdriver1_make_main "$loc_accel_list" 2527 2528 # Make sure disabled components were not re-enabled by accident (additive 2529 # config) 2530 not grep mbedtls_aes_ library/aes.o 2531 not grep mbedtls_aria_ library/aria.o 2532 not grep mbedtls_camellia_ library/camellia.o 2533 2534 # Run the tests 2535 # ------------- 2536 2537 msg "test: full + PSA dispatch in block_cipher with static keystore" 2538 make test 2539} 2540 2541component_test_full_block_cipher_psa_dispatch () { 2542 msg "build: full + PSA dispatch in block_cipher" 2543 2544 loc_accel_list="ALG_ECB_NO_PADDING \ 2545 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 2546 2547 # Configure 2548 # --------- 2549 2550 common_block_cipher_dispatch 1 2551 2552 # Build 2553 # ----- 2554 2555 helper_libtestdriver1_make_drivers "$loc_accel_list" 2556 2557 helper_libtestdriver1_make_main "$loc_accel_list" 2558 2559 # Make sure disabled components were not re-enabled by accident (additive 2560 # config) 2561 not grep mbedtls_aes_ library/aes.o 2562 not grep mbedtls_aria_ library/aria.o 2563 not grep mbedtls_camellia_ library/camellia.o 2564 2565 # Run the tests 2566 # ------------- 2567 2568 msg "test: full + PSA dispatch in block_cipher" 2569 make test 2570} 2571 2572# This is the reference component of component_test_full_block_cipher_psa_dispatch 2573component_test_full_block_cipher_legacy_dispatch () { 2574 msg "build: full + legacy dispatch in block_cipher" 2575 2576 common_block_cipher_dispatch 0 2577 2578 make 2579 2580 msg "test: full + legacy dispatch in block_cipher" 2581 make test 2582} 2583 2584component_test_aead_chachapoly_disabled () { 2585 msg "build: full minus CHACHAPOLY" 2586 scripts/config.py full 2587 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2588 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 2589 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 2590 2591 msg "test: full minus CHACHAPOLY" 2592 make test 2593} 2594 2595component_test_aead_only_ccm () { 2596 msg "build: full minus CHACHAPOLY and GCM" 2597 scripts/config.py full 2598 scripts/config.py unset MBEDTLS_CHACHAPOLY_C 2599 scripts/config.py unset MBEDTLS_GCM_C 2600 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 2601 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM 2602 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 2603 2604 msg "test: full minus CHACHAPOLY and GCM" 2605 make test 2606} 2607 2608component_test_ccm_aes_sha256 () { 2609 msg "build: CCM + AES + SHA256 configuration" 2610 2611 cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H" 2612 cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" 2613 2614 make 2615 2616 msg "test: CCM + AES + SHA256 configuration" 2617 make test 2618} 2619 2620# Test that the given .o file builds with all (valid) combinations of the given options. 2621# 2622# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ... 2623# 2624# The validator function is the name of a function to validate the combination of options. 2625# It may be "" if all combinations are valid. 2626# It receives a string containing a combination of options, as passed to the compiler, 2627# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid. 2628build_test_config_combos () { 2629 file=$1 2630 shift 2631 validate_options=$1 2632 shift 2633 options=("$@") 2634 2635 # clear all of the options so that they can be overridden on the clang commandline 2636 for opt in "${options[@]}"; do 2637 ./scripts/config.py unset ${opt} 2638 done 2639 2640 # enter the directory containing the target file & strip the dir from the filename 2641 cd $(dirname ${file}) 2642 file=$(basename ${file}) 2643 2644 # The most common issue is unused variables/functions, so ensure -Wunused is set. 2645 warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" 2646 2647 # Extract the command generated by the Makefile to build the target file. 2648 # This ensures that we have any include paths, macro definitions, etc 2649 # that may be applied by make. 2650 # Add -fsyntax-only as we only want a syntax check and don't need to generate a file. 2651 compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c" 2652 2653 makefile=$(TMPDIR=. mktemp) 2654 deps="" 2655 2656 len=${#options[@]} 2657 source_file=${file%.o}.c 2658 2659 targets=0 2660 echo 'include Makefile' >${makefile} 2661 2662 for ((i = 0; i < $((2**${len})); i++)); do 2663 # generate each of 2^n combinations of options 2664 # each bit of $i is used to determine if options[i] will be set or not 2665 target="t" 2666 clang_args="" 2667 for ((j = 0; j < ${len}; j++)); do 2668 if (((i >> j) & 1)); then 2669 opt=-D${options[$j]} 2670 clang_args="${clang_args} ${opt}" 2671 target="${target}${opt}" 2672 fi 2673 done 2674 2675 # if combination is not known to be invalid, add it to the makefile 2676 if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then 2677 cmd="${compile_cmd} ${clang_args}" 2678 echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile} 2679 2680 deps="${deps} ${target}" 2681 ((++targets)) 2682 fi 2683 done 2684 2685 echo "build_test_config_combos: ${deps}" >> ${makefile} 2686 2687 # execute all of the commands via Make (probably in parallel) 2688 make -s -f ${makefile} build_test_config_combos 2689 echo "$targets targets checked" 2690 2691 # clean up the temporary makefile 2692 rm ${makefile} 2693} 2694 2695validate_aes_config_variations () { 2696 if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then 2697 if [[ "$1" == *"MBEDTLS_PADLOCK_C"* ]]; then 2698 return 1 2699 fi 2700 if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \ 2701 ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then 2702 return 1 2703 fi 2704 fi 2705 return 0 2706} 2707 2708component_build_aes_variations () { 2709 # 18s - around 90ms per clang invocation on M1 Pro 2710 # 2711 # aes.o has many #if defined(...) guards that intersect in complex ways. 2712 # Test that all the combinations build cleanly. 2713 2714 MBEDTLS_ROOT_DIR="$PWD" 2715 msg "build: aes.o for all combinations of relevant config options" 2716 2717 build_test_config_combos library/aes.o validate_aes_config_variations \ 2718 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ 2719 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ 2720 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ 2721 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" 2722 2723 cd "$MBEDTLS_ROOT_DIR" 2724 msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT" 2725 2726 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES, 2727 # manually set or unset those configurations to check 2728 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. 2729 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 2730 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2731 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2732 scripts/config.py unset MBEDTLS_DES_C 2733 scripts/config.py unset MBEDTLS_NIST_KW_C 2734 build_test_config_combos library/aes.o validate_aes_config_variations \ 2735 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ 2736 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ 2737 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ 2738 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" 2739} 2740 2741component_test_sha3_variations () { 2742 msg "sha3 loop unroll variations" 2743 2744 # define minimal config sufficient to test SHA3 2745 cat > include/mbedtls/mbedtls_config.h << END 2746 #define MBEDTLS_SELF_TEST 2747 #define MBEDTLS_SHA3_C 2748END 2749 2750 msg "all loops unrolled" 2751 make clean 2752 make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" 2753 ./tests/test_suite_shax 2754 2755 msg "all loops rolled up" 2756 make clean 2757 make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" 2758 ./tests/test_suite_shax 2759} 2760 2761# For timebeing, no aarch64 gcc available in CI and no arm64 CI node. 2762component_build_aes_aesce_armcc () { 2763 msg "Build: AESCE test on arm64 platform without plain C." 2764 scripts/config.py baremetal 2765 2766 # armc[56] don't support SHA-512 intrinsics 2767 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2768 2769 # Stop armclang warning about feature detection for A64_CRYPTO. 2770 # With this enabled, the library does build correctly under armclang, 2771 # but in baremetal builds (as tested here), feature detection is 2772 # unavailable, and the user is notified via a #warning. So enabling 2773 # this feature would prevent us from building with -Werror on 2774 # armclang. Tracked in #7198. 2775 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 2776 scripts/config.py set MBEDTLS_HAVE_ASM 2777 2778 msg "AESCE, build with default configuration." 2779 scripts/config.py set MBEDTLS_AESCE_C 2780 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 2781 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 2782 2783 msg "AESCE, build AESCE only" 2784 scripts/config.py set MBEDTLS_AESCE_C 2785 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY 2786 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 2787} 2788 2789support_build_aes_aesce_armcc () { 2790 support_build_armcc 2791} 2792 2793component_test_aes_only_128_bit_keys () { 2794 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" 2795 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2796 scripts/config.py unset MBEDTLS_PADLOCK_C 2797 2798 make CFLAGS='-O2 -Werror -Wall -Wextra' 2799 2800 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" 2801 make test 2802} 2803 2804component_test_no_ctr_drbg_aes_only_128_bit_keys () { 2805 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 2806 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2807 scripts/config.py unset MBEDTLS_CTR_DRBG_C 2808 scripts/config.py unset MBEDTLS_PADLOCK_C 2809 2810 make CC=clang CFLAGS='-Werror -Wall -Wextra' 2811 2812 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 2813 make test 2814} 2815 2816component_test_aes_only_128_bit_keys_have_builtins () { 2817 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2818 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2819 scripts/config.py unset MBEDTLS_PADLOCK_C 2820 scripts/config.py unset MBEDTLS_AESNI_C 2821 scripts/config.py unset MBEDTLS_AESCE_C 2822 2823 make CFLAGS='-O2 -Werror -Wall -Wextra' 2824 2825 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2826 make test 2827 2828 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2829 programs/test/selftest 2830} 2831 2832component_test_gcm_largetable () { 2833 msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" 2834 scripts/config.py set MBEDTLS_GCM_LARGE_TABLE 2835 scripts/config.py unset MBEDTLS_PADLOCK_C 2836 scripts/config.py unset MBEDTLS_AESNI_C 2837 scripts/config.py unset MBEDTLS_AESCE_C 2838 2839 make CFLAGS='-O2 -Werror -Wall -Wextra' 2840 2841 msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" 2842 make test 2843} 2844 2845component_test_aes_fewer_tables () { 2846 msg "build: default config with AES_FEWER_TABLES enabled" 2847 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 2848 make CFLAGS='-O2 -Werror -Wall -Wextra' 2849 2850 msg "test: AES_FEWER_TABLES" 2851 make test 2852} 2853 2854component_test_aes_rom_tables () { 2855 msg "build: default config with AES_ROM_TABLES enabled" 2856 scripts/config.py set MBEDTLS_AES_ROM_TABLES 2857 make CFLAGS='-O2 -Werror -Wall -Wextra' 2858 2859 msg "test: AES_ROM_TABLES" 2860 make test 2861} 2862 2863component_test_aes_fewer_tables_and_rom_tables () { 2864 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" 2865 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 2866 scripts/config.py set MBEDTLS_AES_ROM_TABLES 2867 make CFLAGS='-O2 -Werror -Wall -Wextra' 2868 2869 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" 2870 make test 2871} 2872 2873# helper for common_block_cipher_no_decrypt() which: 2874# - enable/disable the list of config options passed from -s/-u respectively. 2875# - build 2876# - test for tests_suite_xxx 2877# - selftest 2878# 2879# Usage: helper_block_cipher_no_decrypt_build_test 2880# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]] 2881# Options: -s set_opts the list of config options to enable 2882# -u unset_opts the list of config options to disable 2883# -c cflags the list of options passed to CFLAGS 2884# -l ldflags the list of options passed to LDFLAGS 2885helper_block_cipher_no_decrypt_build_test () { 2886 while [ $# -gt 0 ]; do 2887 case "$1" in 2888 -s) 2889 shift; local set_opts="$1";; 2890 -u) 2891 shift; local unset_opts="$1";; 2892 -c) 2893 shift; local cflags="-Werror -Wall -Wextra $1";; 2894 -l) 2895 shift; local ldflags="$1";; 2896 esac 2897 shift 2898 done 2899 set_opts="${set_opts:-}" 2900 unset_opts="${unset_opts:-}" 2901 cflags="${cflags:-}" 2902 ldflags="${ldflags:-}" 2903 2904 [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts 2905 [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts 2906 2907 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 2908 make clean 2909 make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" 2910 2911 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA 2912 not grep mbedtls_aes_setkey_dec library/aes.o 2913 not grep mbedtls_aria_setkey_dec library/aria.o 2914 not grep mbedtls_camellia_setkey_dec library/camellia.o 2915 # Make sure we don't have mbedtls_internal_aes_decrypt in AES 2916 not grep mbedtls_internal_aes_decrypt library/aes.o 2917 # Make sure we don't have mbedtls_aesni_inverse_key in AESNI 2918 not grep mbedtls_aesni_inverse_key library/aesni.o 2919 2920 msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 2921 make test 2922 2923 msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 2924 programs/test/selftest 2925} 2926 2927# This is a common configuration function used in: 2928# - component_test_block_cipher_no_decrypt_aesni_legacy() 2929# - component_test_block_cipher_no_decrypt_aesni_use_psa() 2930# in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, 2931# AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics 2932# on x86. 2933common_block_cipher_no_decrypt () { 2934 # test AESNI intrinsics 2935 helper_block_cipher_no_decrypt_build_test \ 2936 -s "MBEDTLS_AESNI_C" \ 2937 -c "-mpclmul -msse2 -maes" 2938 2939 # test AESNI assembly 2940 helper_block_cipher_no_decrypt_build_test \ 2941 -s "MBEDTLS_AESNI_C" \ 2942 -c "-mno-pclmul -mno-sse2 -mno-aes" 2943 2944 # test AES C implementation 2945 helper_block_cipher_no_decrypt_build_test \ 2946 -u "MBEDTLS_AESNI_C" 2947 2948 # test AESNI intrinsics for i386 target 2949 helper_block_cipher_no_decrypt_build_test \ 2950 -s "MBEDTLS_AESNI_C" \ 2951 -c "-m32 -mpclmul -msse2 -maes" \ 2952 -l "-m32" 2953} 2954 2955# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: 2956# usage: 0: no PSA crypto configuration 2957# 1: use PSA crypto configuration 2958config_block_cipher_no_decrypt () { 2959 use_psa=$1 2960 2961 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 2962 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC 2963 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS 2964 scripts/config.py unset MBEDTLS_DES_C 2965 scripts/config.py unset MBEDTLS_NIST_KW_C 2966 2967 if [ "$use_psa" -eq 1 ]; then 2968 # Enable support for cryptographic mechanisms through the PSA API. 2969 # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. 2970 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 2971 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 2972 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 2973 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 2974 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES 2975 fi 2976} 2977 2978component_test_block_cipher_no_decrypt_aesni () { 2979 # This consistently causes an llvm crash on clang 3.8, so use gcc 2980 export CC=gcc 2981 config_block_cipher_no_decrypt 0 2982 common_block_cipher_no_decrypt 2983} 2984 2985component_test_block_cipher_no_decrypt_aesni_use_psa () { 2986 # This consistently causes an llvm crash on clang 3.8, so use gcc 2987 export CC=gcc 2988 config_block_cipher_no_decrypt 1 2989 common_block_cipher_no_decrypt 2990} 2991 2992support_test_block_cipher_no_decrypt_aesce_armcc () { 2993 support_build_armcc 2994} 2995 2996component_test_block_cipher_no_decrypt_aesce_armcc () { 2997 scripts/config.py baremetal 2998 2999 # armc[56] don't support SHA-512 intrinsics 3000 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 3001 3002 # Stop armclang warning about feature detection for A64_CRYPTO. 3003 # With this enabled, the library does build correctly under armclang, 3004 # but in baremetal builds (as tested here), feature detection is 3005 # unavailable, and the user is notified via a #warning. So enabling 3006 # this feature would prevent us from building with -Werror on 3007 # armclang. Tracked in #7198. 3008 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 3009 scripts/config.py set MBEDTLS_HAVE_ASM 3010 3011 config_block_cipher_no_decrypt 1 3012 3013 # test AESCE baremetal build 3014 scripts/config.py set MBEDTLS_AESCE_C 3015 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE" 3016 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra" 3017 3018 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA 3019 not grep mbedtls_aes_setkey_dec library/aes.o 3020 not grep mbedtls_aria_setkey_dec library/aria.o 3021 not grep mbedtls_camellia_setkey_dec library/camellia.o 3022 # Make sure we don't have mbedtls_internal_aes_decrypt in AES 3023 not grep mbedtls_internal_aes_decrypt library/aes.o 3024 # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE 3025 not grep mbedtls_aesce_inverse_key library/aesce.o 3026 not grep aesce_decrypt_block library/aesce.o 3027} 3028 3029component_test_ctr_drbg_aes_256_sha_256 () { 3030 msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3031 scripts/config.py full 3032 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3033 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 3034 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3035 make 3036 3037 msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3038 make test 3039} 3040 3041component_test_ctr_drbg_aes_128_sha_512 () { 3042 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 3043 scripts/config.py full 3044 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3045 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 3046 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3047 make 3048 3049 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 3050 make test 3051} 3052 3053component_test_ctr_drbg_aes_128_sha_256 () { 3054 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3055 scripts/config.py full 3056 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 3057 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 3058 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 3059 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3060 make 3061 3062 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" 3063 make test 3064} 3065 3066component_test_se_default () { 3067 msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C" 3068 scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C 3069 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" 3070 3071 msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C" 3072 make test 3073} 3074 3075component_test_full_static_keystore () { 3076 msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" 3077 scripts/config.py full 3078 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 3079 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" 3080 3081 msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" 3082 make test 3083} 3084 3085component_test_psa_crypto_drivers () { 3086 msg "build: full + test drivers dispatching to builtins" 3087 scripts/config.py full 3088 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG 3089 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" 3090 loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" 3091 loc_cflags="${loc_cflags} -I../tests/include -O2" 3092 3093 make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" 3094 3095 msg "test: full + test drivers dispatching to builtins" 3096 make test 3097} 3098 3099component_build_psa_config_file () { 3100 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s 3101 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 3102 cp "$CRYPTO_CONFIG_H" psa_test_config.h 3103 echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" 3104 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" 3105 # Make sure this feature is enabled. We'll disable it in the next phase. 3106 programs/test/query_compile_time_config MBEDTLS_CMAC_C 3107 make clean 3108 3109 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s 3110 # In the user config, disable one feature and its dependencies, which will 3111 # reflect on the mbedtls configuration so we can query it with 3112 # query_compile_time_config. 3113 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h 3114 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h 3115 scripts/config.py unset MBEDTLS_CMAC_C 3116 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" 3117 not programs/test/query_compile_time_config MBEDTLS_CMAC_C 3118 3119 rm -f psa_test_config.h psa_user_config.h 3120} 3121 3122component_build_psa_alt_headers () { 3123 msg "build: make with PSA alt headers" # ~20s 3124 3125 # Generate alternative versions of the substitutable headers with the 3126 # same content except different include guards. 3127 make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h 3128 3129 # Build the library and some programs. 3130 # Don't build the fuzzers to avoid having to go through hoops to set 3131 # a correct include path for programs/fuzz/Makefile. 3132 make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib 3133 make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" 3134 3135 # Check that we're getting the alternative include guards and not the 3136 # original include guards. 3137 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H 3138 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H 3139 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H 3140 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H 3141} 3142 3143component_test_min_mpi_window_size () { 3144 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s 3145 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 3146 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 3147 make 3148 3149 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s 3150 make test 3151} 3152
