From bb47c7368b32919df8fcb125e154fe763b65256e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 12:13:16 +0200 Subject: [PATCH 01/11] CMake: support "make programs" Signed-off-by: Gilles Peskine --- programs/CMakeLists.txt | 3 +++ programs/aes/CMakeLists.txt | 1 + programs/cipher/CMakeLists.txt | 1 + programs/fuzz/CMakeLists.txt | 2 ++ programs/hash/CMakeLists.txt | 1 + programs/pkey/CMakeLists.txt | 2 ++ programs/psa/CMakeLists.txt | 1 + programs/random/CMakeLists.txt | 1 + programs/ssl/CMakeLists.txt | 1 + programs/test/CMakeLists.txt | 2 ++ programs/util/CMakeLists.txt | 1 + programs/x509/CMakeLists.txt | 1 + 12 files changed, 17 insertions(+) diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index 0633aa6499..aaf93ba38d 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -1,3 +1,6 @@ +set(programs_target "${MBEDTLS_TARGET_PREFIX}programs") +add_custom_target(${programs_target}) + add_subdirectory(aes) add_subdirectory(cipher) if (NOT WIN32) diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt index ccb8db564f..4d4c890fbf 100644 --- a/programs/aes/CMakeLists.txt +++ b/programs/aes/CMakeLists.txt @@ -1,6 +1,7 @@ set(executables crypt_and_hash ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt index e925524f68..effaf8a931 100644 --- a/programs/cipher/CMakeLists.txt +++ b/programs/cipher/CMakeLists.txt @@ -1,6 +1,7 @@ set(executables cipher_aead_demo ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index c389029bca..f5358ffff6 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt 
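Review bot: `programs_target` is introduced in programs/CMakeLists.txt as a plain directory variable with no comment, yet every `programs/*/CMakeLists.txt` hunk in this patch depends on inheriting it from the parent directory. A short comment above the `set` would document that contract, for example `# Umbrella target: each subdirectory attaches its executables with add_dependencies(${programs_target} ...)`. It should also say that the variable must be set before the `add_subdirectory` calls that follow, since a subdirectory processed without it would pass its first executable name as the target argument.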
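Review bot: In programs/aes/CMakeLists.txt the added `add_dependencies(${programs_target} ${executables})` sits above the `foreach` that calls `add_executable`, so the listed names are not targets yet when the call runs. CMake resolves dependency names at generate time, so this works, but a reader will stop at it; a comment such as `# Executables are created in the loop below; add_dependencies accepts names of targets defined later` would settle the question. The same placement is used in the cipher, fuzz, hash, pkey, psa, random, ssl, test, util and x509 hunks of this patch. The `foreach` body continues outside the hunk.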
@@ -15,6 +15,7 @@ set(executables_no_common_c fuzz_x509csr fuzz_pkcs7 ) +add_dependencies(${programs_target} ${executables_no_common_c}) set(executables_with_common_c fuzz_privkey @@ -23,6 +24,7 @@ set(executables_with_common_c fuzz_dtlsserver fuzz_server ) +add_dependencies(${programs_target} ${executables_with_common_c}) foreach(exe IN LISTS executables_no_common_c executables_with_common_c) diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt index fcacf3ba4f..0ad974d9a9 100644 --- a/programs/hash/CMakeLists.txt +++ b/programs/hash/CMakeLists.txt @@ -3,6 +3,7 @@ set(executables hello md_hmac_demo ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index cd0387a882..defbe281d9 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -2,6 +2,7 @@ set(executables_mbedtls dh_client dh_server ) +add_dependencies(${programs_target} ${executables_mbedtls}) foreach(exe IN LISTS executables_mbedtls) add_executable(${exe} ${exe}.c $) @@ -29,6 +30,7 @@ set(executables_mbedcrypto rsa_verify rsa_verify_pss ) +add_dependencies(${programs_target} ${executables_mbedcrypto}) foreach(exe IN LISTS executables_mbedcrypto) add_executable(${exe} ${exe}.c $) diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt index a8e4b0e372..a6933a6e2b 100644 --- a/programs/psa/CMakeLists.txt +++ b/programs/psa/CMakeLists.txt @@ -6,6 +6,7 @@ set(executables psa_constant_names psa_hash ) +add_dependencies(${programs_target} ${executables}) if(GEN_FILES) add_custom_command( diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt index 5940395354..f0c78259ff 100644 --- a/programs/random/CMakeLists.txt +++ b/programs/random/CMakeLists.txt 
@@ -2,6 +2,7 @@ set(executables gen_entropy gen_random_ctr_drbg ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index ec2c86fb4a..f4fb477ebf 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -16,6 +16,7 @@ set(executables ssl_server ssl_server2 ) +add_dependencies(${programs_target} ${executables}) if(GEN_FILES) # Inform CMake that the following file will be generated as part of the build diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 0d43ffddd3..e3db8dd9bf 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -8,12 +8,14 @@ set(executables_libs selftest udp_proxy ) +add_dependencies(${programs_target} ${executables_libs}) set(executables_mbedcrypto benchmark query_compile_time_config zeroize ) +add_dependencies(${programs_target} ${executables_mbedcrypto}) if(TEST_CPP) set(cpp_dummy_build_cpp "${CMAKE_CURRENT_BINARY_DIR}/cpp_dummy_build.cpp") diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt index cb6bc3d2d2..264d9416cc 100644 --- a/programs/util/CMakeLists.txt +++ b/programs/util/CMakeLists.txt @@ -6,6 +6,7 @@ set(executables pem2der strerror ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt index 43437f070b..a09813c917 100644 --- a/programs/x509/CMakeLists.txt +++ b/programs/x509/CMakeLists.txt @@ -10,6 +10,7 @@ set(executables load_roots req_app ) +add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) From 7215b1e9c9752a69c8268841ccdb221b22f1560a Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Sat, 14 Sep 2024 12:18:00 +0200 Subject: [PATCH 02/11] CMake: support "make ssl-opt" to just build what ssl-opt.sh needs This also suffices for compat.sh. Include the sample programs in this build. They aren't tested by ssl-opt.sh yet, but they soon will be. Signed-off-by: Gilles Peskine --- programs/CMakeLists.txt | 3 +++ programs/ssl/CMakeLists.txt | 1 + programs/test/CMakeLists.txt | 2 ++ 3 files changed, 6 insertions(+) diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index aaf93ba38d..e031544a9c 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -1,6 +1,9 @@ set(programs_target "${MBEDTLS_TARGET_PREFIX}programs") add_custom_target(${programs_target}) +set(ssl_opt_target "${MBEDTLS_TARGET_PREFIX}ssl-opt") +add_custom_target(${ssl_opt_target}) + add_subdirectory(aes) add_subdirectory(cipher) if (NOT WIN32) diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index f4fb477ebf..02010d8a7f 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -17,6 +17,7 @@ set(executables ssl_server2 ) add_dependencies(${programs_target} ${executables}) +add_dependencies(${ssl_opt_target} ${executables}) if(GEN_FILES) # Inform CMake that the following file will be generated as part of the build diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index e3db8dd9bf..1670b949f4 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -9,6 +9,7 @@ set(executables_libs udp_proxy ) add_dependencies(${programs_target} ${executables_libs}) +add_dependencies(${ssl_opt_target} udp_proxy) set(executables_mbedcrypto benchmark @@ -16,6 +17,7 @@ set(executables_mbedcrypto zeroize ) add_dependencies(${programs_target} ${executables_mbedcrypto}) +add_dependencies(${ssl_opt_target} query_compile_time_config) if(TEST_CPP) set(cpp_dummy_build_cpp "${CMAKE_CURRENT_BINARY_DIR}/cpp_dummy_build.cpp") 
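Review bot: In programs/test/CMakeLists.txt the two `add_dependencies(${ssl_opt_target} ...)` lines name `udp_proxy` and `query_compile_time_config` literally, with no comment on why these two are picked out of `executables_libs` and `executables_mbedcrypto`. The programs/Makefile change in patch 03 carries a comment for the equivalent list; the CMake side should too, e.g. `# Helper programs that ssl-opt.sh and compat.sh run, in addition to everything in programs/ssl`. The `if(TEST_CPP)` block after the second hunk extends beyond what is shown.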
From b35ed4565ace7b92fbf10c9968326c75a8c2224c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 13:05:51 +0200 Subject: [PATCH 03/11] make: support "make ssl-opt" to just build what ssl-opt.sh needs This also suffices for compat.sh. Include the sample programs in this build. They aren't tested by ssl-opt.sh yet, but they soon will be. Signed-off-by: Gilles Peskine --- Makefile | 3 +++ programs/Makefile | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/Makefile b/Makefile index fb80529efa..00de60823b 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,9 @@ no_test: programs programs: lib mbedtls_test $(MAKE) -C programs +ssl-opt: lib mbedtls_test + $(MAKE) -C programs ssl-opt + lib: $(MAKE) -C library diff --git a/programs/Makefile b/programs/Makefile index 8d1da6dbe7..0604a68a3c 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -116,6 +116,12 @@ ifndef WINDOWS all: fuzz endif +SSL_OPT_APPS = $(filter ssl/%,$(APPS)) +SSL_OPT_APPS += test/query_compile_time_config test/udp_proxy +# Just the programs needed to run ssl-opt.sh (and compat.sh) +ssl-opt: $(patsubst %,%$(EXEXT),$(SSL_OPT_APPS)) +.PHONY: ssl-opt + fuzz: ${MBEDTLS_TEST_OBJS} $(MAKE) -C fuzz From 4d347aa4336db3ba44295b8ec6938afc8221510b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 18:55:08 +0200 Subject: [PATCH 04/11] Move config-no-entropy.h testing to separate all.sh component Signed-off-by: Gilles Peskine --- .../components-configuration-crypto.sh | 19 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 2 -- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index da0e180801..83188aed10 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
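Review bot: The new top-level `ssl-opt` rule produces no file of that name, but the Makefile hunk does not declare it phony, whereas the programs/Makefile hunk of the same patch adds `.PHONY: ssl-opt`. If the top-level Makefile keeps a `.PHONY` list outside the hunk, `ssl-opt` should be appended to it; otherwise add `.PHONY: ssl-opt` next to the rule. Depending on how `lib` and `mbedtls_test` are declared, a stray file or directory called `ssl-opt` in the source root could otherwise make the rule look up to date.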
@@ -162,6 +162,25 @@ component_test_rsa_no_crt () { tests/context-info.sh } +component_test_config_no_entropy () { + msg "build: configs/config-no-entropy.h" + cp configs/config-no-entropy.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-no-entropy.h - unit tests" + make test +} + component_test_no_ctr_drbg_classic () { msg "build: Full minus CTR_DRBG, classic crypto in TLS" scripts/config.py full diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 5557de3276..9198293d46 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -24,8 +24,6 @@ my %configs = ( 'opt' => ' ', 'opt_needs_debug' => 1, }, - 'config-no-entropy.h' => { - }, 'config-suite-b.h' => { 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'opt' => ' ', From f3d501919133a904c508f6bcd0f141c6a9475e14 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:10:05 +0200 Subject: [PATCH 05/11] Move config-ccm-psk-tls1_2.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 46 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 3 -- 2 files changed, 46 insertions(+), 3 deletions(-) 
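Review bot: The comment block in `component_test_config_no_entropy` still opens with `test-ref-configs works by overwriting mbedtls_config.h`, but the overwrite is now done by the `cp configs/config-no-entropy.h "$CONFIG_H"` line just above it, and patch 11/11 deletes test-ref-configs.pl. Reword the opening to something like `# This component overwrites mbedtls_config.h; this makes cmake` so the explanation still makes sense once the script is gone. The same nine-line comment and the `cmake -D GEN_FILES=Off ...` / `make` pair are repeated verbatim in the components added by patches 05 to 09. A single helper function holding the comment and the two commands would leave one place to keep accurate.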
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 7debb342b0..55135062ce 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh 
@@ -224,6 +224,52 @@ component_test_tls1_2_ecjpake_compatibility () { rm s2_no_use_psa c2_no_use_psa } +component_test_tls1_2_ccm_psk_legacy () { + msg "build: configs/config-ccm-psk-tls1_2.h" + cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-tls1_2.h - unit tests" + make test + + msg "test: configs/config-ccm-psk-tls1_2.h - compat.sh" + tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' +} + +component_test_tls1_2_ccm_psk_psa () { + msg "build: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO" + cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. 
So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO - compat.sh" + tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' +} + component_test_small_ssl_out_content_len () { msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 9198293d46..92197d7c5e 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,9 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-ccm-psk-tls1_2.h' => { - 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', - }, 'config-ccm-psk-dtls1_2.h' => { 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'opt' => ' ', From 9929237537b4c301f5a90d7688b56437a4dc7095 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:19:31 +0200 Subject: [PATCH 06/11] Move config-ccm-psk-dtls1_2.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 66 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 5 -- 2 files changed, 66 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 55135062ce..380334cb7e 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh 
@@ -270,6 +270,72 @@ component_test_tls1_2_ccm_psk_psa () { tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' } +component_test_tls1_2_ccm_psk_dtls_legacy () { + msg "build: configs/config-ccm-psk-dtls1_2.h" + cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-dtls1_2.h - unit tests" + make test + + msg "test: configs/config-ccm-psk-dtls1_2.h - compat.sh" + tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' + + msg "build: configs/config-ccm-psk-dtls1_2.h + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-ccm-psk-dtls1_2.h + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + +component_test_tls1_2_ccm_psk_dtls_psa () { + msg "build: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO" + cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. 
+ # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO - compat.sh" + tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' + + msg "build: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + component_test_small_ssl_out_content_len () { msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 92197d7c5e..27620b2c58 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,11 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-ccm-psk-dtls1_2.h' => { - 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', - 'opt' => ' ', - 'opt_needs_debug' => 1, - }, 'config-suite-b.h' => { 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'opt' => ' ', From e9cd6a70111855e2e0e5ab5726829227adebe5ec Mon Sep 17 00:00:00 2001 
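Review bot: The `+ DEBUG` phase of `component_test_tls1_2_ccm_psk_dtls_legacy` (`make clean`, setting `MBEDTLS_DEBUG_C` and `MBEDTLS_ERROR_C`, `make ssl-opt`) has no comment saying why ssl-opt.sh gets a second build; in the removed Perl table this was recorded as `'opt_needs_debug' => 1`. A line such as `# ssl-opt.sh needs a build with debug output, so rebuild with MBEDTLS_DEBUG_C before running it` would keep that information. It would also help to note that `make ssl-opt` here is presumably the CMake-generated target from patch 02, since the component configures in-tree with `cmake .`; that is inferred from the series rather than visible in the hunk. The same applies to `component_test_tls1_2_ccm_psk_dtls_psa` in this hunk and to both `config_suite_b` components in patch 07.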
From: Gilles Peskine Date: Sat, 14 Sep 2024 11:21:29 +0200 Subject: [PATCH 07/11] Move config-suite-b.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 66 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 5 -- 2 files changed, 66 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 380334cb7e..62a09cddce 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh 
@@ -9,6 +9,72 @@ #### Configuration Testing - TLS ################################################################ +component_test_config_suite_b_legacy () { + msg "build: configs/config-suite-b.h" + cp configs/config-suite-b.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-suite-b.h - unit tests" + make test + + msg "test: configs/config-suite-b.h - compat.sh" + tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS + + msg "build: configs/config-suite-b.h + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-suite-b.h + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + +component_test_config_suite_b_psa () { + msg "build: configs/config-suite-b.h + USE_PSA_CRYPTO" + cp configs/config-suite-b.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. 
+ # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO - compat.sh" + tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS + + msg "build: configs/config-suite-b.h + USE_PSA_CRYPTO + DEBUG" + MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" + make clean + scripts/config.py set MBEDTLS_DEBUG_C + scripts/config.py set MBEDTLS_ERROR_C + make ssl-opt + + msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO + DEBUG - ssl-opt.sh" + tests/ssl-opt.sh +} + component_test_no_renegotiation () { msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 27620b2c58..dbe373c59c 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,11 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-suite-b.h' => { - 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", - 'opt' => ' ', - 'opt_needs_debug' => 1, - }, 'config-symmetric-only.h' => { }, 'config-tfm.h' => { From e62925f1e61fe7c8b6da4267e8d46dccee446128 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:24:07 +0200 Subject: [PATCH 08/11] Move config-thread.h testing to separate all.sh components 
Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-tls.sh | 46 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 3 -- 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 62a09cddce..23c9d68b9f 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh 
@@ -257,6 +257,52 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { tests/ssl-opt.sh -f "TLS 1.2" } +component_test_config_thread_legacy () { + msg "build: configs/config-thread.h" + cp configs/config-thread.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-thread.h - unit tests" + make test + + msg "test: configs/config-thread.h - ssl-opt.sh" + tests/ssl-opt.sh -f 'ECJPAKE.*nolog' +} + +component_test_config_thread_psa () { + msg "build: configs/config-thread.h + USE_PSA_CRYPTO" + cp configs/config-thread.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. 
So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-thread.h + USE_PSA_CRYPTO - unit tests" + make test + + msg "test: configs/config-thread.h + USE_PSA_CRYPTO - ssl-opt.sh" + tests/ssl-opt.sh -f 'ECJPAKE.*nolog' +} + # We're not aware of any other (open source) implementation of EC J-PAKE in TLS # that we could use for interop testing. However, we now have sort of two # implementations ourselves: one using PSA, the other not. At least test that diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index dbe373c59c..269fb2130e 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -20,9 +20,6 @@ my %configs = ( }, 'config-tfm.h' => { }, - 'config-thread.h' => { - 'opt' => '-f ECJPAKE.*nolog', - }, ); # If no config-name is provided, use all known configs. From dbd0f424b0d2f91a8432ac1cc22335fd93d7436b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:27:44 +0200 Subject: [PATCH 09/11] Move config-symmetric-only.h testing to separate all.sh components Signed-off-by: Gilles Peskine --- .../components-configuration-crypto.sh | 40 +++++++++++++++++++ tests/scripts/test-ref-configs.pl | 2 - 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 83188aed10..15b0f397d1 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -535,6 +535,46 @@ component_test_full_no_ccm_star_no_tag () { make test } +component_test_config_symmetric_only_legacy () { + msg "build: configs/config-symmetric-only.h" + cp configs/config-symmetric-only.h "$CONFIG_H" + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-symmetric-only.h - unit tests" + make test +} + +component_test_config_symmetric_only_psa () { + msg "build: configs/config-symmetric-only.h + USE_PSA_CRYPTO" + cp configs/config-symmetric-only.h "$CONFIG_H" + scripts/config.py set MBEDTLS_PSA_CRYPTO_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. 
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-symmetric-only.h + USE_PSA_CRYPTO - unit tests" + make test +} + component_test_full_no_bignum () { msg "build: full minus bignum" scripts/config.py full diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 269fb2130e..e6a499da9b 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,8 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-symmetric-only.h' => { - }, 'config-tfm.h' => { }, ); From ced0edc43e01aaff4885b81960a799d3e39bb115 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:35:36 +0200 Subject: [PATCH 10/11] Move config-tfm.h testing to separate all.sh component Rename the existing component_test_tfm_config which tests a modified version of config-tfm.h for the sake of driver-vs-reference comparison. Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 2 +- .../scripts/components-configuration-crypto.sh | 18 ++++++++++++++---- tests/scripts/test-ref-configs.pl | 2 -- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 58c17831ae..e78e90c1f5 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -576,7 +576,7 @@ KNOWN_TASKS = { 'analyze_driver_vs_reference_tfm_config': { 'test_function': do_analyze_driver_vs_reference, 'args': { - 'component_ref': 'test_tfm_config', + 'component_ref': 'test_tfm_config_no_p256m', 'component_driver': 'test_tfm_config_p256m_driver_accel_ec', 'ignored_suites': [ # Modules replaced by drivers diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 15b0f397d1..459aa6fe5a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -1640,9 +1640,19 @@ component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" } +component_test_tfm_config_as_is () { + msg "build: configs/config-tfm.h" + cp configs/config-tfm.h "$CONFIG_H" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: configs/config-tfm.h - unit tests" + make test +} + # Helper for setting common configurations between: # - component_test_tfm_config_p256m_driver_accel_ec() -# - component_test_tfm_config() +# - component_test_tfm_config_no_p256m() common_tfm_config () { # Enable TF-M config cp configs/config-tfm.h "$CONFIG_H" @@ -1696,14 +1706,14 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as # they are both meant to be used in analyze_outcomes.py for driver's coverage # analysis. -component_test_tfm_config () { +component_test_tfm_config_no_p256m () { common_tfm_config # Disable P256M driver, which is on by default, so that analyze_outcomes # can compare this test with test_tfm_config_p256m_driver_accel_ec echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" - msg "build: TF-M config" + msg "build: TF-M config without p256m" make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests # Check that p256m was not built @@ -1713,7 +1723,7 @@ component_test_tfm_config () { # files, so we want to ensure that it has not be re-enabled accidentally. not grep mbedtls_cipher library/cipher.o - msg "test: TF-M config" + msg "test: TF-M config without p256m" make test } diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index e6a499da9b..2e97510774 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,8 +16,6 @@ use warnings; use strict; my %configs = ( - 'config-tfm.h' => { - }, ); # If no config-name is provided, use all known configs. 
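Review bot: `component_test_tfm_config_as_is` copies a reference config over `$CONFIG_H` and then runs `cmake -D CMAKE_BUILD_TYPE:String=Asan .` without `-D GEN_FILES=Off`. The symmetric-only components added earlier in this series, and the `component_test_ref_configs` that patch 11 removes, both pass that option for exactly this situation. If the re-generation problem described in their comment also applies to config-tfm.h, this build may fail or try to regenerate files. I would use `CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .` here, or add a comment saying why the option is not needed for this config.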
From fde24b85ae066bb6d8ed517636e0cd7a82e2474b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 14 Sep 2024 11:41:36 +0200 Subject: [PATCH 11/11] Remove test-ref-configs.pl, which no longer does anything Signed-off-by: Gilles Peskine --- tests/scripts/basic-in-docker.sh | 1 - tests/scripts/components-configuration.sh | 15 --- tests/scripts/test-ref-configs.pl | 136 ---------------------- 3 files changed, 152 deletions(-) delete mode 100755 tests/scripts/test-ref-configs.pl diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh index 3aca3a134d..81ee8d61e1 100755 --- a/tests/scripts/basic-in-docker.sh +++ b/tests/scripts/basic-in-docker.sh @@ -31,7 +31,6 @@ for compiler in clang gcc; do run_in_docker programs/test/selftest run_in_docker -e OSSL_NO_DTLS=1 tests/compat.sh run_in_docker tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' - run_in_docker tests/scripts/test-ref-configs.pl run_in_docker tests/scripts/depends.py curves run_in_docker tests/scripts/depends.py kex done diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 3a75c4c1e7..559f353d85 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh 
@@ -129,21 +129,6 @@ component_test_full_cmake_gcc_asan_new_bignum () { tests/context-info.sh } -component_test_ref_configs () { - msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . - tests/scripts/test-ref-configs.pl -} - component_test_full_cmake_clang () { msg "build: cmake, full config, clang" # ~ 50s scripts/config.py full diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl deleted file mode 100755 index 2e97510774..0000000000 --- a/tests/scripts/test-ref-configs.pl +++ /dev/null 
@@ -1,136 +0,0 @@ -#!/usr/bin/env perl - -# test-ref-configs.pl -# -# Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later -# -# Purpose -# -# For each reference configuration file in the configs directory, build the -# configuration, run the test suites and compat.sh -# -# Usage: tests/scripts/test-ref-configs.pl [config-name [...]] - -use warnings; -use strict; - -my %configs = ( -); - -# If no config-name is provided, use all known configs. -# Otherwise, use the provided names only. -my @configs_to_test = sort keys %configs; -if ($#ARGV >= 0) { - foreach my $conf_name ( @ARGV ) { - if( ! exists $configs{$conf_name} ) { - die "Unknown configuration: $conf_name\n"; - } - } - @configs_to_test = @ARGV; -} - --d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n"; - -my $config_h = 'include/mbedtls/mbedtls_config.h'; - -system( "cp $config_h $config_h.bak" ) and die; -sub abort { - system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; - # use an exit code between 1 and 124 for git bisect (die returns 255) - warn $_[0]; - exit 1; -} - -# Create a seedfile for configurations that enable MBEDTLS_ENTROPY_NV_SEED. -# For test purposes, this doesn't have to be cryptographically random. 
-if (!-e "tests/seedfile" || -s "tests/seedfile" < 64) { - local *SEEDFILE; - open SEEDFILE, ">tests/seedfile" or die; - print SEEDFILE "*" x 64 or die; - close SEEDFILE or die; -} - -sub perform_test { - my $conf_file = $_[0]; - my $data = $_[1]; - my $test_with_psa = $_[2]; - - my $conf_name = $conf_file; - if ( $test_with_psa ) - { - $conf_name .= "+PSA"; - } - - system( "cp $config_h.bak $config_h" ) and die; - system( "make clean" ) and die; - - print "\n******************************************\n"; - print "* Testing configuration: $conf_name\n"; - print "******************************************\n"; - - $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf_name; - - system( "cp configs/$conf_file $config_h" ) - and abort "Failed to activate $conf_file\n"; - - if ( $test_with_psa ) - { - system( "scripts/config.py set MBEDTLS_PSA_CRYPTO_C" ); - system( "scripts/config.py set MBEDTLS_USE_PSA_CRYPTO" ); - } - - system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf_name\n"; - system( "make test" ) and abort "Failed test suite: $conf_name\n"; - - my $compat = $data->{'compat'}; - if( $compat ) - { - print "\nrunning compat.sh $compat ($conf_name)\n"; - system( "tests/compat.sh $compat" ) - and abort "Failed compat.sh: $conf_name\n"; - } - else - { - print "\nskipping compat.sh ($conf_name)\n"; - } - - my $opt = $data->{'opt'}; - if( $opt ) - { - if( $data->{'opt_needs_debug'} ) - { - print "\nrebuilding with debug traces for ssl-opt ($conf_name)\n"; - $conf_name .= '+DEBUG'; - $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf_name; - system( "make clean" ); - system( "scripts/config.py set MBEDTLS_DEBUG_C" ); - system( "scripts/config.py set MBEDTLS_ERROR_C" ); - system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf_name\n"; - } - - print "\nrunning ssl-opt.sh $opt ($conf_name)\n"; - system( "tests/ssl-opt.sh $opt" ) - and abort "Failed ssl-opt.sh: $conf_name\n"; - } - else - { - print "\nskipping ssl-opt.sh 
($conf_name)\n"; - } -} - -foreach my $conf ( @configs_to_test ) { - system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null"); - die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100; - my $test_with_psa = $? == 0; - - if ( $test_with_psa ) - { - perform_test( $conf, $configs{$conf}, $test_with_psa ); - } - perform_test( $conf, $configs{$conf}, 0 ); -} - -system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; -system( "make clean" ); -exit 0;