All cipher padding methods depend on CBC. To aviod switching it off
add this dependency to all of the methods and handle it as a common dependency.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
When elements of an exclusive group have dependencies in common turning them off
breaks the elements build. Support added to handle and ignore these dependencies
when only one of the elements is enabled.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
Remove the configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED and all
code guarded by it. This remove support for the RSA-PSK key exchange in TLS
1.2.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Run the function on a few different curves with shorter, just-right and
larger buffer sizes. Perform some basic sanity checks on the output (which
is random).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that it's always on, this is no longer necessary.
Also this is a step towards no longer being able to set it, because it soon
won't be a selectable configuration option anymore.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We no longer have two (only partially distinct) implementations of ECJ-PAKE
cipher suites in TLS, now that the non-MBEDTLS_USE_PSA_CRYPTO implementation
is being removed.
We may want to add this testing back in the future, but we'll have to use an
old Mbed TLS instead of a differently-built one.
https://github.com/Mbed-TLS/mbedtls/issues/9740
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The Thumb-1 tests are by far the slowest, so split the -O0 and -Os tests
into their own components.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Remove all.sh components that explicitly disable MBEDTLS_USE_PSA_CRYPTO, and
for which there is another component with MBEDTLS_USE_PSA_CRYPTO enabled
that does the same or more testing.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In order to avoid changing the CI job's definition (which fewer team
members understand, compared to shell scripts), just have a wrapper so
that all.sh does both mbedtls and tf-psa-crypto under the hood for now.
When tf-psa-crypto has its own CI running its own all.sh (with enough
components migrated to get sufficient coverage) we can remove this hack.
Rejected strategy: modify all-core.sh so that when running in mbedtls,
it also sources components-*.sh from tf-psa-crypto, remembers which
components come from Mbed TLS and which come from crypto, and magically
adjust the environment for each component it runs. Rejected because it's
hard to be confident we're adjusting everything that needs adjusting in
the environment. Having separate processes seems much safer.
The downside is we get more complexity around error handling (check for
components requested but not available, --keep-going). When using
--keep-going with failing component(s) in mbedtls and some components in
tf-psa-crypto, the output is not satisfying for humans as we don't have
a nice summary of all errors at the end like we normally would.
IMO this is acceptable since:
- this wrapper is transitional and should be removed in a few months;
- it is mainly for the benefit of the CI; humans can always invoke the
underlying commands directly.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The existing check only took care of CONFIG_H. This was both not enough
and too much:
- not enough because config.py can also modify CRYPTO_CONFIG_H and we
want to know about it just as much as CONFIG_H;
- too much because CONFIG_H does not exist in tf-psa-crypto.
Check a list of files instead of a single one, and adjust that list.
Also update an outdated comment about Makefiles
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
