# components-configuration-crypto.sh # # Copyright The Mbed TLS Contributors # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # This file contains test components that are executed by all.sh ################################################################ #### Configuration Testing - Crypto ################################################################ component_test_psa_crypto_key_id_encodes_owner () { msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" make test } component_test_psa_assume_exclusive_buffers () { msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" scripts/config.py full scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" make test } # check_renamed_symbols HEADER LIB # Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol # name in LIB. check_renamed_symbols () { ! nm "$2" | sed 's/.* //' | grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" } component_build_psa_crypto_spm () { msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM # We can only compile, not link, since our test and sample programs # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM # is active. make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib # Check that if a symbol is renamed by crypto_spe.h, the non-renamed # version is not present. echo "Checking for renamed symbols in the library" check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a } component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_GENPRIME scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" make test } component_test_no_pem_no_fs () { msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" scripts/config.py unset MBEDTLS_PEM_PARSE_C scripts/config.py unset MBEDTLS_FS_IO scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s make test msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min tests/ssl-opt.sh } component_test_rsa_no_crt () { msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_RSA_NO_CRT CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s make test msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s tests/ssl-opt.sh -f RSA msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min tests/compat.sh -t RSA msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec tests/context-info.sh } component_test_no_ctr_drbg_classic () { msg "build: Full minus CTR_DRBG, classic crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: Full minus CTR_DRBG, classic crypto - main suites" make test # In this configuration, the TLS test programs use HMAC_DRBG. # The SSL tests are slow, so run a small subset, just enough to get # confidence that the SSL code copes with HMAC_DRBG. msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } component_test_no_ctr_drbg_use_psa () { msg "build: Full minus CTR_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py set MBEDTLS_USE_PSA_CRYPTO CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" make test # In this configuration, the TLS test programs use HMAC_DRBG. # The SSL tests are slow, so run a small subset, just enough to get # confidence that the SSL code copes with HMAC_DRBG. msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } component_test_no_hmac_drbg_classic () { msg "build: Full minus HMAC_DRBG, classic crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: Full minus HMAC_DRBG, classic crypto - main suites" make test # Normally our ECDSA implementation uses deterministic ECDSA. But since # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used # instead. # Test SSL with non-deterministic ECDSA. Only test features that # might be affected by how ECDSA signature is performed. msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private: sign' # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" tests/compat.sh -m tls12 -t 'ECDSA' } component_test_no_hmac_drbg_use_psa () { msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG scripts/config.py set MBEDTLS_USE_PSA_CRYPTO CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" make test # Normally our ECDSA implementation uses deterministic ECDSA. But since # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used # instead. # Test SSL with non-deterministic ECDSA. Only test features that # might be affected by how ECDSA signature is performed. msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private: sign' # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" tests/compat.sh -m tls12 -t 'ECDSA' } component_test_psa_external_rng_no_drbg_classic () { msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_ENTROPY_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, # the SSL test programs don't have an RNG and can't work. Explicitly # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" make test msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default' } component_test_psa_external_rng_no_drbg_use_psa () { msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_ENTROPY_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" make test msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|opaque' } component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py set MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" make test msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" tests/ssl-opt.sh -f 'Default\|opaque' } component_test_psa_inject_entropy () { msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY scripts/config.py set MBEDTLS_ENTROPY_NV_SEED scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY" make test } component_full_no_pkparse_pkwrite () { msg "build: full without pkparse and pkwrite" scripts/config.py crypto_full scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o msg "test: full without pkparse and pkwrite" make test } component_test_crypto_full_md_light_only () { msg "build: crypto_full with only the light subset of MD" scripts/config.py crypto_full # Disable MD scripts/config.py unset MBEDTLS_MD_C # Disable direct dependencies of MD_C scripts/config.py unset MBEDTLS_HKDF_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS7_C # Disable indirect dependencies of MD_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" # Make sure we don't have the HMAC functions, but the hashing functions not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o msg "test: crypto_full with only the light subset of MD" make test } component_test_full_no_cipher () { msg "build: full no CIPHER" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C # The built-in implementation of the following algs/key-types depends # on CIPHER_C so we disable them. # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 # so we keep them enabled. scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C make # Ensure that CIPHER_C was not re-enabled not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o msg "test: full no CIPHER" make test } component_test_full_no_ccm () { msg "build: full no PSA_WANT_ALG_CCM" # Full config enables: # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated scripts/config.py full # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still # enabled, but not used from TLS since USE_PSA is set. # This is helpful to ensure that TLS tests below have proper dependencies. # # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause # PSA_WANT_ALG_CCM to be re-enabled. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM make msg "test: full no PSA_WANT_ALG_CCM" make test } component_test_full_no_ccm_star_no_tag () { msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated scripts/config.py full # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol. # This basically disables all unauthenticated ciphers on the PSA side, while # keeping AEADs enabled. # # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 make # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" make test } component_test_everest () { msg "build: Everest ECDH context (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s make test msg "test: metatests (clang, ASan)" tests/scripts/run-metatests.sh any asan poison msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s tests/ssl-opt.sh -f ECDH msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min # Exclude some symmetric ciphers that are redundant here to gain time. tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' } component_test_everest_curve25519_only () { msg "build: Everest ECDH context, only Curve25519" # ~ 6 min scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE # Disable all curves scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: Everest ECDH context, only Curve25519" # ~ 50s make test } component_test_psa_collect_statuses () { msg "build+test: psa_collect_statuses" # ~30s scripts/config.py full tests/scripts/psa_collect_statuses.py # Check that psa_crypto_init() succeeded at least once grep -q '^0:psa_crypto_init:' tests/statuses.log rm -f tests/statuses.log } # Check that the specified libraries exist and are empty. are_empty_libraries () { nm "$@" >/dev/null 2>/dev/null ! nm "$@" 2>/dev/null | grep -v ':$' | grep . } component_build_crypto_default () { msg "build: make, crypto only" scripts/config.py crypto make CFLAGS='-O1 -Werror' are_empty_libraries library/libmbedx509.* library/libmbedtls.* } component_build_crypto_full () { msg "build: make, crypto only, full config" scripts/config.py crypto_full make CFLAGS='-O1 -Werror' are_empty_libraries library/libmbedx509.* library/libmbedtls.* } component_test_crypto_for_psa_service () { msg "build: make, config for PSA crypto service" scripts/config.py crypto scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER # Disable things that are not needed for just cryptography, to # reach a configuration that would be typical for a PSA cryptography # service providing all implemented PSA algorithms. # System stuff scripts/config.py unset MBEDTLS_ERROR_C scripts/config.py unset MBEDTLS_TIMING_C scripts/config.py unset MBEDTLS_VERSION_FEATURES # Crypto stuff with no PSA interface scripts/config.py unset MBEDTLS_BASE64_C # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py unset MBEDTLS_PEM_PARSE_C scripts/config.py unset MBEDTLS_PEM_WRITE_C scripts/config.py unset MBEDTLS_PKCS12_C scripts/config.py unset MBEDTLS_PKCS5_C # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed # in PSA code to work with RSA keys. We don't require users to set those: # they will be reenabled in build_info.h. scripts/config.py unset MBEDTLS_PK_C scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C make CFLAGS='-O1 -Werror' all test are_empty_libraries library/libmbedx509.* library/libmbedtls.* } component_build_crypto_baremetal () { msg "build: make, crypto only, baremetal config" scripts/config.py crypto_baremetal make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" are_empty_libraries library/libmbedx509.* library/libmbedtls.* } support_build_crypto_baremetal () { support_build_baremetal "$@" } # depends.py family of tests component_test_depends_py_cipher_id () { msg "test/build: depends.py cipher_id (gcc)" tests/scripts/depends.py cipher_id --unset-use-psa } component_test_depends_py_cipher_chaining () { msg "test/build: depends.py cipher_chaining (gcc)" tests/scripts/depends.py cipher_chaining --unset-use-psa } component_test_depends_py_cipher_padding () { msg "test/build: depends.py cipher_padding (gcc)" tests/scripts/depends.py cipher_padding --unset-use-psa } component_test_depends_py_curves () { msg "test/build: depends.py curves (gcc)" tests/scripts/depends.py curves --unset-use-psa } component_test_depends_py_hashes () { msg "test/build: depends.py hashes (gcc)" tests/scripts/depends.py hashes --unset-use-psa } component_test_depends_py_pkalgs () { msg "test/build: depends.py pkalgs (gcc)" tests/scripts/depends.py pkalgs --unset-use-psa } # PSA equivalents of the depends.py tests component_test_depends_py_cipher_id_psa () { msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py cipher_id } component_test_depends_py_cipher_chaining_psa () { msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py cipher_chaining } component_test_depends_py_cipher_padding_psa () { msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py cipher_padding } component_test_depends_py_curves_psa () { msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py curves } component_test_depends_py_hashes_psa () { msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py hashes } component_test_depends_py_pkalgs_psa () { msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py pkalgs } component_test_psa_crypto_config_ffdh_2048_only () { msg "build: full config - only DH 2048" scripts/config.py full # Disable all DH groups other than 2048. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" msg "test: full config - only DH 2048" make test msg "ssl-opt: full config - only DH 2048" tests/ssl-opt.sh -f "ffdh" } component_build_no_pk_rsa_alt_support () { msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s scripts/config.py full scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT scripts/config.py set MBEDTLS_RSA_C scripts/config.py set MBEDTLS_X509_CRT_WRITE_C # Only compile - this is primarily to test for compile issues make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' } component_build_module_alt () { msg "build: MBEDTLS_XXX_ALT" # ~30s scripts/config.py full # Disable options that are incompatible with some ALT implementations: # aesni.c references mbedtls_aes_context fields directly. scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # You can only have one threading implementation: alt or pthread, not both. scripts/config.py unset MBEDTLS_THREADING_PTHREAD # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields # directly and assumes the implementation works with partial groups. scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable # MBEDTLS_XXX_YYY_ALT which are for single functions. scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' # We can only compile, not link, since we don't have any implementations # suitable for testing with the dummy alt headers. make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib } component_test_psa_crypto_config_accel_ecdsa () { msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" # Algorithms and key types to accelerate loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" # Configure # --------- # Start from default config (no USE_PSA) + TLS 1.3 helper_libtestdriver1_adjust_config "default" # Disable the module that's accelerated scripts/config.py unset MBEDTLS_ECDSA_C # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED # Build # ----- # These hashes are needed for some ECDSA signature tests. loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o # Run the tests # ------------- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" make test } component_test_psa_crypto_config_accel_ecdh () { msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" # Algorithms and key types to accelerate loc_accel_list="ALG_ECDH \ $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" # Configure # --------- # Start from default config (no USE_PSA) helper_libtestdriver1_adjust_config "default" # Disable the module that's accelerated scripts/config.py unset MBEDTLS_ECDH_C # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o # Run the tests # ------------- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" make test } component_test_psa_crypto_config_accel_ffdh () { msg "build: full with accelerated FFDH" # Algorithms and key types to accelerate loc_accel_list="ALG_FFDH \ $(helper_get_psa_key_type_list "DH") \ $(helper_get_psa_dh_group_list)" # Configure # --------- # start with full (USE_PSA and TLS 1.3) helper_libtestdriver1_adjust_config "full" # Disable the module that's accelerated scripts/config.py unset MBEDTLS_DHM_C # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o # Run the tests # ------------- msg "test: full with accelerated FFDH" make test msg "ssl-opt: full with accelerated FFDH alg" tests/ssl-opt.sh -f "ffdh" } component_test_psa_crypto_config_reference_ffdh () { msg "build: full with non-accelerated FFDH" # Start with full (USE_PSA and TLS 1.3) helper_libtestdriver1_adjust_config "full" # Disable things that are not supported scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED make msg "test suites: full with non-accelerated FFDH alg" make test msg "ssl-opt: full with non-accelerated FFDH alg" tests/ssl-opt.sh -f "ffdh" } component_test_psa_crypto_config_accel_pake () { msg "build: full with accelerated PAKE" loc_accel_list="ALG_JPAKE \ $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" # Configure # --------- helper_libtestdriver1_adjust_config "full" # Make built-in fallback not available scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o # Run the tests # ------------- msg "test: full with accelerated PAKE" make test } component_test_psa_crypto_config_accel_ecc_some_key_types () { msg "build: full with accelerated EC algs and some key types" # Algorithms and key types to accelerate # For key types, use an explicitly list to omit GENERATE (and DERIVE) loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ ALG_JPAKE \ KEY_TYPE_ECC_PUBLIC_KEY \ KEY_TYPE_ECC_KEY_PAIR_BASIC \ KEY_TYPE_ECC_KEY_PAIR_IMPORT \ KEY_TYPE_ECC_KEY_PAIR_EXPORT \ $(helper_get_psa_curve_list)" # Configure # --------- # start with config full for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" # Disable modules that are accelerated - some will be re-enabled scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C # Disable all curves - those that aren't accelerated should be re-enabled helper_disable_builtin_curves # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # this is not supported by the driver API yet scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Build # ----- # These hashes are needed for some ECDSA signature tests. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # ECP should be re-enabled but not the others not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o # Run the tests # ------------- msg "test suites: full with accelerated EC algs and some key types" make test } # Run tests with only (non-)Weierstrass accelerated # Common code used in: # - component_test_psa_crypto_config_accel_ecc_weierstrass_curves # - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves common_test_psa_crypto_config_accel_ecc_some_curves () { weierstrass=$1 if [ $weierstrass -eq 1 ]; then desc="Weierstrass" else desc="non-Weierstrass" fi msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" # Note: Curves are handled in a special way by the libtestdriver machinery, # so we only want to include them in the accel list when building the main # libraries, hence the use of a separate variable. # Note: the following loop is a modified version of # helper_get_psa_curve_list that only keeps Weierstrass families. loc_weierstrass_list="" loc_non_weierstrass_list="" for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do case $item in ECC_BRAINPOOL*|ECC_SECP*) loc_weierstrass_list="$loc_weierstrass_list $item" ;; *) loc_non_weierstrass_list="$loc_non_weierstrass_list $item" ;; esac done if [ $weierstrass -eq 1 ]; then loc_curve_list=$loc_weierstrass_list else loc_curve_list=$loc_non_weierstrass_list fi # Algorithms and key types to accelerate loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ ALG_JPAKE \ $(helper_get_psa_key_type_list "ECC") \ $loc_curve_list" # Configure # --------- # Start with config crypto_full and remove PK_C: # that's what's supported now, see docs/driver-only-builds.md. helper_libtestdriver1_adjust_config "crypto_full" scripts/config.py unset MBEDTLS_PK_C scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C # Disable modules that are accelerated - some will be re-enabled scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C # Disable all curves - those that aren't accelerated should be re-enabled helper_disable_builtin_curves # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # this is not supported by the driver API yet scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Build # ----- # These hashes are needed for some ECDSA signature tests. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # We expect ECDH to be re-enabled for the missing curves grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o # We expect ECP to be re-enabled, however the parts specific to the # families of curves that are accelerated should be ommited. # - functions with mxz in the name are specific to Montgomery curves # - ecp_muladd is specific to Weierstrass curves ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms if [ $weierstrass -eq 1 ]; then not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o grep mxz ${BUILTIN_SRC_PATH}/ecp.o else grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o not grep mxz ${BUILTIN_SRC_PATH}/ecp.o fi # We expect ECDSA and ECJPAKE to be re-enabled only when # Weierstrass curves are not accelerated if [ $weierstrass -eq 1 ]; then not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o else grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o fi # Run the tests # ------------- msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" make test } component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { common_test_psa_crypto_config_accel_ecc_some_curves 1 } component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { common_test_psa_crypto_config_accel_ecc_some_curves 0 } # Auxiliary function to build config for all EC based algorithms (EC-JPAKE, # ECDH, ECDSA) with and without drivers. # The input parameter is a boolean value which indicates: # - 0 keep built-in EC algs, # - 1 exclude built-in EC algs (driver only). # # This is used by the two following components to ensure they always use the # same config, except for the use of driver or built-in EC algorithms: # - component_test_psa_crypto_config_accel_ecc_ecp_light_only; # - component_test_psa_crypto_config_reference_ecc_ecp_light_only. # This supports comparing their test coverage with analyze_outcomes.py. config_psa_crypto_config_ecp_light_only () { driver_only="$1" # start with config full for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_ECP_C fi # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE } # Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only component_test_psa_crypto_config_accel_ecc_ecp_light_only () { msg "build: full with accelerated EC algs" # Algorithms and key types to accelerate loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ ALG_JPAKE \ $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" # Configure # --------- # Use the same config as reference, only without built-in EC algs config_psa_crypto_config_ecp_light_only 1 # Do not disable builtin curves because that support is required for: # - MBEDTLS_PK_PARSE_EC_EXTENDED # - MBEDTLS_PK_PARSE_EC_COMPRESSED # Build # ----- # These hashes are needed for some ECDSA signature tests. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o # Run the tests # ------------- msg "test suites: full with accelerated EC algs" make test msg "ssl-opt: full with accelerated EC algs" tests/ssl-opt.sh } # Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only component_test_psa_crypto_config_reference_ecc_ecp_light_only () { msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" config_psa_crypto_config_ecp_light_only 0 make msg "test suites: full with non-accelerated EC algs" make test msg "ssl-opt: full with non-accelerated EC algs" tests/ssl-opt.sh } # This helper function is used by: # - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() # - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() # to ensure that both tests use the same underlying configuration when testing # driver's coverage with analyze_outcomes.py. # # This functions accepts 1 boolean parameter as follows: # - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore # excluding their built-in implementation as well as ECP_C & ECP_LIGHT # - 0: include built-in implementation of EC algorithms. # # PK_C and RSA_C are always disabled to ensure there is no remaining dependency # on the ECP module. config_psa_crypto_no_ecp_at_all () { driver_only="$1" # start with full config for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C fi # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE } # Build and test a configuration where driver accelerates all EC algs while # all support and dependencies from ECP and ECP_LIGHT are removed on the library # side. # # Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { msg "build: full + accelerated EC algs - ECP" # Algorithms and key types to accelerate loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ ALG_JPAKE \ $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" # Configure # --------- # Set common configurations between library's and driver's builds config_psa_crypto_no_ecp_at_all 1 # Disable all the builtin curves. All the required algs are accelerated. helper_disable_builtin_curves # Build # ----- # Things we wanted supported in libtestdriver1, but not accelerated in the main library: # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o # Also ensure that ECP module was not re-enabled not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o # Run the tests # ------------- msg "test: full + accelerated EC algs - ECP" make test msg "ssl-opt: full + accelerated EC algs - ECP" tests/ssl-opt.sh } # Reference function used for driver's coverage analysis in analyze_outcomes.py # in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). # Keep in sync with its accelerated counterpart. component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { msg "build: full + non accelerated EC algs" config_psa_crypto_no_ecp_at_all 0 make msg "test: full + non accelerated EC algs" make test msg "ssl-opt: full + non accelerated EC algs" tests/ssl-opt.sh } # This is a common configuration helper used directly from: # - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum # - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum # and indirectly from: # - component_test_psa_crypto_config_accel_ecc_no_bignum # - accelerate all EC algs, disable RSA and FFDH # - component_test_psa_crypto_config_reference_ecc_no_bignum # - this is the reference component of the above # - it still disables RSA and FFDH, but it uses builtin EC algs # - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum # - accelerate all EC and FFDH algs, disable only RSA # - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum # - this is the reference component of the above # - it still disables RSA, but it uses builtin EC and FFDH algs # # This function accepts 2 parameters: # $1: a boolean value which states if we are testing an accelerated scenario # or not. # $2: a string value which states which components are tested. Allowed values # are "ECC" or "ECC_DH". config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { driver_only="$1" test_target="$2" # start with full config for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECJPAKE_C # Disable ECP module (entirely) scripts/config.py unset MBEDTLS_ECP_C # Also disable bignum scripts/config.py unset MBEDTLS_BIGNUM_C fi # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # RSA support is intentionally disabled on this test because RSA_C depends # on BIGNUM_C. scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_PKCS1_V15 scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Also disable key exchanges that depend on RSA scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED if [ "$test_target" = "ECC" ]; then # When testing ECC only, we disable FFDH support, both from builtin and # PSA sides, and also disable the key exchanges that depend on DHM. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" scripts/config.py unset MBEDTLS_DHM_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED else # When testing ECC and DH instead, we disable DHM and depending key # exchanges only in the accelerated build if [ "$driver_only" -eq 1 ]; then scripts/config.py unset MBEDTLS_DHM_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED fi fi # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE } # Common helper used by: # - component_test_psa_crypto_config_accel_ecc_no_bignum # - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum # # The goal is to build and test accelerating either: # - ECC only or # - both ECC and FFDH # # It is meant to be used in conjunction with # common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers # coverage analysis in the "analyze_outcomes.py" script. common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { test_target="$1" # This is an internal helper to simplify text message handling if [ "$test_target" = "ECC_DH" ]; then accel_text="ECC/FFDH" removed_text="ECP - DH" else accel_text="ECC" removed_text="ECP" fi msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" # By default we accelerate all EC keys/algs loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ ALG_JPAKE \ $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" # Optionally we can also add DH to the list of accelerated items if [ "$test_target" = "ECC_DH" ]; then loc_accel_list="$loc_accel_list \ ALG_FFDH \ $(helper_get_psa_key_type_list "DH") \ $(helper_get_psa_dh_group_list)" fi # Configure # --------- # Set common configurations between library's and driver's builds config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" # Disable all the builtin curves. All the required algs are accelerated. helper_disable_builtin_curves # Build # ----- # Things we wanted supported in libtestdriver1, but not accelerated in the main library: # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o # Run the tests # ------------- msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM" make test msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" tests/ssl-opt.sh } # Common helper used by: # - component_test_psa_crypto_config_reference_ecc_no_bignum # - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum # # The goal is to build and test a reference scenario (i.e. with builtin # components) compared to the ones used in # common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. # # It is meant to be used in conjunction with # common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' # coverage analysis in "analyze_outcomes.py" script. common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { test_target="$1" # This is an internal helper to simplify text message handling if [ "$test_target" = "ECC_DH" ]; then accel_text="ECC/FFDH" else accel_text="ECC" fi msg "build: full + non accelerated $accel_text algs + USE_PSA" config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" make msg "test suites: full + non accelerated EC algs + USE_PSA" make test msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" tests/ssl-opt.sh } component_test_psa_crypto_config_accel_ecc_no_bignum () { common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" } component_test_psa_crypto_config_reference_ecc_no_bignum () { common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" } component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" } component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" } # Helper for setting common configurations between: # - component_test_tfm_config_p256m_driver_accel_ec() # - component_test_tfm_config() common_tfm_config () { # Enable TF-M config cp configs/config-tfm.h "$CONFIG_H" echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" # Other config adjustment to make the tests pass. # This should probably be adopted upstream. # # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" # Config adjustment for better test coverage in our environment. # This is not needed just to build and pass tests. # # Enable filesystem I/O for the benefit of PK parse/write tests. echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" } # Keep this in sync with component_test_tfm_config() as they are both meant # to be used in analyze_outcomes.py for driver's coverage analysis. component_test_tfm_config_p256m_driver_accel_ec () { msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" common_tfm_config # Build crypto library make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS" # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o # Check that p256m was built grep -q p256_ecdsa_ library/libmbedcrypto.a # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration # files, so we want to ensure that it has not be re-enabled accidentally. not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o # Run the tests msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" make test } # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as # they are both meant to be used in analyze_outcomes.py for driver's coverage # analysis. component_test_tfm_config () { common_tfm_config # Disable P256M driver, which is on by default, so that analyze_outcomes # can compare this test with test_tfm_config_p256m_driver_accel_ec echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" msg "build: TF-M config" make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests # Check that p256m was not built not grep p256_ecdsa_ library/libmbedcrypto.a # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration # files, so we want to ensure that it has not be re-enabled accidentally. not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o msg "test: TF-M config" make test } # This is an helper used by: # - component_test_psa_ecc_key_pair_no_derive # - component_test_psa_ecc_key_pair_no_generate # The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols # enabled, but one. Input arguments are as follows: # - $1 is the key type under test, i.e. ECC/RSA/DH # - $2 is the key option to be unset (i.e. generate, derive, etc) build_and_test_psa_want_key_pair_partial () { key_type=$1 unset_option=$2 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" scripts/config.py full scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in # crypto_config.h so we just disable the one we don't want. scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" make test } component_test_psa_ecc_key_pair_no_derive () { build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" } component_test_psa_ecc_key_pair_no_generate () { build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" } config_psa_crypto_accel_rsa () { driver_only=$1 # Start from crypto_full config (no X.509, no TLS) helper_libtestdriver1_adjust_config "crypto_full" if [ "$driver_only" -eq 1 ]; then # Remove RSA support and its dependencies scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_PKCS1_V15 scripts/config.py unset MBEDTLS_PKCS1_V21 # We need PEM parsing in the test library as well to support the import # of PEM encoded RSA keys. scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C fi } component_test_psa_crypto_config_accel_rsa_crypto () { msg "build: crypto_full with accelerated RSA" loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ KEY_TYPE_RSA_PUBLIC_KEY \ KEY_TYPE_RSA_KEY_PAIR_BASIC \ KEY_TYPE_RSA_KEY_PAIR_GENERATE \ KEY_TYPE_RSA_KEY_PAIR_IMPORT \ KEY_TYPE_RSA_KEY_PAIR_EXPORT" # Configure # --------- config_psa_crypto_accel_rsa 1 # Build # ----- # These hashes are needed for unit tests. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o # Run the tests # ------------- msg "test: crypto_full with accelerated RSA" make test } component_test_psa_crypto_config_reference_rsa_crypto () { msg "build: crypto_full with non-accelerated RSA" # Configure # --------- config_psa_crypto_accel_rsa 0 # Build # ----- make # Run the tests # ------------- msg "test: crypto_full with non-accelerated RSA" make test } # This is a temporary test to verify that full RSA support is present even when # only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. component_test_new_psa_want_key_pair_symbol () { msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" # Create a temporary output file unless there is already one set if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then REMOVE_OUTCOME_ON_EXIT="no" else REMOVE_OUTCOME_ON_EXIT="yes" MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" export MBEDTLS_TEST_OUTCOME_FILE fi # Start from crypto configuration scripts/config.py crypto # Remove RSA support and its dependencies scripts/config.py unset MBEDTLS_PKCS1_V15 scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Enable PSA support scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure # that proper translations is done in crypto_legacy.h. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" make test # Parse only 1 relevant line from the outcome file, i.e. a test which is # performing RSA signature. msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then rm $MBEDTLS_TEST_OUTCOME_FILE fi } component_test_psa_crypto_config_accel_hash () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" # Configure # --------- # Start from default config (no USE_PSA) helper_libtestdriver1_adjust_config "default" # Disable the things that are being accelerated scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C scripts/config.py unset MBEDTLS_SHA1_C scripts/config.py unset MBEDTLS_SHA224_C scripts/config.py unset MBEDTLS_SHA256_C scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA3_C # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # There's a risk of something getting re-enabled via config_psa.h; # make sure it did not happen. Note: it's OK for MD_C to be enabled. not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o # Run the tests # ------------- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" make test } # Auxiliary function to build config for hashes with and without drivers config_psa_crypto_hash_use_psa () { driver_only="$1" # start with config full for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # disable the built-in implementation of hashes scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C scripts/config.py unset MBEDTLS_SHA1_C scripts/config.py unset MBEDTLS_SHA224_C scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA3_C fi } # Note that component_test_psa_crypto_config_reference_hash_use_psa # is related to this component and both components need to be kept in sync. # For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. component_test_psa_crypto_config_accel_hash_use_psa () { msg "test: full with accelerated hashes" loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" # Configure # --------- config_psa_crypto_hash_use_psa 1 # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # There's a risk of something getting re-enabled via config_psa.h; # make sure it did not happen. Note: it's OK for MD_C to be enabled. not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o # Run the tests # ------------- msg "test: full with accelerated hashes" make test # This is mostly useful so that we can later compare outcome files with # the reference config in analyze_outcomes.py, to check that the # dependency declarations in ssl-opt.sh and in TLS code are correct. msg "test: ssl-opt.sh, full with accelerated hashes" tests/ssl-opt.sh # This is to make sure all ciphersuites are exercised, but we don't need # interop testing (besides, we already got some from ssl-opt.sh). msg "test: compat.sh, full with accelerated hashes" tests/compat.sh -p mbedTLS -V YES } # This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa # without accelerated hash. The outcome from both components are used by the analyze_outcomes.py # script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). # Both components need to be kept in sync. component_test_psa_crypto_config_reference_hash_use_psa () { msg "test: full without accelerated hashes" config_psa_crypto_hash_use_psa 0 make msg "test: full without accelerated hashes" make test msg "test: ssl-opt.sh, full without accelerated hashes" tests/ssl-opt.sh } # Auxiliary function to build config for hashes with and without drivers config_psa_crypto_hmac_use_psa () { driver_only="$1" # start with config full for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" if [ "$driver_only" -eq 1 ]; then # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT # is still enabled though (for ENTROPY_C among others). scripts/config.py unset MBEDTLS_MD_C # Disable also the builtin hashes since they are supported by the driver # and MD module is able to perform PSA dispathing. scripts/config.py unset-all MBEDTLS_SHA scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C fi # Direct dependencies of MD_C. We disable them also in the reference # component to work with the same set of features. scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_PKCS5_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_HKDF_C # Dependencies of HMAC_DRBG scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA } component_test_psa_crypto_config_accel_hmac () { msg "test: full with accelerated hmac" loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" # Configure # --------- config_psa_crypto_hmac_use_psa 1 # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Ensure that built-in support for HMAC is disabled. not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o # Run the tests # ------------- msg "test: full with accelerated hmac" make test } component_test_psa_crypto_config_reference_hmac () { msg "test: full without accelerated hmac" config_psa_crypto_hmac_use_psa 0 make msg "test: full without accelerated hmac" make test } component_test_psa_crypto_config_accel_des () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" # Albeit this components aims at accelerating DES which should only support # CBC and ECB modes, we need to accelerate more than that otherwise DES_C # would automatically be re-enabled by "config_adjust_legacy_from_psa.c" loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \ KEY_TYPE_DES" # Note: we cannot accelerate all ciphers' key types otherwise we would also # have to either disable CCM/GCM or accelerate them, but that's out of scope # of this component. This limitation will be addressed by #8598. # Configure # --------- # Start from the full config helper_libtestdriver1_adjust_config "full" # Disable the things that are being accelerated scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_CMAC_C # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o # Run the tests # ------------- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" make test } component_test_psa_crypto_config_accel_aead () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" # Configure # --------- # Start from full config helper_libtestdriver1_adjust_config "full" # Disable things that are being accelerated scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o # Run the tests # ------------- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" make test } # This is a common configuration function used in: # - component_test_psa_crypto_config_accel_cipher_aead_cmac # - component_test_psa_crypto_config_reference_cipher_aead_cmac common_psa_crypto_config_accel_cipher_aead_cmac () { # Start from the full config helper_libtestdriver1_adjust_config "full" scripts/config.py unset MBEDTLS_NIST_KW_C } # The 2 following test components, i.e. # - component_test_psa_crypto_config_accel_cipher_aead_cmac # - component_test_psa_crypto_config_reference_cipher_aead_cmac # are meant to be used together in analyze_outcomes.py script in order to test # driver's coverage for ciphers and AEADs. component_test_psa_crypto_config_accel_cipher_aead_cmac () { msg "build: full config with accelerated cipher inc. AEAD and CMAC" loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \ ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" # Configure # --------- common_psa_crypto_config_accel_cipher_aead_cmac # Disable the things that are being accelerated scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_AES_C scripts/config.py unset MBEDTLS_ARIA_C scripts/config.py unset MBEDTLS_CHACHA20_C scripts/config.py unset MBEDTLS_CAMELLIA_C # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA # does not depend on it. scripts/config.py unset MBEDTLS_CIPHER_C # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o # Run the tests # ------------- msg "test: full config with accelerated cipher inc. AEAD and CMAC" make test msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" tests/ssl-opt.sh msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" tests/compat.sh -V NO -p mbedTLS } component_test_psa_crypto_config_reference_cipher_aead_cmac () { msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" common_psa_crypto_config_accel_cipher_aead_cmac make msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" make test msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" tests/ssl-opt.sh msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" tests/compat.sh -V NO -p mbedTLS } common_block_cipher_dispatch () { TEST_WITH_DRIVER="$1" # Start from the full config helper_libtestdriver1_adjust_config "full" if [ "$TEST_WITH_DRIVER" -eq 1 ]; then # Disable key types that are accelerated (there is no legacy equivalent # symbol for ECB) scripts/config.py unset MBEDTLS_AES_C scripts/config.py unset MBEDTLS_ARIA_C scripts/config.py unset MBEDTLS_CAMELLIA_C fi # Disable cipher's modes that, when not accelerated, cause # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". # Keep this also in the reference component in order to skip the same tests # that were skipped in the accelerated one. scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 # Disable direct dependency on AES_C scripts/config.py unset MBEDTLS_NIST_KW_C # Prevent the cipher module from using deprecated PSA path. The reason is # that otherwise there will be tests relying on "aes_info" (defined in # "cipher_wrap.c") whose functions are not available when AES_C is # not defined. ARIA and Camellia are not a problem in this case because # the PSA path is not tested for these key types. scripts/config.py set MBEDTLS_DEPRECATED_REMOVED } component_test_full_block_cipher_psa_dispatch () { msg "build: full + PSA dispatch in block_cipher" loc_accel_list="ALG_ECB_NO_PADDING \ KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" # Configure # --------- common_block_cipher_dispatch 1 # Build # ----- helper_libtestdriver1_make_drivers "$loc_accel_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure disabled components were not re-enabled by accident (additive # config) not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o # Run the tests # ------------- msg "test: full + PSA dispatch in block_cipher" make test } # This is the reference component of component_test_full_block_cipher_psa_dispatch component_test_full_block_cipher_legacy_dispatch () { msg "build: full + legacy dispatch in block_cipher" common_block_cipher_dispatch 0 make msg "test: full + legacy dispatch in block_cipher" make test } component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full scripts/config.py unset MBEDTLS_CHACHAPOLY_C scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full minus CHACHAPOLY" make test } component_test_aead_only_ccm () { msg "build: full minus CHACHAPOLY and GCM" scripts/config.py full scripts/config.py unset MBEDTLS_CHACHAPOLY_C scripts/config.py unset MBEDTLS_GCM_C scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full minus CHACHAPOLY and GCM" make test } component_test_ccm_aes_sha256 () { msg "build: CCM + AES + SHA256 configuration" cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H" cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" make msg "test: CCM + AES + SHA256 configuration" make test } # Test that the given .o file builds with all (valid) combinations of the given options. # # Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ... # # The validator function is the name of a function to validate the combination of options. # It may be "" if all combinations are valid. # It receives a string containing a combination of options, as passed to the compiler, # e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid. build_test_config_combos () { file=$1 shift validate_options=$1 shift options=("$@") # clear all of the options so that they can be overridden on the clang commandline for opt in "${options[@]}"; do ./scripts/config.py unset ${opt} done # enter the library directory cd library # The most common issue is unused variables/functions, so ensure -Wunused is set. warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" # Extract the command generated by the Makefile to build the target file. # This ensures that we have any include paths, macro definitions, etc # that may be applied by make. # Add -fsyntax-only as we only want a syntax check and don't need to generate a file. compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c" makefile=$(TMPDIR=. mktemp) deps="" len=${#options[@]} source_file=../${file%.o}.c targets=0 echo 'include Makefile' >${makefile} for ((i = 0; i < $((2**${len})); i++)); do # generate each of 2^n combinations of options # each bit of $i is used to determine if options[i] will be set or not target="t" clang_args="" for ((j = 0; j < ${len}; j++)); do if (((i >> j) & 1)); then opt=-D${options[$j]} clang_args="${clang_args} ${opt}" target="${target}${opt}" fi done # if combination is not known to be invalid, add it to the makefile if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then cmd="${compile_cmd} ${clang_args}" echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile} deps="${deps} ${target}" ((++targets)) fi done echo "build_test_config_combos: ${deps}" >> ${makefile} # execute all of the commands via Make (probably in parallel) make -s -f ${makefile} build_test_config_combos echo "$targets targets checked" # clean up the temporary makefile rm ${makefile} } validate_aes_config_variations () { if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \ ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then return 1 fi fi return 0 } component_build_aes_variations () { # 18s - around 90ms per clang invocation on M1 Pro # # aes.o has many #if defined(...) guards that intersect in complex ways. # Test that all the combinations build cleanly. MBEDTLS_ROOT_DIR="$PWD" msg "build: aes.o for all combinations of relevant config options" build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" cd "$MBEDTLS_ROOT_DIR" msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT" # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES, # manually set or unset those configurations to check # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_NIST_KW_C build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" } component_test_sha3_variations () { msg "sha3 loop unroll variations" # define minimal config sufficient to test SHA3 cat > include/mbedtls/mbedtls_config.h << END #define MBEDTLS_SELF_TEST #define MBEDTLS_SHA3_C END msg "all loops unrolled" make clean make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" ./tf-psa-crypto/tests/test_suite_shax msg "all loops rolled up" make clean make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" ./tf-psa-crypto/tests/test_suite_shax } support_build_aes_aesce_armcc () { support_build_armcc } # For timebeing, no aarch64 gcc available in CI and no arm64 CI node. component_build_aes_aesce_armcc () { msg "Build: AESCE test on arm64 platform without plain C." scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, # but in baremetal builds (as tested here), feature detection is # unavailable, and the user is notified via a #warning. So enabling # this feature would prevent us from building with -Werror on # armclang. Tracked in #7198. scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM msg "AESCE, build with default configuration." scripts/config.py set MBEDTLS_AESCE_C scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" msg "AESCE, build AESCE only" scripts/config.py set MBEDTLS_AESCE_C scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" } component_test_aes_only_128_bit_keys () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH make CFLAGS='-O2 -Werror -Wall -Wextra' msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" make test } component_test_no_ctr_drbg_aes_only_128_bit_keys () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=clang CFLAGS='-Werror -Wall -Wextra' msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" make test } component_test_aes_only_128_bit_keys_have_builtins () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C make CFLAGS='-O2 -Werror -Wall -Wextra' msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" make test msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" programs/test/selftest } component_test_gcm_largetable () { msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" scripts/config.py set MBEDTLS_GCM_LARGE_TABLE scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C make CFLAGS='-O2 -Werror -Wall -Wextra' msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" make test } component_test_aes_fewer_tables () { msg "build: default config with AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES make CFLAGS='-O2 -Werror -Wall -Wextra' msg "test: AES_FEWER_TABLES" make test } component_test_aes_rom_tables () { msg "build: default config with AES_ROM_TABLES enabled" scripts/config.py set MBEDTLS_AES_ROM_TABLES make CFLAGS='-O2 -Werror -Wall -Wextra' msg "test: AES_ROM_TABLES" make test } component_test_aes_fewer_tables_and_rom_tables () { msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES scripts/config.py set MBEDTLS_AES_ROM_TABLES make CFLAGS='-O2 -Werror -Wall -Wextra' msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" make test } # helper for common_block_cipher_no_decrypt() which: # - enable/disable the list of config options passed from -s/-u respectively. # - build # - test for tests_suite_xxx # - selftest # # Usage: helper_block_cipher_no_decrypt_build_test # [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]] # Options: -s set_opts the list of config options to enable # -u unset_opts the list of config options to disable # -c cflags the list of options passed to CFLAGS # -l ldflags the list of options passed to LDFLAGS helper_block_cipher_no_decrypt_build_test () { while [ $# -gt 0 ]; do case "$1" in -s) shift; local set_opts="$1";; -u) shift; local unset_opts="$1";; -c) shift; local cflags="-Werror -Wall -Wextra $1";; -l) shift; local ldflags="$1";; esac shift done set_opts="${set_opts:-}" unset_opts="${unset_opts:-}" cflags="${cflags:-}" ldflags="${ldflags:-}" [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" make clean make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o # Make sure we don't have mbedtls_internal_aes_decrypt in AES not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o # Make sure we don't have mbedtls_aesni_inverse_key in AESNI not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" make test msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" programs/test/selftest } # This is a common configuration function used in: # - component_test_block_cipher_no_decrypt_aesni_legacy() # - component_test_block_cipher_no_decrypt_aesni_use_psa() # in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, # AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics # on x86. common_block_cipher_no_decrypt () { # test AESNI intrinsics helper_block_cipher_no_decrypt_build_test \ -s "MBEDTLS_AESNI_C" \ -c "-mpclmul -msse2 -maes" # test AESNI assembly helper_block_cipher_no_decrypt_build_test \ -s "MBEDTLS_AESNI_C" \ -c "-mno-pclmul -mno-sse2 -mno-aes" # test AES C implementation helper_block_cipher_no_decrypt_build_test \ -u "MBEDTLS_AESNI_C" # test AESNI intrinsics for i386 target helper_block_cipher_no_decrypt_build_test \ -s "MBEDTLS_AESNI_C" \ -c "-m32 -mpclmul -msse2 -maes" \ -l "-m32" } # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: # usage: 0: no PSA crypto configuration # 1: use PSA crypto configuration config_block_cipher_no_decrypt () { use_psa=$1 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_NIST_KW_C if [ "$use_psa" -eq 1 ]; then # Enable support for cryptographic mechanisms through the PSA API. # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES fi } component_test_block_cipher_no_decrypt_aesni () { # This consistently causes an llvm crash on clang 3.8, so use gcc export CC=gcc config_block_cipher_no_decrypt 0 common_block_cipher_no_decrypt } component_test_block_cipher_no_decrypt_aesni_use_psa () { # This consistently causes an llvm crash on clang 3.8, so use gcc export CC=gcc config_block_cipher_no_decrypt 1 common_block_cipher_no_decrypt } support_test_block_cipher_no_decrypt_aesce_armcc () { support_build_armcc } component_test_block_cipher_no_decrypt_aesce_armcc () { scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, # but in baremetal builds (as tested here), feature detection is # unavailable, and the user is notified via a #warning. So enabling # this feature would prevent us from building with -Werror on # armclang. Tracked in #7198. scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM config_block_cipher_no_decrypt 1 # test AESCE baremetal build scripts/config.py set MBEDTLS_AESCE_C msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE" armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra" # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o # Make sure we don't have mbedtls_internal_aes_decrypt in AES not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o } component_test_ctr_drbg_aes_256_sha_256 () { msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" scripts/config.py full scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" make test } component_test_ctr_drbg_aes_128_sha_512 () { msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" scripts/config.py full scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" make test } component_test_ctr_drbg_aes_128_sha_256 () { msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" scripts/config.py full scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" make test } component_test_se_default () { msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C" scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C" make test } component_test_psa_crypto_drivers () { msg "build: full + test drivers dispatching to builtins" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" loc_cflags="${loc_cflags} -I../tests/include -O2" make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" msg "test: full + test drivers dispatching to builtins" make test } component_build_psa_config_file () { msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG cp "$CRYPTO_CONFIG_H" psa_test_config.h echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" # Make sure this feature is enabled. We'll disable it in the next phase. programs/test/query_compile_time_config MBEDTLS_CMAC_C make clean msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s # In the user config, disable one feature and its dependencies, which will # reflect on the mbedtls configuration so we can query it with # query_compile_time_config. echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h scripts/config.py unset MBEDTLS_CMAC_C make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" not programs/test/query_compile_time_config MBEDTLS_CMAC_C rm -f psa_test_config.h psa_user_config.h } component_build_psa_alt_headers () { msg "build: make with PSA alt headers" # ~20s # Generate alternative versions of the substitutable headers with the # same content except different include guards. make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h # Build the library and some programs. # Don't build the fuzzers to avoid having to go through hoops to set # a correct include path for programs/fuzz/Makefile. make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" # Check that we're getting the alternative include guards and not the # original include guards. programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H } component_test_min_mpi_window_size () { msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s make test }