1# components-configuration-crypto.sh 2# 3# Copyright The Mbed TLS Contributors 4# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 5 6# This file contains test components that are executed by all.sh 7 8################################################################ 9#### Configuration Testing - Crypto 10################################################################ 11 12component_test_psa_crypto_key_id_encodes_owner () { 13 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 14 scripts/config.py full 15 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 16 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 17 make 18 19 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" 20 make test 21} 22 23component_test_psa_assume_exclusive_buffers () { 24 msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" 25 scripts/config.py full 26 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 27 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 28 make 29 30 msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" 31 make test 32} 33 34component_test_crypto_with_static_key_slots() { 35 msg "build: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" 36 scripts/config.py crypto_full 37 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS 38 # Intentionally set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE to a value that 39 # is enough to contain: 40 # - all RSA public keys up to 4096 bits (max of PSA_VENDOR_RSA_MAX_KEY_BITS). 41 # - RSA key pairs up to 1024 bits, but not 2048 or larger. 42 # - all FFDH key pairs and public keys up to 8192 bits (max of PSA_VENDOR_FFDH_MAX_KEY_BITS). 43 # - all EC key pairs and public keys up to 521 bits (max of PSA_VENDOR_ECC_MAX_CURVE_BITS). 44 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 1212 45 # Disable the fully dynamic key store (default on) since it conflicts 46 # with the static behavior that we're testing here. 47 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 48 49 msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" 50 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test 51} 52 53# check_renamed_symbols HEADER LIB 54# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol 55# name in LIB. 56check_renamed_symbols () { 57 ! nm "$2" | sed 's/.* //' | 58 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" 59} 60 61component_build_psa_crypto_spm () { 62 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" 63 scripts/config.py full 64 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 65 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 66 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM 67 # We can only compile, not link, since our test and sample programs 68 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM 69 # is active. 70 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' lib 71 72 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed 73 # version is not present. 74 echo "Checking for renamed symbols in the library" 75 check_renamed_symbols framework/tests/include/spe/crypto_spe.h library/libmbedcrypto.a 76} 77 78# The goal of this component is to build a configuration where: 79# - test code and libtestdriver1 can make use of calloc/free and 80# - core library (including PSA core) cannot use calloc/free. 81component_test_psa_crypto_without_heap() { 82 msg "crypto without heap: build libtestdriver1" 83 # Disable PSA features that cannot be accelerated and whose builtin support 84 # requires calloc/free. 85 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 86 scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF" 87 scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_" 88 scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_" 89 # RSA key support requires ASN1 parse/write support for testing, but ASN1 90 # is disabled below. 91 scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_" 92 scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_" 93 # DES requires built-in support for key generation (parity check) so it 94 # cannot be accelerated 95 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES 96 # EC-JPAKE use calloc/free in PSA core 97 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE 98 # Enable p192[k|r]1 curves which are disabled by default in tf-psa-crypto. 99 # This is required to get the proper test coverage otherwise there are 100 # tests in 'test_suite_psa_crypto_op_fail' that would never be executed. 101 scripts/config.py set PSA_WANT_ECC_SECP_K1_192 102 scripts/config.py set PSA_WANT_ECC_SECP_R1_192 103 104 # Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H). 105 PSA_SYM_LIST=$(./scripts/config.py -c $CRYPTO_CONFIG_H get-all-enabled PSA_WANT) 106 loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g') 107 108 helper_libtestdriver1_adjust_config crypto 109 helper_libtestdriver1_make_drivers "$loc_accel_list" 110 111 msg "crypto without heap: build main library" 112 # Disable all legacy MBEDTLS_xxx symbols. 113 scripts/config.py unset-all "^MBEDTLS_" 114 # Build the PSA core using the proper config file. 115 scripts/config.py set MBEDTLS_PSA_CRYPTO_C 116 # Enable fully-static key slots in PSA core. 117 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS 118 # Prevent PSA core from creating a copy of input/output buffers. 119 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 120 # Prevent PSA core from using CTR-DRBG or HMAC-DRBG for random generation. 121 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 122 # Set calloc/free as null pointer functions. Calling them would crash 123 # the program so we can use this as a "sentinel" for being sure no module 124 # is making use of these functions in the library. 125 scripts/config.py set MBEDTLS_PLATFORM_C 126 scripts/config.py set MBEDTLS_PLATFORM_MEMORY 127 scripts/config.py set MBEDTLS_PLATFORM_STD_CALLOC NULL 128 scripts/config.py set MBEDTLS_PLATFORM_STD_FREE NULL 129 130 helper_libtestdriver1_make_main "$loc_accel_list" lib 131 132 msg "crypto without heap: build test suites and helpers" 133 # Reset calloc/free functions to normal operations so that test code can 134 # freely use them. 135 scripts/config.py unset MBEDTLS_PLATFORM_MEMORY 136 scripts/config.py unset MBEDTLS_PLATFORM_STD_CALLOC 137 scripts/config.py unset MBEDTLS_PLATFORM_STD_FREE 138 helper_libtestdriver1_make_main "$loc_accel_list" tests 139 140 msg "crypto without heap: test" 141 make test 142} 143 144component_test_no_rsa_key_pair_generation () { 145 msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" 146 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 147 make 148 149 msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" 150 make test 151} 152 153component_test_no_pem_no_fs () { 154 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" 155 scripts/config.py unset MBEDTLS_PEM_PARSE_C 156 scripts/config.py unset MBEDTLS_FS_IO 157 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem 158 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS 159 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 160 make 161 162 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s 163 make test 164 165 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min 166 tests/ssl-opt.sh 167} 168 169component_test_rsa_no_crt () { 170 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min 171 scripts/config.py set MBEDTLS_RSA_NO_CRT 172 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 173 make 174 175 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s 176 make test 177 178 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s 179 tests/ssl-opt.sh -f RSA 180 181 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min 182 tests/compat.sh -t RSA 183 184 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec 185 tests/context-info.sh 186} 187 188component_test_no_ctr_drbg_use_psa () { 189 msg "build: Full minus CTR_DRBG, PSA crypto in TLS" 190 scripts/config.py full 191 scripts/config.py unset MBEDTLS_CTR_DRBG_C 192 193 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 194 make 195 196 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" 197 make test 198 199 # In this configuration, the TLS test programs use HMAC_DRBG. 200 # The SSL tests are slow, so run a small subset, just enough to get 201 # confidence that the SSL code copes with HMAC_DRBG. 202 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 203 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' 204 205 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" 206 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL 207} 208 209component_test_no_hmac_drbg_use_psa () { 210 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" 211 scripts/config.py full 212 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 213 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 214 215 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 216 make 217 218 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" 219 make test 220 221 # Normally our ECDSA implementation uses deterministic ECDSA. But since 222 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used 223 # instead. 224 # Test SSL with non-deterministic ECDSA. Only test features that 225 # might be affected by how ECDSA signature is performed. 226 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" 227 tests/ssl-opt.sh -f 'Default\|SSL async private: sign' 228 229 # To save time, only test one protocol version, since this part of 230 # the protocol is identical in (D)TLS up to 1.2. 231 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" 232 tests/compat.sh -m tls12 -t 'ECDSA' 233} 234 235component_test_psa_external_rng_no_drbg_use_psa () { 236 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" 237 scripts/config.py full 238 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 239 scripts/config.py unset MBEDTLS_ENTROPY_C 240 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED 241 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT 242 scripts/config.py unset MBEDTLS_CTR_DRBG_C 243 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 244 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG 245 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 246 247 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" 248 make test 249 250 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" 251 tests/ssl-opt.sh -f 'Default\|opaque' 252} 253 254component_test_psa_external_rng_use_psa_crypto () { 255 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 256 scripts/config.py full 257 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 258 scripts/config.py unset MBEDTLS_CTR_DRBG_C 259 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 260 261 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 262 make test 263 264 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" 265 tests/ssl-opt.sh -f 'Default\|opaque' 266} 267 268component_full_no_pkparse_pkwrite () { 269 msg "build: full without pkparse and pkwrite" 270 271 scripts/config.py crypto_full 272 scripts/config.py unset MBEDTLS_PK_PARSE_C 273 scripts/config.py unset MBEDTLS_PK_WRITE_C 274 275 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 276 277 # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). 278 not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o 279 not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o 280 281 msg "test: full without pkparse and pkwrite" 282 make test 283} 284 285component_test_crypto_full_md_light_only () { 286 msg "build: crypto_full with only the light subset of MD" 287 scripts/config.py crypto_full 288 289 # Disable MD 290 scripts/config.py unset MBEDTLS_MD_C 291 # Disable direct dependencies of MD_C 292 scripts/config.py unset MBEDTLS_HKDF_C 293 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 294 scripts/config.py unset MBEDTLS_PKCS7_C 295 # Disable indirect dependencies of MD_C 296 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG 297 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA 298 # Disable things that would auto-enable MD_C 299 scripts/config.py unset MBEDTLS_PKCS5_C 300 301 # Note: MD-light is auto-enabled in build_info.h by modules that need it, 302 # which we haven't disabled, so no need to explicitly enable it. 303 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 304 305 # Make sure we don't have the HMAC functions, but the hashing functions 306 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o 307 grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o 308 309 msg "test: crypto_full with only the light subset of MD" 310 make test 311} 312 313component_test_full_no_cipher () { 314 msg "build: full no CIPHER" 315 316 scripts/config.py full 317 318 # The built-in implementation of the following algs/key-types depends 319 # on CIPHER_C so we disable them. 320 # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 321 # so we keep them enabled. 322 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG 323 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC 324 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING 325 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 326 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB 327 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR 328 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING 329 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB 330 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 331 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER 332 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES 333 334 # The following modules directly depends on CIPHER_C 335 scripts/config.py unset MBEDTLS_NIST_KW_C 336 337 make 338 339 # Ensure that CIPHER_C was not re-enabled 340 not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o 341 342 msg "test: full no CIPHER" 343 make test 344} 345 346component_test_full_no_ccm () { 347 msg "build: full no PSA_WANT_ALG_CCM" 348 349 # Full config enables: 350 # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA 351 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated 352 scripts/config.py full 353 354 # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still 355 # enabled, but not used from TLS since USE_PSA is set. 356 # This is helpful to ensure that TLS tests below have proper dependencies. 357 # 358 # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause 359 # PSA_WANT_ALG_CCM to be re-enabled. 360 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM 361 362 make 363 364 msg "test: full no PSA_WANT_ALG_CCM" 365 make test 366} 367 368component_test_full_no_ccm_star_no_tag () { 369 msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" 370 371 # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated 372 scripts/config.py full 373 374 # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all 375 # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol. 376 # This basically disables all unauthenticated ciphers on the PSA side, while 377 # keeping AEADs enabled. 378 # 379 # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause 380 # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. 381 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 382 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER 383 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR 384 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB 385 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB 386 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 387 # NOTE unsettting PSA_WANT_ALG_ECB_NO_PADDING without unsetting NIST_KW_C will 388 # mean PSA_WANT_ALG_ECB_NO_PADDING is re-enabled, so disabling it also. 389 scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_NIST_KW_C 390 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 391 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 392 393 make 394 395 # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled 396 not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o 397 398 msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" 399 make test 400} 401 402component_test_config_symmetric_only () { 403 msg "build: configs/config-symmetric-only.h" 404 MBEDTLS_CONFIG="configs/config-symmetric-only.h" 405 CRYPTO_CONFIG="tf-psa-crypto/configs/crypto-config-symmetric-only.h" 406 CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . 407 make 408 409 msg "test: configs/config-symmetric-only.h - unit tests" 410 make test 411} 412 413component_test_everest () { 414 msg "build: Everest ECDH context (ASan build)" # ~ 6 min 415 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 416 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . 417 make 418 419 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s 420 make test 421 422 msg "test: metatests (clang, ASan)" 423 tests/scripts/run-metatests.sh any asan poison 424 425 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s 426 tests/ssl-opt.sh -f ECDH 427 428 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min 429 # Exclude some symmetric ciphers that are redundant here to gain time. 430 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' 431} 432 433component_test_everest_curve25519_only () { 434 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min 435 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED 436 scripts/config.py unset MBEDTLS_ECDSA_C 437 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA 438 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA 439 scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH 440 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 441 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 442 scripts/config.py unset MBEDTLS_ECJPAKE_C 443 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE 444 445 # Disable all curves 446 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" 447 scripts/config.py -c $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" 448 scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255 449 450 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 451 452 msg "test: Everest ECDH context, only Curve25519" # ~ 50s 453 make test 454} 455 456component_test_psa_collect_statuses () { 457 msg "build+test: psa_collect_statuses" # ~30s 458 scripts/config.py full 459 tests/scripts/psa_collect_statuses.py 460 # Check that psa_crypto_init() succeeded at least once 461 grep -q '^0:psa_crypto_init:' tests/statuses.log 462 rm -f tests/statuses.log 463} 464 465# Check that the specified libraries exist and are empty. 466are_empty_libraries () { 467 nm "$@" >/dev/null 2>/dev/null 468 ! nm "$@" 2>/dev/null | grep -v ':$' | grep . 469} 470 471component_test_crypto_for_psa_service () { 472 msg "build: make, config for PSA crypto service" 473 scripts/config.py crypto 474 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 475 # Disable things that are not needed for just cryptography, to 476 # reach a configuration that would be typical for a PSA cryptography 477 # service providing all implemented PSA algorithms. 478 # System stuff 479 scripts/config.py unset MBEDTLS_ERROR_C 480 scripts/config.py unset MBEDTLS_TIMING_C 481 scripts/config.py unset MBEDTLS_VERSION_FEATURES 482 # Crypto stuff with no PSA interface 483 scripts/config.py unset MBEDTLS_BASE64_C 484 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent 485 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. 486 scripts/config.py unset MBEDTLS_NIST_KW_C 487 scripts/config.py unset MBEDTLS_PEM_PARSE_C 488 scripts/config.py unset MBEDTLS_PEM_WRITE_C 489 scripts/config.py unset MBEDTLS_PKCS12_C 490 scripts/config.py unset MBEDTLS_PKCS5_C 491 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed 492 # in PSA code to work with RSA keys. We don't require users to set those: 493 # they will be reenabled in build_info.h. 494 scripts/config.py unset MBEDTLS_PK_C 495 scripts/config.py unset MBEDTLS_PK_PARSE_C 496 scripts/config.py unset MBEDTLS_PK_WRITE_C 497 make CFLAGS='-O1 -Werror' all test 498 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 499} 500 501component_build_crypto_baremetal () { 502 msg "build: make, crypto only, baremetal config" 503 scripts/config.py crypto_baremetal 504 make CFLAGS="-O1 -Werror -I$PWD/framework/tests/include/baremetal-override/" 505 are_empty_libraries library/libmbedx509.* library/libmbedtls.* 506} 507 508support_build_crypto_baremetal () { 509 support_build_baremetal "$@" 510} 511 512# depends.py family of tests 513component_test_depends_py_cipher_id () { 514 msg "test/build: depends.py cipher_id (gcc)" 515 tests/scripts/depends.py cipher_id 516} 517 518component_test_depends_py_cipher_chaining () { 519 msg "test/build: depends.py cipher_chaining (gcc)" 520 tests/scripts/depends.py cipher_chaining 521} 522 523component_test_depends_py_curves () { 524 msg "test/build: depends.py curves (gcc)" 525 tests/scripts/depends.py curves 526} 527 528component_test_depends_py_hashes () { 529 msg "test/build: depends.py hashes (gcc)" 530 tests/scripts/depends.py hashes 531} 532 533component_test_depends_py_pkalgs () { 534 msg "test/build: depends.py pkalgs (gcc)" 535 tests/scripts/depends.py pkalgs 536} 537 538component_test_psa_crypto_config_ffdh_2048_only () { 539 msg "build: full config - only DH 2048" 540 541 scripts/config.py full 542 543 # Disable all DH groups other than 2048. 544 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 545 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 546 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 547 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 548 549 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" 550 551 msg "test: full config - only DH 2048" 552 make test 553 554 msg "ssl-opt: full config - only DH 2048" 555 tests/ssl-opt.sh -f "ffdh" 556} 557 558component_test_psa_crypto_config_accel_ecdsa () { 559 msg "build: accelerated ECDSA" 560 561 # Configure 562 # --------- 563 564 # Start from default config + TLS 1.3 565 helper_libtestdriver1_adjust_config "default" 566 567 # Algorithms and key types to accelerate 568 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 569 $(helper_get_psa_key_type_list "ECC") \ 570 $(helper_get_psa_curve_list)" 571 572 # Disable the module that's accelerated 573 scripts/config.py unset MBEDTLS_ECDSA_C 574 575 # Disable things that depend on it 576 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 577 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 578 579 # Build 580 # ----- 581 582 # These hashes are needed for some ECDSA signature tests. 583 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 584 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 585 586 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 587 588 helper_libtestdriver1_make_main "$loc_accel_list" 589 590 # Make sure this was not re-enabled by accident (additive config) 591 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o 592 593 # Run the tests 594 # ------------- 595 596 msg "test: accelerated ECDSA" 597 make test 598} 599 600component_test_psa_crypto_config_accel_ecdh () { 601 msg "build: accelerated ECDH" 602 603 # Configure 604 # --------- 605 606 # Start from default config (no USE_PSA) 607 helper_libtestdriver1_adjust_config "default" 608 609 # Algorithms and key types to accelerate 610 loc_accel_list="ALG_ECDH \ 611 $(helper_get_psa_key_type_list "ECC") \ 612 $(helper_get_psa_curve_list)" 613 614 # Disable the module that's accelerated 615 scripts/config.py unset MBEDTLS_ECDH_C 616 617 # Disable things that depend on it 618 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 619 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 620 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 621 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 622 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 623 624 # Build 625 # ----- 626 627 helper_libtestdriver1_make_drivers "$loc_accel_list" 628 629 helper_libtestdriver1_make_main "$loc_accel_list" 630 631 # Make sure this was not re-enabled by accident (additive config) 632 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 633 634 # Run the tests 635 # ------------- 636 637 msg "test: accelerated ECDH" 638 make test 639} 640 641component_test_psa_crypto_config_accel_ffdh () { 642 msg "build: full with accelerated FFDH" 643 644 # Configure 645 # --------- 646 647 # start with full (USE_PSA and TLS 1.3) 648 helper_libtestdriver1_adjust_config "full" 649 650 # Algorithms and key types to accelerate 651 loc_accel_list="ALG_FFDH \ 652 $(helper_get_psa_key_type_list "DH") \ 653 $(helper_get_psa_dh_group_list)" 654 655 # Build 656 # ----- 657 658 helper_libtestdriver1_make_drivers "$loc_accel_list" 659 660 helper_libtestdriver1_make_main "$loc_accel_list" 661 662 # Make sure this was not re-enabled by accident (additive config) 663 not grep mbedtls_psa_ffdh_key_agreement ${BUILTIN_SRC_PATH}/psa_crypto_ffdh.o 664 665 # Run the tests 666 # ------------- 667 668 msg "test: full with accelerated FFDH" 669 make test 670 671 msg "ssl-opt: full with accelerated FFDH alg" 672 tests/ssl-opt.sh -f "ffdh" 673} 674 675component_test_psa_crypto_config_reference_ffdh () { 676 msg "build: full with non-accelerated FFDH" 677 678 # Start with full (USE_PSA and TLS 1.3) 679 helper_libtestdriver1_adjust_config "full" 680 681 make 682 683 msg "test suites: full with non-accelerated FFDH alg" 684 make test 685 686 msg "ssl-opt: full with non-accelerated FFDH alg" 687 tests/ssl-opt.sh -f "ffdh" 688} 689 690component_test_psa_crypto_config_accel_pake () { 691 msg "build: full with accelerated PAKE" 692 693 # Configure 694 # --------- 695 696 helper_libtestdriver1_adjust_config "full" 697 698 loc_accel_list="ALG_JPAKE \ 699 $(helper_get_psa_key_type_list "ECC") \ 700 $(helper_get_psa_curve_list)" 701 702 # Make built-in fallback not available 703 scripts/config.py unset MBEDTLS_ECJPAKE_C 704 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 705 706 # Build 707 # ----- 708 709 helper_libtestdriver1_make_drivers "$loc_accel_list" 710 711 helper_libtestdriver1_make_main "$loc_accel_list" 712 713 # Make sure this was not re-enabled by accident (additive config) 714 not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o 715 716 # Run the tests 717 # ------------- 718 719 msg "test: full with accelerated PAKE" 720 make test 721} 722 723component_test_psa_crypto_config_accel_ecc_some_key_types () { 724 msg "build: full with accelerated EC algs and some key types" 725 726 # Configure 727 # --------- 728 729 # start with config full for maximum coverage (also enables USE_PSA) 730 helper_libtestdriver1_adjust_config "full" 731 732 # Algorithms and key types to accelerate 733 # For key types, use an explicitly list to omit GENERATE (and DERIVE) 734 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 735 ALG_ECDH \ 736 ALG_JPAKE \ 737 KEY_TYPE_ECC_PUBLIC_KEY \ 738 KEY_TYPE_ECC_KEY_PAIR_BASIC \ 739 KEY_TYPE_ECC_KEY_PAIR_IMPORT \ 740 KEY_TYPE_ECC_KEY_PAIR_EXPORT \ 741 $(helper_get_psa_curve_list)" 742 743 # Disable modules that are accelerated - some will be re-enabled 744 scripts/config.py unset MBEDTLS_ECDSA_C 745 scripts/config.py unset MBEDTLS_ECDH_C 746 scripts/config.py unset MBEDTLS_ECJPAKE_C 747 scripts/config.py unset MBEDTLS_ECP_C 748 749 # Disable all curves - those that aren't accelerated should be re-enabled 750 helper_disable_builtin_curves 751 752 # Restartable feature is not yet supported by PSA. Once it will in 753 # the future, the following line could be removed (see issues 754 # 6061, 6332 and following ones) 755 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 756 757 # this is not supported by the driver API yet 758 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 759 760 # Build 761 # ----- 762 763 # These hashes are needed for some ECDSA signature tests. 764 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 765 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 766 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 767 768 helper_libtestdriver1_make_main "$loc_accel_list" 769 770 # ECP should be re-enabled but not the others 771 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 772 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o 773 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o 774 grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o 775 776 # Run the tests 777 # ------------- 778 779 msg "test suites: full with accelerated EC algs and some key types" 780 make test 781} 782 783# Run tests with only (non-)Weierstrass accelerated 784# Common code used in: 785# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves 786# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves 787common_test_psa_crypto_config_accel_ecc_some_curves () { 788 weierstrass=$1 789 if [ $weierstrass -eq 1 ]; then 790 desc="Weierstrass" 791 else 792 desc="non-Weierstrass" 793 fi 794 795 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" 796 797 # Configure 798 # --------- 799 800 # Start with config crypto_full and remove PK_C: 801 # that's what's supported now, see docs/driver-only-builds.md. 802 helper_libtestdriver1_adjust_config "crypto_full" 803 scripts/config.py unset MBEDTLS_PK_C 804 scripts/config.py unset MBEDTLS_PK_PARSE_C 805 scripts/config.py unset MBEDTLS_PK_WRITE_C 806 807 # Disable modules that are accelerated - some will be re-enabled 808 scripts/config.py unset MBEDTLS_ECDSA_C 809 scripts/config.py unset MBEDTLS_ECDH_C 810 scripts/config.py unset MBEDTLS_ECJPAKE_C 811 scripts/config.py unset MBEDTLS_ECP_C 812 813 # Disable all curves - those that aren't accelerated should be re-enabled 814 helper_disable_builtin_curves 815 816 # Note: Curves are handled in a special way by the libtestdriver machinery, 817 # so we only want to include them in the accel list when building the main 818 # libraries, hence the use of a separate variable. 819 # Note: the following loop is a modified version of 820 # helper_get_psa_curve_list that only keeps Weierstrass families. 821 loc_weierstrass_list="" 822 loc_non_weierstrass_list="" 823 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do 824 case $item in 825 ECC_BRAINPOOL*|ECC_SECP*) 826 loc_weierstrass_list="$loc_weierstrass_list $item" 827 ;; 828 *) 829 loc_non_weierstrass_list="$loc_non_weierstrass_list $item" 830 ;; 831 esac 832 done 833 if [ $weierstrass -eq 1 ]; then 834 loc_curve_list=$loc_weierstrass_list 835 else 836 loc_curve_list=$loc_non_weierstrass_list 837 fi 838 839 # Algorithms and key types to accelerate 840 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 841 ALG_ECDH \ 842 ALG_JPAKE \ 843 $(helper_get_psa_key_type_list "ECC") \ 844 $loc_curve_list" 845 846 # Restartable feature is not yet supported by PSA. Once it will in 847 # the future, the following line could be removed (see issues 848 # 6061, 6332 and following ones) 849 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 850 851 # this is not supported by the driver API yet 852 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 853 854 # Build 855 # ----- 856 857 # These hashes are needed for some ECDSA signature tests. 858 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 859 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 860 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 861 862 helper_libtestdriver1_make_main "$loc_accel_list" 863 864 # We expect ECDH to be re-enabled for the missing curves 865 grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 866 # We expect ECP to be re-enabled, however the parts specific to the 867 # families of curves that are accelerated should be ommited. 868 # - functions with mxz in the name are specific to Montgomery curves 869 # - ecp_muladd is specific to Weierstrass curves 870 ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms 871 if [ $weierstrass -eq 1 ]; then 872 not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o 873 grep mxz ${BUILTIN_SRC_PATH}/ecp.o 874 else 875 grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o 876 not grep mxz ${BUILTIN_SRC_PATH}/ecp.o 877 fi 878 # We expect ECDSA and ECJPAKE to be re-enabled only when 879 # Weierstrass curves are not accelerated 880 if [ $weierstrass -eq 1 ]; then 881 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o 882 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o 883 else 884 grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o 885 grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o 886 fi 887 888 # Run the tests 889 # ------------- 890 891 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" 892 make test 893} 894 895component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { 896 common_test_psa_crypto_config_accel_ecc_some_curves 1 897} 898 899component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { 900 common_test_psa_crypto_config_accel_ecc_some_curves 0 901} 902 903# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, 904# ECDH, ECDSA) with and without drivers. 905# The input parameter is a boolean value which indicates: 906# - 0 keep built-in EC algs, 907# - 1 exclude built-in EC algs (driver only). 908# 909# This is used by the two following components to ensure they always use the 910# same config, except for the use of driver or built-in EC algorithms: 911# - component_test_psa_crypto_config_accel_ecc_ecp_light_only; 912# - component_test_psa_crypto_config_reference_ecc_ecp_light_only. 913# This supports comparing their test coverage with analyze_outcomes.py. 914config_psa_crypto_config_ecp_light_only () { 915 driver_only="$1" 916 # start with config full for maximum coverage (also enables USE_PSA) 917 helper_libtestdriver1_adjust_config "full" 918 if [ "$driver_only" -eq 1 ]; then 919 # Disable modules that are accelerated 920 scripts/config.py unset MBEDTLS_ECDSA_C 921 scripts/config.py unset MBEDTLS_ECDH_C 922 scripts/config.py unset MBEDTLS_ECJPAKE_C 923 scripts/config.py unset MBEDTLS_ECP_C 924 fi 925 926 # Restartable feature is not yet supported by PSA. Once it will in 927 # the future, the following line could be removed (see issues 928 # 6061, 6332 and following ones) 929 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 930} 931 932# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only 933component_test_psa_crypto_config_accel_ecc_ecp_light_only () { 934 msg "build: full with accelerated EC algs" 935 936 # Configure 937 # --------- 938 939 # Use the same config as reference, only without built-in EC algs 940 config_psa_crypto_config_ecp_light_only 1 941 942 # Algorithms and key types to accelerate 943 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 944 ALG_ECDH \ 945 ALG_JPAKE \ 946 $(helper_get_psa_key_type_list "ECC") \ 947 $(helper_get_psa_curve_list)" 948 949 # Do not disable builtin curves because that support is required for: 950 # - MBEDTLS_PK_PARSE_EC_EXTENDED 951 # - MBEDTLS_PK_PARSE_EC_COMPRESSED 952 953 # Build 954 # ----- 955 956 # These hashes are needed for some ECDSA signature tests. 957 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 958 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 959 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 960 961 helper_libtestdriver1_make_main "$loc_accel_list" 962 963 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 964 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o 965 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 966 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o 967 not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o 968 969 # Run the tests 970 # ------------- 971 972 msg "test suites: full with accelerated EC algs" 973 make test 974 975 msg "ssl-opt: full with accelerated EC algs" 976 tests/ssl-opt.sh 977} 978 979# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only 980component_test_psa_crypto_config_reference_ecc_ecp_light_only () { 981 msg "build: non-accelerated EC algs" 982 983 config_psa_crypto_config_ecp_light_only 0 984 985 make 986 987 msg "test suites: full with non-accelerated EC algs" 988 make test 989 990 msg "ssl-opt: full with non-accelerated EC algs" 991 tests/ssl-opt.sh 992} 993 994# This helper function is used by: 995# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() 996# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 997# to ensure that both tests use the same underlying configuration when testing 998# driver's coverage with analyze_outcomes.py. 999# 1000# This functions accepts 1 boolean parameter as follows: 1001# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore 1002# excluding their built-in implementation as well as ECP_C & ECP_LIGHT 1003# - 0: include built-in implementation of EC algorithms. 1004# 1005# PK_C and RSA_C are always disabled to ensure there is no remaining dependency 1006# on the ECP module. 1007config_psa_crypto_no_ecp_at_all () { 1008 driver_only="$1" 1009 # start with full config for maximum coverage (also enables USE_PSA) 1010 helper_libtestdriver1_adjust_config "full" 1011 1012 if [ "$driver_only" -eq 1 ]; then 1013 # Disable modules that are accelerated 1014 scripts/config.py unset MBEDTLS_ECDSA_C 1015 scripts/config.py unset MBEDTLS_ECDH_C 1016 scripts/config.py unset MBEDTLS_ECJPAKE_C 1017 # Disable ECP module (entirely) 1018 scripts/config.py unset MBEDTLS_ECP_C 1019 fi 1020 1021 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 1022 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1023 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1024 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1025 1026 # Restartable feature is not yet supported by PSA. Once it will in 1027 # the future, the following line could be removed (see issues 1028 # 6061, 6332 and following ones) 1029 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1030} 1031 1032# Build and test a configuration where driver accelerates all EC algs while 1033# all support and dependencies from ECP and ECP_LIGHT are removed on the library 1034# side. 1035# 1036# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() 1037component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { 1038 msg "build: full + accelerated EC algs - ECP" 1039 1040 # Configure 1041 # --------- 1042 1043 # Set common configurations between library's and driver's builds 1044 config_psa_crypto_no_ecp_at_all 1 1045 # Disable all the builtin curves. All the required algs are accelerated. 1046 helper_disable_builtin_curves 1047 1048 # Algorithms and key types to accelerate 1049 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1050 ALG_ECDH \ 1051 ALG_JPAKE \ 1052 $(helper_get_psa_key_type_list "ECC") \ 1053 $(helper_get_psa_curve_list)" 1054 1055 # Build 1056 # ----- 1057 1058 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 1059 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 1060 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1061 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1062 1063 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1064 1065 helper_libtestdriver1_make_main "$loc_accel_list" 1066 1067 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1068 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o 1069 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 1070 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o 1071 # Also ensure that ECP module was not re-enabled 1072 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o 1073 1074 # Run the tests 1075 # ------------- 1076 1077 msg "test: full + accelerated EC algs - ECP" 1078 make test 1079 1080 msg "ssl-opt: full + accelerated EC algs - ECP" 1081 tests/ssl-opt.sh 1082} 1083 1084# Reference function used for driver's coverage analysis in analyze_outcomes.py 1085# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). 1086# Keep in sync with its accelerated counterpart. 1087component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { 1088 msg "build: full + non accelerated EC algs" 1089 1090 config_psa_crypto_no_ecp_at_all 0 1091 1092 make 1093 1094 msg "test: full + non accelerated EC algs" 1095 make test 1096 1097 msg "ssl-opt: full + non accelerated EC algs" 1098 tests/ssl-opt.sh 1099} 1100 1101# This is a common configuration helper used directly from: 1102# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1103# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1104# and indirectly from: 1105# - component_test_psa_crypto_config_accel_ecc_no_bignum 1106# - accelerate all EC algs, disable RSA and FFDH 1107# - component_test_psa_crypto_config_reference_ecc_no_bignum 1108# - this is the reference component of the above 1109# - it still disables RSA and FFDH, but it uses builtin EC algs 1110# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1111# - accelerate all EC and FFDH algs, disable only RSA 1112# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1113# - this is the reference component of the above 1114# - it still disables RSA, but it uses builtin EC and FFDH algs 1115# 1116# This function accepts 2 parameters: 1117# $1: a boolean value which states if we are testing an accelerated scenario 1118# or not. 1119# $2: a string value which states which components are tested. Allowed values 1120# are "ECC" or "ECC_DH". 1121config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1122 driver_only="$1" 1123 test_target="$2" 1124 # start with full config for maximum coverage (also enables USE_PSA) 1125 helper_libtestdriver1_adjust_config "full" 1126 1127 if [ "$driver_only" -eq 1 ]; then 1128 # Disable modules that are accelerated 1129 scripts/config.py unset MBEDTLS_ECDSA_C 1130 scripts/config.py unset MBEDTLS_ECDH_C 1131 scripts/config.py unset MBEDTLS_ECJPAKE_C 1132 # Disable ECP module (entirely) 1133 scripts/config.py unset MBEDTLS_ECP_C 1134 # Also disable bignum 1135 scripts/config.py unset MBEDTLS_BIGNUM_C 1136 fi 1137 1138 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) 1139 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED 1140 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED 1141 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1142 1143 # RSA support is intentionally disabled on this test because RSA_C depends 1144 # on BIGNUM_C. 1145 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" 1146 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" 1147 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1148 # Also disable key exchanges that depend on RSA 1149 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1150 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1151 1152 if [ "$test_target" = "ECC" ]; then 1153 # When testing ECC only, we disable FFDH support, both from builtin and 1154 # PSA sides. 1155 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH 1156 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" 1157 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" 1158 fi 1159 1160 # Restartable feature is not yet supported by PSA. Once it will in 1161 # the future, the following line could be removed (see issues 1162 # 6061, 6332 and following ones) 1163 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE 1164} 1165 1166# Common helper used by: 1167# - component_test_psa_crypto_config_accel_ecc_no_bignum 1168# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum 1169# 1170# The goal is to build and test accelerating either: 1171# - ECC only or 1172# - both ECC and FFDH 1173# 1174# It is meant to be used in conjunction with 1175# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers 1176# coverage analysis in the "analyze_outcomes.py" script. 1177common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1178 test_target="$1" 1179 1180 # This is an internal helper to simplify text message handling 1181 if [ "$test_target" = "ECC_DH" ]; then 1182 accel_text="ECC/FFDH" 1183 removed_text="ECP - DH" 1184 else 1185 accel_text="ECC" 1186 removed_text="ECP" 1187 fi 1188 1189 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1190 1191 # Configure 1192 # --------- 1193 1194 # Set common configurations between library's and driver's builds 1195 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" 1196 # Disable all the builtin curves. All the required algs are accelerated. 1197 helper_disable_builtin_curves 1198 1199 # By default we accelerate all EC keys/algs 1200 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ 1201 ALG_ECDH \ 1202 ALG_JPAKE \ 1203 $(helper_get_psa_key_type_list "ECC") \ 1204 $(helper_get_psa_curve_list)" 1205 # Optionally we can also add DH to the list of accelerated items 1206 if [ "$test_target" = "ECC_DH" ]; then 1207 loc_accel_list="$loc_accel_list \ 1208 ALG_FFDH \ 1209 $(helper_get_psa_key_type_list "DH") \ 1210 $(helper_get_psa_dh_group_list)" 1211 fi 1212 1213 # Build 1214 # ----- 1215 1216 # Things we wanted supported in libtestdriver1, but not accelerated in the main library: 1217 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. 1218 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1219 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1220 1221 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1222 1223 helper_libtestdriver1_make_main "$loc_accel_list" 1224 1225 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1226 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o 1227 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 1228 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o 1229 # Also ensure that ECP, RSA or BIGNUM modules were not re-enabled 1230 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o 1231 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o 1232 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o 1233 1234 # Run the tests 1235 # ------------- 1236 1237 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1238 1239 make test 1240 1241 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" 1242 tests/ssl-opt.sh 1243} 1244 1245# Common helper used by: 1246# - component_test_psa_crypto_config_reference_ecc_no_bignum 1247# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum 1248# 1249# The goal is to build and test a reference scenario (i.e. with builtin 1250# components) compared to the ones used in 1251# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. 1252# 1253# It is meant to be used in conjunction with 1254# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' 1255# coverage analysis in "analyze_outcomes.py" script. 1256common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 1257 test_target="$1" 1258 1259 # This is an internal helper to simplify text message handling 1260 if [ "$test_target" = "ECC_DH" ]; then 1261 accel_text="ECC/FFDH" 1262 else 1263 accel_text="ECC" 1264 fi 1265 1266 msg "build: full + non accelerated $accel_text algs + USE_PSA" 1267 1268 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" 1269 1270 make 1271 1272 msg "test suites: full + non accelerated EC algs + USE_PSA" 1273 make test 1274 1275 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" 1276 tests/ssl-opt.sh 1277} 1278 1279component_test_psa_crypto_config_accel_ecc_no_bignum () { 1280 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" 1281} 1282 1283component_test_psa_crypto_config_reference_ecc_no_bignum () { 1284 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" 1285} 1286 1287component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { 1288 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" 1289} 1290 1291component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { 1292 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" 1293} 1294 1295component_test_tfm_config_as_is () { 1296 msg "build: configs/config-tfm.h" 1297 MBEDTLS_CONFIG="configs/config-tfm.h" 1298 CRYPTO_CONFIG="tf-psa-crypto/configs/ext/crypto_config_profile_medium.h" 1299 CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . 1300 make 1301 1302 msg "test: configs/config-tfm.h - unit tests" 1303 make test 1304} 1305 1306# Helper for setting common configurations between: 1307# - component_test_tfm_config_p256m_driver_accel_ec() 1308# - component_test_tfm_config_no_p256m() 1309common_tfm_config () { 1310 # Enable TF-M config 1311 cp configs/config-tfm.h "$CONFIG_H" 1312 cp tf-psa-crypto/configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" 1313 1314 # Config adjustment for better test coverage in our environment. 1315 # This is not needed just to build and pass tests. 1316 # 1317 # Enable filesystem I/O for the benefit of PK parse/write tests. 1318 sed -i '/PROFILE_M_PSA_CRYPTO_CONFIG_H/i #define MBEDTLS_FS_IO' "$CRYPTO_CONFIG_H" 1319} 1320 1321# Keep this in sync with component_test_tfm_config() as they are both meant 1322# to be used in analyze_outcomes.py for driver's coverage analysis. 1323component_test_tfm_config_p256m_driver_accel_ec () { 1324 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 1325 1326 common_tfm_config 1327 1328 # Build crypto library 1329 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../framework/tests/include/spe" LDFLAGS="$ASAN_CFLAGS" 1330 1331 # Make sure any built-in EC alg was not re-enabled by accident (additive config) 1332 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o 1333 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o 1334 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o 1335 # Also ensure that ECP, RSA or BIGNUM modules were not re-enabled 1336 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o 1337 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o 1338 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o 1339 # Check that p256m was built 1340 grep -q p256_ecdsa_ library/libmbedcrypto.a 1341 1342 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration 1343 # files, so we want to ensure that it has not be re-enabled accidentally. 1344 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o 1345 1346 # Run the tests 1347 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" 1348 make test 1349} 1350 1351# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as 1352# they are both meant to be used in analyze_outcomes.py for driver's coverage 1353# analysis. 1354component_test_tfm_config_no_p256m () { 1355 common_tfm_config 1356 1357 # Disable P256M driver, which is on by default, so that analyze_outcomes 1358 # can compare this test with test_tfm_config_p256m_driver_accel_ec 1359 sed -i '/PROFILE_M_PSA_CRYPTO_CONFIG_H/i #undef MBEDTLS_PSA_P256M_DRIVER_ENABLED' "$CRYPTO_CONFIG_H" 1360 1361 msg "build: TF-M config without p256m" 1362 make CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests 1363 1364 # Check that p256m was not built 1365 not grep p256_ecdsa_ library/libmbedcrypto.a 1366 1367 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration 1368 # files, so we want to ensure that it has not be re-enabled accidentally. 1369 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o 1370 1371 msg "test: TF-M config without p256m" 1372 make test 1373} 1374 1375# This is an helper used by: 1376# - component_test_psa_ecc_key_pair_no_derive 1377# - component_test_psa_ecc_key_pair_no_generate 1378# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols 1379# enabled, but one. Input arguments are as follows: 1380# - $1 is the configuration to start from 1381# - $2 is the key type under test, i.e. ECC/RSA/DH 1382# - $3 is the key option to be unset (i.e. generate, derive, etc) 1383build_and_test_psa_want_key_pair_partial () { 1384 base_config=$1 1385 key_type=$2 1386 unset_option=$3 1387 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" 1388 1389 msg "build: $base_config - ${disabled_psa_want}" 1390 scripts/config.py "$base_config" 1391 1392 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in 1393 # crypto_config.h so we just disable the one we don't want. 1394 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" 1395 1396 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 1397 1398 msg "test: $base_config - ${disabled_psa_want}" 1399 make test 1400} 1401 1402component_test_psa_ecc_key_pair_no_derive () { 1403 build_and_test_psa_want_key_pair_partial full "ECC" "DERIVE" 1404} 1405 1406component_test_psa_ecc_key_pair_no_generate () { 1407 # TLS needs ECC key generation whenever ephemeral ECDH is enabled. 1408 # We don't have proper guards for configurations with ECC key generation 1409 # disabled (https://github.com/Mbed-TLS/mbedtls/issues/9481). Until 1410 # then (if ever), just test the crypto part of the library. 1411 build_and_test_psa_want_key_pair_partial crypto_full "ECC" "GENERATE" 1412} 1413 1414config_psa_crypto_accel_rsa () { 1415 driver_only=$1 1416 1417 # Start from crypto_full config (no X.509, no TLS) 1418 helper_libtestdriver1_adjust_config "crypto_full" 1419 1420 if [ "$driver_only" -eq 1 ]; then 1421 # We need PEM parsing in the test library as well to support the import 1422 # of PEM encoded RSA keys. 1423 scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C 1424 scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C 1425 fi 1426} 1427 1428component_test_psa_crypto_config_accel_rsa_crypto () { 1429 msg "build: crypto_full with accelerated RSA" 1430 1431 loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ 1432 ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ 1433 KEY_TYPE_RSA_PUBLIC_KEY \ 1434 KEY_TYPE_RSA_KEY_PAIR_BASIC \ 1435 KEY_TYPE_RSA_KEY_PAIR_GENERATE \ 1436 KEY_TYPE_RSA_KEY_PAIR_IMPORT \ 1437 KEY_TYPE_RSA_KEY_PAIR_EXPORT" 1438 1439 # Configure 1440 # --------- 1441 1442 config_psa_crypto_accel_rsa 1 1443 1444 # Build 1445 # ----- 1446 1447 # These hashes are needed for unit tests. 1448 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1449 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" 1450 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" 1451 1452 helper_libtestdriver1_make_main "$loc_accel_list" 1453 1454 # Make sure this was not re-enabled by accident (additive config) 1455 not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o 1456 1457 # Run the tests 1458 # ------------- 1459 1460 msg "test: crypto_full with accelerated RSA" 1461 make test 1462} 1463 1464component_test_psa_crypto_config_reference_rsa_crypto () { 1465 msg "build: crypto_full with non-accelerated RSA" 1466 1467 # Configure 1468 # --------- 1469 config_psa_crypto_accel_rsa 0 1470 1471 # Build 1472 # ----- 1473 make 1474 1475 # Run the tests 1476 # ------------- 1477 msg "test: crypto_full with non-accelerated RSA" 1478 make test 1479} 1480 1481# This is a temporary test to verify that full RSA support is present even when 1482# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. 1483component_test_new_psa_want_key_pair_symbol () { 1484 msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 1485 1486 # Create a temporary output file unless there is already one set 1487 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then 1488 REMOVE_OUTCOME_ON_EXIT="no" 1489 else 1490 REMOVE_OUTCOME_ON_EXIT="yes" 1491 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" 1492 export MBEDTLS_TEST_OUTCOME_FILE 1493 fi 1494 1495 # Start from crypto configuration 1496 scripts/config.py crypto 1497 1498 # Remove RSA support and its dependencies 1499 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 1500 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1501 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT 1502 1503 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure 1504 # that proper translations is done in crypto_legacy.h. 1505 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1506 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1507 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1508 1509 make 1510 1511 msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" 1512 make test 1513 1514 # Parse only 1 relevant line from the outcome file, i.e. a test which is 1515 # performing RSA signature. 1516 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" 1517 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" 1518 1519 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then 1520 rm $MBEDTLS_TEST_OUTCOME_FILE 1521 fi 1522} 1523 1524component_test_psa_crypto_config_accel_hash () { 1525 msg "test: accelerated hash" 1526 1527 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 1528 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1529 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1530 1531 # Configure 1532 # --------- 1533 1534 # Start from default config (no USE_PSA) 1535 helper_libtestdriver1_adjust_config "default" 1536 1537 # Build 1538 # ----- 1539 1540 helper_libtestdriver1_make_drivers "$loc_accel_list" 1541 1542 helper_libtestdriver1_make_main "$loc_accel_list" 1543 1544 # There's a risk of something getting re-enabled via config_psa.h; 1545 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 1546 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o 1547 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o 1548 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o 1549 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o 1550 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o 1551 1552 # Run the tests 1553 # ------------- 1554 1555 msg "test: accelerated hash" 1556 make test 1557} 1558 1559# Auxiliary function to build config for hashes with and without drivers 1560config_psa_crypto_hash_use_psa () { 1561 driver_only="$1" 1562 # start with config full for maximum coverage (also enables USE_PSA) 1563 helper_libtestdriver1_adjust_config "full" 1564 if [ "$driver_only" -eq 1 ]; then 1565 # disable the built-in implementation of hashes 1566 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 1567 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 1568 fi 1569} 1570 1571# Note that component_test_psa_crypto_config_reference_hash_use_psa 1572# is related to this component and both components need to be kept in sync. 1573# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. 1574component_test_psa_crypto_config_accel_hash_use_psa () { 1575 msg "test: full with accelerated hashes" 1576 1577 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 1578 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1579 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1580 1581 # Configure 1582 # --------- 1583 1584 config_psa_crypto_hash_use_psa 1 1585 1586 # Build 1587 # ----- 1588 1589 helper_libtestdriver1_make_drivers "$loc_accel_list" 1590 1591 helper_libtestdriver1_make_main "$loc_accel_list" 1592 1593 # There's a risk of something getting re-enabled via config_psa.h; 1594 # make sure it did not happen. Note: it's OK for MD_C to be enabled. 1595 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o 1596 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o 1597 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o 1598 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o 1599 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o 1600 1601 # Run the tests 1602 # ------------- 1603 1604 msg "test: full with accelerated hashes" 1605 make test 1606 1607 # This is mostly useful so that we can later compare outcome files with 1608 # the reference config in analyze_outcomes.py, to check that the 1609 # dependency declarations in ssl-opt.sh and in TLS code are correct. 1610 msg "test: ssl-opt.sh, full with accelerated hashes" 1611 tests/ssl-opt.sh 1612 1613 # This is to make sure all ciphersuites are exercised, but we don't need 1614 # interop testing (besides, we already got some from ssl-opt.sh). 1615 msg "test: compat.sh, full with accelerated hashes" 1616 tests/compat.sh -p mbedTLS -V YES 1617} 1618 1619# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa 1620# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py 1621# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). 1622# Both components need to be kept in sync. 1623component_test_psa_crypto_config_reference_hash_use_psa () { 1624 msg "test: full without accelerated hashes" 1625 1626 config_psa_crypto_hash_use_psa 0 1627 1628 make 1629 1630 msg "test: full without accelerated hashes" 1631 make test 1632 1633 msg "test: ssl-opt.sh, full without accelerated hashes" 1634 tests/ssl-opt.sh 1635} 1636 1637# Auxiliary function to build config for hashes with and without drivers 1638config_psa_crypto_hmac_use_psa () { 1639 driver_only="$1" 1640 # start with config full for maximum coverage (also enables USE_PSA) 1641 helper_libtestdriver1_adjust_config "full" 1642 1643 if [ "$driver_only" -eq 1 ]; then 1644 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT 1645 # is still enabled though (for ENTROPY_C among others). 1646 scripts/config.py unset MBEDTLS_MD_C 1647 # Also disable the configuration options that tune the builtin hashes, 1648 # since those hashes are disabled. 1649 scripts/config.py unset-all MBEDTLS_SHA 1650 fi 1651 1652 # Direct dependencies of MD_C. We disable them also in the reference 1653 # component to work with the same set of features. 1654 scripts/config.py unset MBEDTLS_PKCS7_C 1655 scripts/config.py unset MBEDTLS_PKCS5_C 1656 scripts/config.py unset MBEDTLS_HMAC_DRBG_C 1657 scripts/config.py unset MBEDTLS_HKDF_C 1658 # Dependencies of HMAC_DRBG 1659 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC 1660 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA 1661} 1662 1663component_test_psa_crypto_config_accel_hmac () { 1664 msg "test: full with accelerated hmac" 1665 1666 loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ 1667 ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ 1668 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ 1669 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" 1670 1671 # Configure 1672 # --------- 1673 1674 config_psa_crypto_hmac_use_psa 1 1675 1676 # Build 1677 # ----- 1678 1679 helper_libtestdriver1_make_drivers "$loc_accel_list" 1680 1681 helper_libtestdriver1_make_main "$loc_accel_list" 1682 1683 # Ensure that built-in support for HMAC is disabled. 1684 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o 1685 1686 # Run the tests 1687 # ------------- 1688 1689 msg "test: full with accelerated hmac" 1690 make test 1691} 1692 1693component_test_psa_crypto_config_reference_hmac () { 1694 msg "test: full without accelerated hmac" 1695 1696 config_psa_crypto_hmac_use_psa 0 1697 1698 make 1699 1700 msg "test: full without accelerated hmac" 1701 make test 1702} 1703 1704component_test_psa_crypto_config_accel_aead () { 1705 msg "test: accelerated AEAD" 1706 1707 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ 1708 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 1709 1710 # Configure 1711 # --------- 1712 1713 # Start from full config 1714 helper_libtestdriver1_adjust_config "full" 1715 1716 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. 1717 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 1718 1719 # Build 1720 # ----- 1721 1722 helper_libtestdriver1_make_drivers "$loc_accel_list" 1723 1724 helper_libtestdriver1_make_main "$loc_accel_list" 1725 1726 # Make sure this was not re-enabled by accident (additive config) 1727 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o 1728 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o 1729 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o 1730 1731 # Run the tests 1732 # ------------- 1733 1734 msg "test: accelerated AEAD" 1735 make test 1736} 1737 1738# This is a common configuration function used in: 1739# - component_test_psa_crypto_config_accel_cipher_aead_cmac 1740# - component_test_psa_crypto_config_reference_cipher_aead_cmac 1741common_psa_crypto_config_accel_cipher_aead_cmac () { 1742 # Start from the full config 1743 helper_libtestdriver1_adjust_config "full" 1744 1745 scripts/config.py unset MBEDTLS_NIST_KW_C 1746} 1747 1748# The 2 following test components, i.e. 1749# - component_test_psa_crypto_config_accel_cipher_aead_cmac 1750# - component_test_psa_crypto_config_reference_cipher_aead_cmac 1751# are meant to be used together in analyze_outcomes.py script in order to test 1752# driver's coverage for ciphers and AEADs. 1753component_test_psa_crypto_config_accel_cipher_aead_cmac () { 1754 msg "build: full config with accelerated cipher inc. AEAD and CMAC" 1755 1756 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ 1757 ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \ 1758 ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ 1759 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" 1760 1761 # Configure 1762 # --------- 1763 1764 common_psa_crypto_config_accel_cipher_aead_cmac 1765 1766 # Disable DES, if it still exists. 1767 # This can be removed once we remove DES from the library. 1768 scripts/config.py unset PSA_WANT_KEY_TYPE_DES 1769 1770 # Build 1771 # ----- 1772 1773 helper_libtestdriver1_make_drivers "$loc_accel_list" 1774 1775 helper_libtestdriver1_make_main "$loc_accel_list" 1776 1777 # Make sure this was not re-enabled by accident (additive config) 1778 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o 1779 not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o 1780 not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o 1781 not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o 1782 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o 1783 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o 1784 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o 1785 not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o 1786 not grep mbedtls_poly1305 ${BUILTIN_SRC_PATH}/poly1305.o 1787 1788 # Run the tests 1789 # ------------- 1790 1791 msg "test: full config with accelerated cipher inc. AEAD and CMAC" 1792 make test 1793 1794 msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" 1795 # Exclude password-protected key tests — they require built-in CBC and AES. 1796 tests/ssl-opt.sh -e "TLS: password protected" 1797 1798 msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" 1799 tests/compat.sh -V NO -p mbedTLS 1800} 1801 1802component_test_psa_crypto_config_reference_cipher_aead_cmac () { 1803 msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" 1804 common_psa_crypto_config_accel_cipher_aead_cmac 1805 1806 # Disable DES, if it still exists. 1807 # This can be removed once we remove DES from the library. 1808 scripts/config.py unset PSA_WANT_KEY_TYPE_DES 1809 1810 make 1811 1812 msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" 1813 make test 1814 1815 msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" 1816 # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. 1817 tests/ssl-opt.sh -e "TLS: password protected" 1818 1819 msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" 1820 tests/compat.sh -V NO -p mbedTLS 1821} 1822 1823common_block_cipher_dispatch () { 1824 TEST_WITH_DRIVER="$1" 1825 1826 # Start from the full config 1827 helper_libtestdriver1_adjust_config "full" 1828 1829 # Disable cipher's modes that, when not accelerated, cause 1830 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". 1831 # Keep this also in the reference component in order to skip the same tests 1832 # that were skipped in the accelerated one. 1833 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR 1834 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB 1835 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB 1836 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 1837 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 1838 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC 1839 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG 1840 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1841 1842 # Disable direct dependency on AES_C 1843 scripts/config.py unset MBEDTLS_NIST_KW_C 1844 1845 # Prevent the cipher module from using deprecated PSA path. The reason is 1846 # that otherwise there will be tests relying on "aes_info" (defined in 1847 # "cipher_wrap.c") whose functions are not available when AES_C is 1848 # not defined. ARIA and Camellia are not a problem in this case because 1849 # the PSA path is not tested for these key types. 1850 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED 1851} 1852 1853component_test_full_block_cipher_psa_dispatch_static_keystore () { 1854 msg "build: full + PSA dispatch in block_cipher with static keystore" 1855 # Check that the static key store works well when CTR_DRBG uses a 1856 # PSA key for AES. 1857 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 1858 1859 loc_accel_list="ALG_ECB_NO_PADDING \ 1860 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 1861 1862 # Configure 1863 # --------- 1864 1865 common_block_cipher_dispatch 1 1866 1867 # Build 1868 # ----- 1869 1870 helper_libtestdriver1_make_drivers "$loc_accel_list" 1871 1872 helper_libtestdriver1_make_main "$loc_accel_list" 1873 1874 # Make sure disabled components were not re-enabled by accident (additive 1875 # config) 1876 not grep mbedtls_aes_ library/aes.o 1877 not grep mbedtls_aria_ library/aria.o 1878 not grep mbedtls_camellia_ library/camellia.o 1879 1880 # Run the tests 1881 # ------------- 1882 1883 msg "test: full + PSA dispatch in block_cipher with static keystore" 1884 make test 1885} 1886 1887component_test_full_block_cipher_psa_dispatch () { 1888 msg "build: full + PSA dispatch in block_cipher" 1889 1890 loc_accel_list="ALG_ECB_NO_PADDING \ 1891 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" 1892 1893 # Configure 1894 # --------- 1895 1896 common_block_cipher_dispatch 1 1897 1898 # Build 1899 # ----- 1900 1901 helper_libtestdriver1_make_drivers "$loc_accel_list" 1902 1903 helper_libtestdriver1_make_main "$loc_accel_list" 1904 1905 # Make sure disabled components were not re-enabled by accident (additive 1906 # config) 1907 not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o 1908 not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o 1909 not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o 1910 1911 # Run the tests 1912 # ------------- 1913 1914 msg "test: full + PSA dispatch in block_cipher" 1915 make test 1916} 1917 1918# This is the reference component of component_test_full_block_cipher_psa_dispatch 1919component_test_full_block_cipher_legacy_dispatch () { 1920 msg "build: full + legacy dispatch in block_cipher" 1921 1922 common_block_cipher_dispatch 0 1923 1924 make 1925 1926 msg "test: full + legacy dispatch in block_cipher" 1927 make test 1928} 1929 1930component_test_aead_chachapoly_disabled () { 1931 msg "build: full minus CHACHAPOLY" 1932 scripts/config.py full 1933 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 1934 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 1935 1936 msg "test: full minus CHACHAPOLY" 1937 make test 1938} 1939 1940component_test_aead_only_ccm () { 1941 msg "build: full minus CHACHAPOLY and GCM" 1942 scripts/config.py full 1943 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 1944 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM 1945 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 1946 1947 msg "test: full minus CHACHAPOLY and GCM" 1948 make test 1949} 1950 1951component_test_ccm_aes_sha256 () { 1952 msg "build: CCM + AES + SHA256 configuration" 1953 1954 # Setting a blank config disables everyhing in the library side. 1955 echo '#define MBEDTLS_CONFIG_H ' >"$CONFIG_H" 1956 cp tf-psa-crypto/configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" 1957 1958 make 1959 msg "test: CCM + AES + SHA256 configuration" 1960 make test 1961} 1962 1963# Test that the given .o file builds with all (valid) combinations of the given options. 1964# 1965# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ... 1966# 1967# The validator function is the name of a function to validate the combination of options. 1968# It may be "" if all combinations are valid. 1969# It receives a string containing a combination of options, as passed to the compiler, 1970# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid. 1971build_test_config_combos () { 1972 file=$1 1973 shift 1974 validate_options=$1 1975 shift 1976 options=("$@") 1977 1978 # clear all of the options so that they can be overridden on the clang commandline 1979 for opt in "${options[@]}"; do 1980 ./scripts/config.py unset ${opt} 1981 done 1982 1983 # enter the library directory 1984 cd library 1985 1986 # The most common issue is unused variables/functions, so ensure -Wunused is set. 1987 warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" 1988 1989 # Extract the command generated by the Makefile to build the target file. 1990 # This ensures that we have any include paths, macro definitions, etc 1991 # that may be applied by make. 1992 # Add -fsyntax-only as we only want a syntax check and don't need to generate a file. 1993 compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c" 1994 1995 makefile=$(TMPDIR=. mktemp) 1996 deps="" 1997 1998 len=${#options[@]} 1999 source_file=../${file%.o}.c 2000 2001 targets=0 2002 echo 'include Makefile' >${makefile} 2003 2004 for ((i = 0; i < $((2**${len})); i++)); do 2005 # generate each of 2^n combinations of options 2006 # each bit of $i is used to determine if options[i] will be set or not 2007 target="t" 2008 clang_args="" 2009 for ((j = 0; j < ${len}; j++)); do 2010 if (((i >> j) & 1)); then 2011 opt=-D${options[$j]} 2012 clang_args="${clang_args} ${opt}" 2013 target="${target}${opt}" 2014 fi 2015 done 2016 2017 # if combination is not known to be invalid, add it to the makefile 2018 if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then 2019 cmd="${compile_cmd} ${clang_args}" 2020 echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile} 2021 2022 deps="${deps} ${target}" 2023 ((++targets)) 2024 fi 2025 done 2026 2027 echo "build_test_config_combos: ${deps}" >> ${makefile} 2028 2029 # execute all of the commands via Make (probably in parallel) 2030 make -s -f ${makefile} build_test_config_combos 2031 echo "$targets targets checked" 2032 2033 # clean up the temporary makefile 2034 rm ${makefile} 2035} 2036 2037validate_aes_config_variations () { 2038 if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then 2039 if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \ 2040 ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then 2041 return 1 2042 fi 2043 fi 2044 return 0 2045} 2046 2047component_build_aes_variations () { 2048 # 18s - around 90ms per clang invocation on M1 Pro 2049 # 2050 # aes.o has many #if defined(...) guards that intersect in complex ways. 2051 # Test that all the combinations build cleanly. 2052 2053 MBEDTLS_ROOT_DIR="$PWD" 2054 msg "build: aes.o for all combinations of relevant config options" 2055 2056 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ 2057 "MBEDTLS_AES_ROM_TABLES" \ 2058 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ 2059 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" 2060 2061 cd "$MBEDTLS_ROOT_DIR" 2062 msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT" 2063 2064 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW, 2065 # manually set or unset those configurations to check 2066 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. 2067 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 2068 scripts/config.py unset MBEDTLS_NIST_KW_C 2069 2070 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING 2071 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 2072 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING 2073 scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES 2074 2075 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ 2076 "MBEDTLS_AES_ROM_TABLES" \ 2077 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ 2078 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" 2079} 2080 2081component_test_sha3_variations () { 2082 msg "sha3 loop unroll variations" 2083 2084 # define minimal config sufficient to test SHA3 2085 cat > include/mbedtls/mbedtls_config.h << END 2086END 2087 2088 cat > tf-psa-crypto/include/psa/crypto_config.h << END 2089 #define PSA_WANT_ALG_SHA_256 1 2090 #define PSA_WANT_ALG_SHA3_224 1 2091 #define PSA_WANT_ALG_SHA3_256 1 2092 #define PSA_WANT_ALG_SHA3_384 1 2093 #define PSA_WANT_ALG_SHA3_512 1 2094 #define PSA_WANT_KEY_TYPE_AES 1 2095 #define MBEDTLS_CTR_DRBG_C 2096 #define MBEDTLS_ENTROPY_C 2097 #define MBEDTLS_PSA_CRYPTO_C 2098 #define MBEDTLS_SELF_TEST 2099END 2100 2101 msg "all loops unrolled" 2102 make clean 2103 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" 2104 ./tf-psa-crypto/tests/test_suite_shax 2105 2106 msg "all loops rolled up" 2107 make clean 2108 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" 2109 ./tf-psa-crypto/tests/test_suite_shax 2110} 2111 2112support_build_aes_aesce_armcc () { 2113 support_build_armcc 2114} 2115 2116# For timebeing, no aarch64 gcc available in CI and no arm64 CI node. 2117component_build_aes_aesce_armcc () { 2118 msg "Build: AESCE test on arm64 platform without plain C." 2119 scripts/config.py baremetal 2120 2121 # armc[56] don't support SHA-512 intrinsics 2122 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2123 2124 # Stop armclang warning about feature detection for A64_CRYPTO. 2125 # With this enabled, the library does build correctly under armclang, 2126 # but in baremetal builds (as tested here), feature detection is 2127 # unavailable, and the user is notified via a #warning. So enabling 2128 # this feature would prevent us from building with -Werror on 2129 # armclang. Tracked in #7198. 2130 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 2131 scripts/config.py set MBEDTLS_HAVE_ASM 2132 2133 msg "AESCE, build with default configuration." 2134 scripts/config.py set MBEDTLS_AESCE_C 2135 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY 2136 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 2137 2138 msg "AESCE, build AESCE only" 2139 scripts/config.py set MBEDTLS_AESCE_C 2140 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY 2141 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" 2142} 2143 2144component_test_aes_only_128_bit_keys () { 2145 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" 2146 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2147 scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 2148 2149 make CFLAGS='-O2 -Werror -Wall -Wextra' 2150 2151 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" 2152 make test 2153} 2154 2155component_test_no_ctr_drbg_aes_only_128_bit_keys () { 2156 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 2157 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2158 scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 2159 scripts/config.py unset MBEDTLS_CTR_DRBG_C 2160 2161 make CC=clang CFLAGS='-Werror -Wall -Wextra' 2162 2163 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" 2164 make test 2165} 2166 2167component_test_aes_only_128_bit_keys_have_builtins () { 2168 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2169 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 2170 scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 2171 scripts/config.py unset MBEDTLS_AESNI_C 2172 scripts/config.py unset MBEDTLS_AESCE_C 2173 2174 make CFLAGS='-O2 -Werror -Wall -Wextra' 2175 2176 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2177 make test 2178 2179 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" 2180 programs/test/selftest 2181} 2182 2183component_test_gcm_largetable () { 2184 msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" 2185 scripts/config.py set MBEDTLS_GCM_LARGE_TABLE 2186 scripts/config.py unset MBEDTLS_AESNI_C 2187 scripts/config.py unset MBEDTLS_AESCE_C 2188 2189 make CFLAGS='-O2 -Werror -Wall -Wextra' 2190 2191 msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" 2192 make test 2193} 2194 2195component_test_aes_fewer_tables () { 2196 msg "build: default config with AES_FEWER_TABLES enabled" 2197 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 2198 make CFLAGS='-O2 -Werror -Wall -Wextra' 2199 2200 msg "test: AES_FEWER_TABLES" 2201 make test 2202} 2203 2204component_test_aes_rom_tables () { 2205 msg "build: default config with AES_ROM_TABLES enabled" 2206 scripts/config.py set MBEDTLS_AES_ROM_TABLES 2207 make CFLAGS='-O2 -Werror -Wall -Wextra' 2208 2209 msg "test: AES_ROM_TABLES" 2210 make test 2211} 2212 2213component_test_aes_fewer_tables_and_rom_tables () { 2214 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" 2215 scripts/config.py set MBEDTLS_AES_FEWER_TABLES 2216 scripts/config.py set MBEDTLS_AES_ROM_TABLES 2217 make CFLAGS='-O2 -Werror -Wall -Wextra' 2218 2219 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" 2220 make test 2221} 2222 2223# helper for component_test_block_cipher_no_decrypt_aesni() which: 2224# - enable/disable the list of config options passed from -s/-u respectively. 2225# - build 2226# - test for tests_suite_xxx 2227# - selftest 2228# 2229# Usage: helper_block_cipher_no_decrypt_build_test 2230# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]] 2231# Options: -s set_opts the list of config options to enable 2232# -u unset_opts the list of config options to disable 2233# -c cflags the list of options passed to CFLAGS 2234# -l ldflags the list of options passed to LDFLAGS 2235helper_block_cipher_no_decrypt_build_test () { 2236 while [ $# -gt 0 ]; do 2237 case "$1" in 2238 -s) 2239 shift; local set_opts="$1";; 2240 -u) 2241 shift; local unset_opts="$1";; 2242 -c) 2243 shift; local cflags="-Werror -Wall -Wextra $1";; 2244 -l) 2245 shift; local ldflags="$1";; 2246 esac 2247 shift 2248 done 2249 set_opts="${set_opts:-}" 2250 unset_opts="${unset_opts:-}" 2251 cflags="${cflags:-}" 2252 ldflags="${ldflags:-}" 2253 2254 [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts 2255 [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts 2256 2257 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 2258 make clean 2259 make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" 2260 2261 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA 2262 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o 2263 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o 2264 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o 2265 # Make sure we don't have mbedtls_internal_aes_decrypt in AES 2266 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o 2267 # Make sure we don't have mbedtls_aesni_inverse_key in AESNI 2268 not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o 2269 2270 msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 2271 make test 2272 2273 msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" 2274 programs/test/selftest 2275} 2276 2277# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: 2278config_block_cipher_no_decrypt () { 2279 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 2280 scripts/config.py unset MBEDTLS_NIST_KW_C 2281 2282 # Enable support for cryptographic mechanisms through the PSA API. 2283 # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. 2284 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING 2285 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 2286 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING 2287 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES 2288} 2289 2290component_test_block_cipher_no_decrypt_aesni () { 2291 # Test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, AESNI assembly and 2292 # AES C implementation on x86_64 and with AESNI intrinsics on x86. 2293 2294 # This consistently causes an llvm crash on clang 3.8, so use gcc 2295 export CC=gcc 2296 config_block_cipher_no_decrypt 2297 2298 # test AESNI intrinsics 2299 helper_block_cipher_no_decrypt_build_test \ 2300 -s "MBEDTLS_AESNI_C" \ 2301 -c "-mpclmul -msse2 -maes" 2302 2303 # test AESNI assembly 2304 helper_block_cipher_no_decrypt_build_test \ 2305 -s "MBEDTLS_AESNI_C" \ 2306 -c "-mno-pclmul -mno-sse2 -mno-aes" 2307 2308 # test AES C implementation 2309 helper_block_cipher_no_decrypt_build_test \ 2310 -u "MBEDTLS_AESNI_C" 2311 2312 # test AESNI intrinsics for i386 target 2313 helper_block_cipher_no_decrypt_build_test \ 2314 -s "MBEDTLS_AESNI_C" \ 2315 -c "-m32 -mpclmul -msse2 -maes" \ 2316 -l "-m32" 2317} 2318 2319support_test_block_cipher_no_decrypt_aesce_armcc () { 2320 support_build_armcc 2321} 2322 2323component_test_block_cipher_no_decrypt_aesce_armcc () { 2324 scripts/config.py baremetal 2325 2326 # armc[56] don't support SHA-512 intrinsics 2327 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 2328 2329 # Stop armclang warning about feature detection for A64_CRYPTO. 2330 # With this enabled, the library does build correctly under armclang, 2331 # but in baremetal builds (as tested here), feature detection is 2332 # unavailable, and the user is notified via a #warning. So enabling 2333 # this feature would prevent us from building with -Werror on 2334 # armclang. Tracked in #7198. 2335 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 2336 scripts/config.py set MBEDTLS_HAVE_ASM 2337 2338 config_block_cipher_no_decrypt 2339 2340 # test AESCE baremetal build 2341 scripts/config.py set MBEDTLS_AESCE_C 2342 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE" 2343 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra" 2344 2345 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA 2346 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o 2347 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o 2348 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o 2349 # Make sure we don't have mbedtls_internal_aes_decrypt in AES 2350 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o 2351 # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE 2352 not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o 2353 not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o 2354} 2355 2356component_test_ctr_drbg_aes_256_sha_256 () { 2357 msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" 2358 scripts/config.py full 2359 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 2360 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 2361 scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 2362 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 2363 make 2364 2365 msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" 2366 make test 2367} 2368 2369component_test_ctr_drbg_aes_128_sha_512 () { 2370 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 2371 scripts/config.py full 2372 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 2373 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 2374 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 2375 make 2376 2377 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" 2378 make test 2379} 2380 2381component_test_ctr_drbg_aes_128_sha_256 () { 2382 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" 2383 scripts/config.py full 2384 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C 2385 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY 2386 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 2387 scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 2388 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 2389 make 2390 2391 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" 2392 make test 2393} 2394 2395component_test_full_static_keystore () { 2396 msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" 2397 scripts/config.py full 2398 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC 2399 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" 2400 2401 msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" 2402 make test 2403} 2404 2405component_test_psa_crypto_drivers () { 2406 # Test dispatch to drivers and fallbacks with 2407 # test_suite_psa_crypto_driver_wrappers test suite. The test drivers that 2408 # are wrappers around the builtin drivers are activated by 2409 # PSA_CRYPTO_DRIVER_TEST. 2410 # 2411 # For the time being, some test cases in test_suite_block_cipher and 2412 # test_suite_md.psa rely on this component to be run at least once by the 2413 # CI. This should disappear as we progress the 4.x work. See 2414 # config_adjust_test_accelerators.h for more information. 2415 msg "build: full + test drivers dispatching to builtins" 2416 scripts/config.py full 2417 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS" 2418 loc_cflags="${loc_cflags} -I../framework/tests/include" 2419 2420 make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" 2421 2422 msg "test: full + test drivers dispatching to builtins" 2423 make test 2424} 2425 2426component_build_psa_config_file () { 2427 msg "build: make with TF_PSA_CRYPTO_CONFIG_FILE" # ~40s 2428 cp "$CRYPTO_CONFIG_H" psa_test_config.h 2429 echo '#error "TF_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" 2430 make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" 2431 # Make sure this feature is enabled. We'll disable it in the next phase. 2432 programs/test/query_compile_time_config PSA_WANT_ALG_CMAC 2433 make clean 2434 2435 msg "build: make with TF_PSA_CRYPTO_CONFIG_FILE + TF_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s 2436 # In the user config, disable one feature and its dependencies, which will 2437 # reflect on the mbedtls configuration so we can query it with 2438 # query_compile_time_config. 2439 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h 2440 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h 2441 make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" 2442 not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC 2443 2444 rm -f psa_test_config.h psa_user_config.h 2445} 2446 2447component_build_psa_alt_headers () { 2448 msg "build: make with PSA alt headers" # ~20s 2449 2450 # Generate alternative versions of the substitutable headers with the 2451 # same content except different include guards. 2452 make -C tests ../framework/tests/include/alt-extra/psa/crypto_platform_alt.h ../framework/tests/include/alt-extra/psa/crypto_struct_alt.h 2453 2454 # Build the library and some programs. 2455 # Don't build the fuzzers to avoid having to go through hoops to set 2456 # a correct include path for programs/fuzz/Makefile. 2457 make CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib 2458 make -C programs -o fuzz CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" 2459 2460 # Check that we're getting the alternative include guards and not the 2461 # original include guards. 2462 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H 2463 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H 2464 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H 2465 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H 2466} 2467 2468component_test_min_mpi_window_size () { 2469 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s 2470 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 2471 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 2472 make 2473 2474 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s 2475 make test 2476} 2477 2478component_test_xts () { 2479 # Component dedicated to run XTS unit test cases while XTS is not 2480 # supported through the PSA API. 2481 msg "build: Default + MBEDTLS_CIPHER_MODE_XTS" 2482 2483 echo "#define MBEDTLS_CIPHER_MODE_XTS" > psa_user_config.h 2484 cmake -DTF_PSA_CRYPTO_USER_CONFIG_FILE="psa_user_config.h" 2485 make 2486 2487 rm -f psa_user_config.h 2488 2489 msg "test: Default + MBEDTLS_CIPHER_MODE_XTS" 2490 make test 2491} 2492