Merge pull request #6479 from AndrzejKurek/depends-py-no-psa
Enable running depends.py in a configuration without MBEDTLS_USE_PSA_CRYPTO and remove perl dependency scripts
diff --git a/README.md b/README.md
index 9c9cf91..cc61da0 100644
--- a/README.md
+++ b/README.md
@@ -242,7 +242,7 @@
- `tests/ssl-opt.sh` runs integration tests for various TLS options (renegotiation, resumption, etc.) and tests interoperability of these options with other implementations.
- `tests/compat.sh` tests interoperability of every ciphersuite with other implementations.
- `tests/scripts/test-ref-configs.pl` test builds in various reduced configurations.
-- `tests/scripts/key-exchanges.pl` test builds in configurations with a single key exchange enabled
+- `tests/scripts/depends.py` test builds in configurations with a single curve, key exchange, hash, cipher, or pkalg on.
- `tests/scripts/all.sh` runs a combination of the above tests, plus some more, with various build options (such as ASan, full `mbedtls_config.h`, etc).
Porting Mbed TLS
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0759ef9..84b3e40 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5269,6 +5269,13 @@
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
default:
+#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+ !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+ (void) ssl;
+ (void) dst;
+ (void) dst_len;
+ (void) olen;
+#endif
break;
}
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -5455,8 +5462,8 @@
return( PSA_SUCCESS );
}
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
- defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+#if defined(PSA_WANT_ALG_SHA_384) || \
+ defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic( mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
@@ -5531,9 +5538,12 @@
return( 0 );
}
-#endif
+#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
#else /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_MD_C) && \
+ ( defined(MBEDTLS_SHA256_C) || \
+ defined(MBEDTLS_SHA384_C) )
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic( mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
@@ -5624,6 +5634,7 @@
return( ret );
}
+#endif /* MBEDTLS_MD_C && ( MBEDTLS_SHA256_C || MBEDTLS_SHA384_C ) */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index d82918f..5360b3c 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1750,10 +1750,10 @@
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
unsigned char **p,
@@ -1818,7 +1818,15 @@
return( 0 );
}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#else
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
{
@@ -1848,6 +1856,15 @@
return( 0 );
}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
unsigned char **p,
@@ -1883,11 +1900,10 @@
return( ret );
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index c8036b4..e8f1726 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1770,76 +1770,75 @@
! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h
}
-component_test_depends_curves () {
- msg "test/build: curves.pl (gcc)" # ~ 4 min
- tests/scripts/curves.pl
-}
-
-component_test_depends_curves_psa () {
- msg "test/build: curves.pl with MBEDTLS_USE_PSA_CRYPTO defined (gcc)"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- tests/scripts/curves.pl
-}
-
-component_test_depends_hashes () {
- msg "test/build: depends-hashes.pl (gcc)" # ~ 2 min
- tests/scripts/depends-hashes.pl
-}
-
-component_test_depends_hashes_psa () {
- msg "test/build: depends-hashes.pl with MBEDTLS_USE_PSA_CRYPTO defined (gcc)"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- tests/scripts/depends-hashes.pl
-}
-
-component_test_depends_pkalgs () {
- msg "test/build: depends-pkalgs.pl (gcc)" # ~ 2 min
- tests/scripts/depends-pkalgs.pl
-}
-
-component_test_depends_pkalgs_psa () {
- msg "test/build: depends-pkalgs.pl with MBEDTLS_USE_PSA_CRYPTO defined (gcc)"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- tests/scripts/depends-pkalgs.pl
-}
-
-component_build_key_exchanges () {
- msg "test/build: key-exchanges (gcc)" # ~ 1 min
- tests/scripts/key-exchanges.pl
-}
-
+# depends.py family of tests
component_test_depends_py_cipher_id () {
msg "test/build: depends.py cipher_id (gcc)"
- tests/scripts/depends.py cipher_id
+ tests/scripts/depends.py cipher_id --unset-use-psa
}
component_test_depends_py_cipher_chaining () {
msg "test/build: depends.py cipher_chaining (gcc)"
- tests/scripts/depends.py cipher_chaining
+ tests/scripts/depends.py cipher_chaining --unset-use-psa
}
component_test_depends_py_cipher_padding () {
msg "test/build: depends.py cipher_padding (gcc)"
- tests/scripts/depends.py cipher_padding
+ tests/scripts/depends.py cipher_padding --unset-use-psa
}
component_test_depends_py_curves () {
msg "test/build: depends.py curves (gcc)"
- tests/scripts/depends.py curves
+ tests/scripts/depends.py curves --unset-use-psa
}
component_test_depends_py_hashes () {
msg "test/build: depends.py hashes (gcc)"
- tests/scripts/depends.py hashes
+ tests/scripts/depends.py hashes --unset-use-psa
}
component_test_depends_py_kex () {
msg "test/build: depends.py kex (gcc)"
- tests/scripts/depends.py kex
+ tests/scripts/depends.py kex --unset-use-psa
}
component_test_depends_py_pkalgs () {
msg "test/build: depends.py pkalgs (gcc)"
+ tests/scripts/depends.py pkalgs --unset-use-psa
+}
+
+# PSA equivalents of the depends.py tests
+component_test_depends_py_cipher_id_psa () {
+ msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
+ tests/scripts/depends.py cipher_id
+}
+
+component_test_depends_py_cipher_chaining_psa () {
+ msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
+ tests/scripts/depends.py cipher_chaining
+}
+
+component_test_depends_py_cipher_padding_psa () {
+ msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
+ tests/scripts/depends.py cipher_padding
+}
+
+component_test_depends_py_curves_psa () {
+ msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
+ tests/scripts/depends.py curves
+}
+
+component_test_depends_py_hashes_psa () {
+ msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
+ tests/scripts/depends.py hashes
+}
+
+component_test_depends_py_kex_psa () {
+ msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
+ tests/scripts/depends.py kex
+}
+
+component_test_depends_py_pkalgs_psa () {
+ msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py pkalgs
}
diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh
index 50bcb05..1f65710 100755
--- a/tests/scripts/basic-in-docker.sh
+++ b/tests/scripts/basic-in-docker.sh
@@ -40,6 +40,6 @@
run_in_docker -e OSSL_NO_DTLS=1 tests/compat.sh
run_in_docker tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl'
run_in_docker tests/scripts/test-ref-configs.pl
- run_in_docker tests/scripts/curves.pl
- run_in_docker tests/scripts/key-exchanges.pl
+ run_in_docker tests/scripts/depends.py curves
+ run_in_docker tests/scripts/depends.py kex
done
diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl
deleted file mode 100755
index fcaca91..0000000
--- a/tests/scripts/curves.pl
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/usr/bin/env perl
-
-# curves.pl
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Purpose
-#
-# The purpose of this test script is to validate that the library works
-# when only a single curve is enabled. In particular, this validates that
-# curve-specific code is guarded by the proper preprocessor conditionals,
-# both in the library and in tests.
-#
-# Since this script only tests builds with a single curve, it can't detect
-# bugs that are only triggered when multiple curves are present. We do
-# also test in many configurations where all curves are enabled, as well
-# as a few configurations in configs/*.h with a restricted subset of curves.
-#
-# Here are some known test gaps that could be addressed by testing all
-# 2^n combinations of support for n curves, which is impractical:
-# * There could be product bugs when curves A and B are enabled but not C.
-# For example, a MAX_SIZE calculation that forgets B, where
-# size(A) < size(B) < size(C).
-# * For test cases that require three or more curves, validate that they're
-# not missing dependencies. This is extremely rare. (For test cases that
-# require curves A and B but are missing a dependency on B, this is
-# detected in the A-only build.)
-# Usage: tests/scripts/curves.pl
-#
-# This script should be executed from the root of the project directory.
-#
-# Only curves that are enabled in mbedtls_config.h will be tested.
-#
-# For best effect, run either with cmake disabled, or cmake enabled in a mode
-# that includes -Werror.
-
-use warnings;
-use strict;
-
--d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n";
-
-my $sed_cmd = 's/^#define \(MBEDTLS_ECP_DP.*_ENABLED\)/\1/p';
-my $config_h = 'include/mbedtls/mbedtls_config.h';
-my @curves = split( /\s+/, `sed -n -e '$sed_cmd' $config_h` );
-
-# Determine which curves support ECDSA by checking the dependencies of
-# ECDSA in check_config.h.
-my %curve_supports_ecdsa = ();
-{
- local $/ = "";
- local *CHECK_CONFIG;
- open(CHECK_CONFIG, '<', 'include/mbedtls/check_config.h')
- or die "open include/mbedtls/check_config.h: $!";
- while (my $stanza = <CHECK_CONFIG>) {
- if ($stanza =~ /\A#if defined\(MBEDTLS_ECDSA_C\)/) {
- for my $curve ($stanza =~ /(?<=\()MBEDTLS_ECP_DP_\w+_ENABLED(?=\))/g) {
- $curve_supports_ecdsa{$curve} = 1;
- }
- last;
- }
- }
- close(CHECK_CONFIG);
-}
-
-system( "cp $config_h $config_h.bak" ) and die;
-sub abort {
- system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
- # use an exit code between 1 and 124 for git bisect (die returns 255)
- warn $_[0];
- exit 1;
-}
-
-# Disable all the curves. We'll then re-enable them one by one.
-for my $curve (@curves) {
- system( "scripts/config.pl unset $curve" )
- and abort "Failed to disable $curve\n";
-}
-# Depends on a specific curve. Also, ignore error if it wasn't enabled.
-system( "scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED" );
-system( "scripts/config.pl unset MBEDTLS_ECJPAKE_C" );
-
-# Test with only $curve enabled, for each $curve.
-for my $curve (@curves) {
- system( "make clean" ) and die;
-
- print "\n******************************************\n";
- print "* Testing with only curve: $curve\n";
- print "******************************************\n";
- $ENV{MBEDTLS_TEST_CONFIGURATION} = "$curve";
-
- system( "scripts/config.pl set $curve" )
- and abort "Failed to enable $curve\n";
-
- my $ecdsa = $curve_supports_ecdsa{$curve} ? "set" : "unset";
- for my $dep (qw(MBEDTLS_ECDSA_C
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)) {
- system( "scripts/config.pl $ecdsa $dep" )
- and abort "Failed to $ecdsa $dep\n";
- }
-
- system( "CFLAGS='-Werror -Wall -Wextra' make" )
- and abort "Failed to build: only $curve\n";
- system( "make test" )
- and abort "Failed test suite: only $curve\n";
-
- system( "scripts/config.pl unset $curve" )
- and abort "Failed to disable $curve\n";
-}
-
-system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n";
-system( "make clean" ) and die;
-exit 0;
diff --git a/tests/scripts/depends-hashes.pl b/tests/scripts/depends-hashes.pl
deleted file mode 100755
index db18a92..0000000
--- a/tests/scripts/depends-hashes.pl
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/usr/bin/env perl
-
-# depends-hashes.pl
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Purpose
-#
-# To test the code dependencies on individual hashes in each test suite. This
-# is a verification step to ensure we don't ship test suites that do not work
-# for some build options.
-#
-# The process is:
-# for each possible hash
-# build the library and test suites with the hash disabled
-# execute the test suites
-#
-# And any test suite with the wrong dependencies will fail.
-#
-# Usage: tests/scripts/depends-hashes.pl
-#
-# This script should be executed from the root of the project directory.
-#
-# For best effect, run either with cmake disabled, or cmake enabled in a mode
-# that includes -Werror.
-
-use warnings;
-use strict;
-
--d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n";
-
-my $config_h = 'include/mbedtls/mbedtls_config.h';
-
-# as many SSL options depend on specific hashes,
-# and SSL is not in the test suites anyways,
-# disable it to avoid dependency issues
-my $ssl_sed_cmd = 's/^#define \(MBEDTLS_SSL.*\)/\1/p';
-my @ssl = split( /\s+/, `sed -n -e '$ssl_sed_cmd' $config_h` );
-
-# Each element of this array holds list of configuration options that
-# should be tested together. Certain options depend on each other and
-# separating them would generate invalid configurations.
-my @hash_configs = (
- ['unset MBEDTLS_MD5_C'],
- ['unset MBEDTLS_SHA512_C', 'unset MBEDTLS_SHA384_C '],
- ['unset MBEDTLS_SHA384_C'],
- ['unset MBEDTLS_SHA256_C', 'unset MBEDTLS_SHA224_C', 'unset MBEDTLS_LMS_C', 'unset MBEDTLS_LMS_PRIVATE'],
- ['unset MBEDTLS_SHA1_C'],
-);
-
-system( "cp $config_h $config_h.bak" ) and die;
-sub abort {
- system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
- # use an exit code between 1 and 124 for git bisect (die returns 255)
- warn $_[0];
- exit 1;
-}
-
-for my $hash_config (@hash_configs) {
- system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n";
- system( "make clean" ) and die;
-
- my $hash_config_string = join(', ', @$hash_config);
-
- print "\n******************************************\n";
- print "* Testing hash options: $hash_config_string\n";
- print "******************************************\n";
- $ENV{MBEDTLS_TEST_CONFIGURATION} = "-$hash_config_string";
-
- for my $hash (@$hash_config) {
- system( "scripts/config.py $hash" )
- and abort "Failed to $hash\n";
- }
-
- for my $opt (@ssl) {
- system( "scripts/config.py unset $opt" )
- and abort "Failed to disable $opt\n";
- }
-
- system( "CFLAGS='-Werror -Wall -Wextra' make lib" )
- and abort "Failed to build lib: $hash_config_string\n";
- system( "cd tests && make" ) and abort "Failed to build tests: $hash_config_string\n";
- system( "make test" ) and abort "Failed test suite: $hash_config_string\n";
-}
-
-system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n";
-system( "make clean" ) and die;
-exit 0;
diff --git a/tests/scripts/depends-pkalgs.pl b/tests/scripts/depends-pkalgs.pl
deleted file mode 100755
index 6eb7269..0000000
--- a/tests/scripts/depends-pkalgs.pl
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/bin/env perl
-
-# depends-pkalgs.pl
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Purpose
-#
-# To test the code dependencies on individual PK algs (those that can be used
-# from the PK layer, so currently signature and encryption but not key
-# exchange) in each test suite. This is a verification step to ensure we don't
-# ship test suites that do not work for some build options.
-#
-# The process is:
-# for each possible PK alg
-# build the library and test suites with that alg disabled
-# execute the test suites
-#
-# And any test suite with the wrong dependencies will fail.
-#
-# Usage: tests/scripts/depends-pkalgs.pl
-#
-# This script should be executed from the root of the project directory.
-#
-# For best effect, run either with cmake disabled, or cmake enabled in a mode
-# that includes -Werror.
-
-use warnings;
-use strict;
-
--d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n";
-
-my $config_h = 'include/mbedtls/mbedtls_config.h';
-
-# Some algorithms can't be disabled on their own as others depend on them, so
-# we list those reverse-dependencies here to keep check_config.h happy.
-my %algs = (
- 'MBEDTLS_ECDSA_C' => ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED'],
- 'MBEDTLS_ECP_C' => ['MBEDTLS_ECDSA_C',
- 'MBEDTLS_ECDH_C',
- 'MBEDTLS_ECJPAKE_C',
- 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'],
- 'MBEDTLS_X509_RSASSA_PSS_SUPPORT' => [],
- 'MBEDTLS_PKCS1_V21' => ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
- 'MBEDTLS_PKCS1_V15' => ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'],
- 'MBEDTLS_RSA_C' => ['MBEDTLS_X509_RSASSA_PSS_SUPPORT',
- 'MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED',
- 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'],
-);
-
-system( "cp $config_h $config_h.bak" ) and die;
-sub abort {
- system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
- # use an exit code between 1 and 124 for git bisect (die returns 255)
- warn $_[0];
- exit 1;
-}
-
-while( my ($alg, $extras) = each %algs ) {
- system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n";
- system( "make clean" ) and die;
-
- print "\n******************************************\n";
- print "* Testing without alg: $alg\n";
- print "******************************************\n";
- $ENV{MBEDTLS_TEST_CONFIGURATION} = "-$alg";
-
- system( "scripts/config.py unset $alg" )
- and abort "Failed to disable $alg\n";
- for my $opt (@$extras) {
- system( "scripts/config.py unset $opt" )
- and abort "Failed to disable $opt\n";
- }
-
- system( "CFLAGS='-Werror -Wall -Wextra' make lib" )
- and abort "Failed to build lib: $alg\n";
- system( "cd tests && make" ) and abort "Failed to build tests: $alg\n";
- system( "make test" ) and abort "Failed test suite: $alg\n";
-}
-
-system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n";
-system( "make clean" ) and die;
-exit 0;
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index f2396ee..0d6ec94 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -146,6 +146,8 @@
# Turn off options that are not relevant to the tests and slow them down.
run_config_py(options, ['full'])
run_config_py(options, ['unset', 'MBEDTLS_TEST_HOOKS'])
+ if options.unset_use_psa:
+ run_config_py(options, ['unset', 'MBEDTLS_USE_PSA_CRYPTO'])
def collect_config_symbols(options):
"""Read the list of settings from mbedtls_config.h.
@@ -536,6 +538,9 @@
parser.add_argument('--make-command', metavar='CMD',
help='Command to run instead of make (e.g. gmake)',
action='store', default='make')
+ parser.add_argument('--unset-use-psa',
+ help='Unset MBEDTLS_USE_PSA_CRYPTO before any test',
+ action='store_true', dest='unset_use_psa')
parser.add_argument('tasks', metavar='TASKS', nargs='*',
help='The domain(s) or job(s) to test (default: all).',
default=True)
diff --git a/tests/scripts/key-exchanges.pl b/tests/scripts/key-exchanges.pl
deleted file mode 100755
index 46f1b97..0000000
--- a/tests/scripts/key-exchanges.pl
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env perl
-
-# key-exchanges.pl
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Purpose
-#
-# To test the code dependencies on individual key exchanges in the SSL module.
-# is a verification step to ensure we don't ship SSL code that do not work
-# for some build options.
-#
-# The process is:
-# for each possible key exchange
-# build the library with all but that key exchange disabled
-#
-# Usage: tests/scripts/key-exchanges.pl
-#
-# This script should be executed from the root of the project directory.
-#
-# For best effect, run either with cmake disabled, or cmake enabled in a mode
-# that includes -Werror.
-
-use warnings;
-use strict;
-
--d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n";
-
-my $sed_cmd = 's/^#define \(MBEDTLS_KEY_EXCHANGE_.*_ENABLED\)/\1/p';
-my $config_h = 'include/mbedtls/mbedtls_config.h';
-my @kexes = split( /\s+/, `sed -n -e '$sed_cmd' $config_h` );
-
-system( "cp $config_h $config_h.bak" ) and die;
-sub abort {
- system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
- # use an exit code between 1 and 124 for git bisect (die returns 255)
- warn $_[0];
- exit 1;
-}
-
-for my $kex (@kexes) {
- system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n";
- system( "make clean" ) and die;
-
- print "\n******************************************\n";
- print "* Testing with key exchange: $kex\n";
- print "******************************************\n";
- $ENV{MBEDTLS_TEST_CONFIGURATION} = $kex;
-
- # full config with all key exchanges disabled except one
- system( "scripts/config.py full" ) and abort "Failed config full\n";
- for my $k (@kexes) {
- next if $k eq $kex;
- system( "scripts/config.py unset $k" )
- and abort "Failed to disable $k\n";
- }
-
- system( "make lib CFLAGS='-Os -Werror'" ) and abort "Failed to build lib: $kex\n";
-}
-
-system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n";
-system( "make clean" ) and die;
-exit 0;