Merge pull request #10315 from bjwtaylor/include-private-pk
Add copy of header file for libtestdriver1
diff --git a/ChangeLog.d/check_config.txt b/ChangeLog.d/check_config.txt
new file mode 100644
index 0000000..f9f44a4
--- /dev/null
+++ b/ChangeLog.d/check_config.txt
@@ -0,0 +1,5 @@
+Removals
+ * The header <mbedtls/check_config.h> no longer exists. Including it
+ from a custom config file was no longer needed since Mbed TLS 3.0,
+ and could lead to spurious errors. The checks that it performed are
+ now done automatically when building the library.
diff --git a/framework b/framework
index df3307f..87dbfb2 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit df3307f2b4fe512def60886024f7be8fd1523ccd
+Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 534f016..c6e89db 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -85,6 +85,4 @@
*/
#define MBEDTLS_CONFIG_IS_FINALIZED
-#include "mbedtls/check_config.h"
-
#endif /* MBEDTLS_BUILD_INFO_H */
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 451dbfd..0875bb9 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -1,5 +1,6 @@
set(src_x509
error.c
+ mbedtls_config.c
pkcs7.c
x509.c
x509_create.c
diff --git a/library/Makefile b/library/Makefile
index a880f26..f872934 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -121,6 +121,7 @@
OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
OBJS_X509= \
+ mbedtls_config.o \
x509.o \
x509_create.o \
x509_crl.o \
diff --git a/include/mbedtls/check_config.h b/library/mbedtls_check_config.h
similarity index 100%
rename from include/mbedtls/check_config.h
rename to library/mbedtls_check_config.h
diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c
new file mode 100644
index 0000000..679f8e3
--- /dev/null
+++ b/library/mbedtls_config.c
@@ -0,0 +1,13 @@
+/*
+ * Mbed TLS configuration checks
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <mbedtls/build_info.h>
+
+/* Consistency checks in the configuration: check for incompatible options,
+ * missing options when at least one of a set needs to be enabled, etc. */
+#include "mbedtls_check_config.h"
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 372bf84..15731ca 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -963,7 +963,7 @@
MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
- if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
+ if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_type, own_key,
md_alg, verify_hash, verify_hash_len,
p + 4, (size_t) (end - (p + 4)), &signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
diff --git a/library/x509.c b/library/x509.c
index f315821..03ca1b7 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -24,6 +24,7 @@
#include "mbedtls/oid.h"
#include "x509_oid.h"
+#include <limits.h>
#include <stdio.h>
#include <string.h>
diff --git a/library/x509_create.c b/library/x509_create.c
index 17fc8fb..09ac69d 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -14,6 +14,7 @@
#include "mbedtls/oid.h"
#include "x509_oid.h"
+#include <limits.h>
#include <string.h>
#include "mbedtls/platform.h"
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 3947eb0..7b65b69 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -27,6 +27,7 @@
#include "x509_oid.h"
#include "mbedtls/platform_util.h"
+#include <limits.h>
#include <string.h>
#if defined(MBEDTLS_PEM_PARSE_C)
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index 6e9ebf9..c80a3f5 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -16,6 +16,7 @@
#include "mbedtls/build_info.h"
+#include <limits.h>
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh
index 85731a1..c7d8161 100644
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -123,4 +123,7 @@
msg "unit test: translate_ciphers.py"
python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
+
+ msg "unit test: generate_config_checks.py"
+ tests/scripts/test_config_checks.py 2>&1
}
diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py
new file mode 100755
index 0000000..5401449
--- /dev/null
+++ b/tests/scripts/test_config_checks.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+"""Test the configuration checks generated by generate_config_checks.py.
+"""
+
+## Copyright The Mbed TLS Contributors
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import unittest
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_framework import unittest_config_checks
+
+
+class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
+ """Mbed TLS unit tests for checks generated by config_checks_generator."""
+
+ #pylint: disable=invalid-name # uppercase letters make sense here
+
+ PROJECT_CONFIG_C = 'library/mbedtls_config.c'
+ PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [
+ 'tf-psa-crypto/include',
+ 'tf-psa-crypto/drivers/builtin/include',
+ ]
+
+ @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.")
+ def test_crypto_no_fs_io(self) -> None:
+ """A sample error expected from crypto's check_config.h."""
+ self.bad_case('#undef MBEDTLS_FS_IO',
+ None,
+ error=('MBEDTLS_PSA_ITS_FILE_C'))
+
+ def test_mbedtls_no_session_tickets_for_early_data(self) -> None:
+ """An error expected from mbedtls_check_config.h based on the TLS configuration."""
+ self.bad_case(None,
+ '''
+ #define MBEDTLS_SSL_EARLY_DATA
+ #undef MBEDTLS_SSL_SESSION_TICKETS
+ ''',
+ error=('MBEDTLS_SSL_EARLY_DATA'))
+
+ def test_mbedtls_no_ecdsa(self) -> None:
+ """An error expected from mbedtls_check_config.h based on crypto+TLS configuration."""
+ self.bad_case('''
+ #undef PSA_WANT_ALG_ECDSA
+ #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ #undef MBEDTLS_ECDSA_C
+ ''',
+ '''
+ #if defined(PSA_WANT_ALG_ECDSA)
+ #error PSA_WANT_ALG_ECDSA unexpected
+ #endif
+ #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)
+ #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected
+ #endif
+ #if defined(MBEDTLS_ECDSA_C)
+ #error MBEDTLS_ECDSA_C unexpected
+ #endif
+ ''',
+ error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index faa79ff..1eca6e4 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -11,6 +11,8 @@
#include <test/ssl_helpers.h>
#include "mbedtls/psa_util.h"
+#include <limits.h>
+
#if defined(MBEDTLS_SSL_TLS_C)
int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
{
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 4dcd967..3860076 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -47,7 +47,7 @@
x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
Certificate Request check Server5 ECDSA, key_usage
-depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256
x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
Certificate Request check Server1, set_extension
@@ -155,11 +155,11 @@
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server5 ECDSA
-depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server5 ECDSA, Opaque
-depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
+depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server1 SHA1, SubjectAltNames
@@ -337,4 +337,3 @@
OID from numeric string - OID with overflowing subidentifier
oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:""
-
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 19edaa7..5df033e 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 19edaa785dd71ec8f0c9f72235243314c3d895fa
+Subproject commit 5df033ee3cb9e0c05262bc57b821ca20b9483b54