Checks for crypto options or internal macros set in mbedtls
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py
index b0dc26b..c5d8054 100755
--- a/scripts/generate_config_checks.py
+++ b/scripts/generate_config_checks.py
@@ -7,11 +7,19 @@
from mbedtls_framework.config_checks_generator import * \
#pylint: disable=wildcard-import,unused-wildcard-import
+class CryptoInternal(SubprojectInternal):
+ SUBPROJECT = 'TF-PSA-Crypto'
+
+class CryptoOption(SubprojectOption):
+ SUBPROJECT = 'psa/crypto_config.h'
+
MBEDTLS_CHECKS = BranchData(
header_directory='library',
header_prefix='mbedtls_',
project_cpp_prefix='MBEDTLS',
checkers=[
+ CryptoInternal('MBEDTLS_MD5_C', 'PSA_WANT_ALG_MD5 in psa/crypto_config.h'),
+ CryptoOption('MBEDTLS_BASE64_C'),
Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'),
Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'),
],
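Review bot: `CryptoInternal` and `CryptoOption` both set `SUBPROJECT`, but to different kinds of value (a project name, `'TF-PSA-Crypto'`, and a header path, `'psa/crypto_config.h'`), and neither class has a docstring saying what the base class does with it. `SubprojectInternal` and `SubprojectOption` come from the wildcard import and are not visible here, so a reader cannot tell whether the header path is intended or a slip. The tests in this commit expect `psa/crypto_config\.h` in the `MBEDTLS_BASE64_C` message, which suggests it is intended. I would add a one-line docstring to each class, e.g. `"""Macro derived internally by TF-PSA-Crypto; must not be set in the Mbed TLS config."""` and `"""Option that now belongs in psa/crypto_config.h; SUBPROJECT names the file shown in the error."""`. A short comment on the `MBEDTLS_MD5_C` entry that the second argument is the replacement shown to the user would also help whoever adds the next algorithm macro.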
diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py
index 7403f7e..911e2d9 100755
--- a/tests/scripts/test_config_checks.py
+++ b/tests/scripts/test_config_checks.py
@@ -55,5 +55,43 @@
error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
+ def test_define_MBEDTLS_MD5_C_redundant(self) -> None:
+ """Error when redundantly setting a subproject internal option."""
+ self.bad_case('#define PSA_WANT_ALG_MD5 1',
+ '#define MBEDTLS_MD5_C',
+ error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h')
+
+ def test_define_MBEDTLS_MD5_C_added(self) -> None:
+ """Error when setting a subproject internal option that was disabled."""
+ self.bad_case('''
+ #undef PSA_WANT_ALG_MD5
+ #undef MBEDTLS_MD5_C
+ ''',
+ '#define MBEDTLS_MD5_C',
+ error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h')
+
+ def test_define_MBEDTLS_BASE64_C_redundant(self) -> None:
+ """Ok to redundantly set a subproject option."""
+ self.good_case(None,
+ '#define MBEDTLS_BASE64_C')
+
+ def test_define_MBEDTLS_BASE64_C_added(self) -> None:
+ """Error when setting a subproject option that was disabled."""
+ self.bad_case('''
+ #undef MBEDTLS_BASE64_C
+ #undef MBEDTLS_PEM_PARSE_C
+ #undef MBEDTLS_PEM_WRITE_C
+ ''',
+ '#define MBEDTLS_BASE64_C',
+ error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h')
+
+ @unittest.skip("Checks for #undef are not implemented yet.")
+ def test_define_MBEDTLS_BASE64_C_unset(self) -> None:
+ """Error when unsetting a subproject option that was enabled."""
+ self.bad_case(None,
+ '#undef MBEDTLS_BASE64_C',
+ error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h')
+
+
if __name__ == '__main__':
unittest.main()
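Review bot: The only test for the `#undef` direction is the skipped `test_define_MBEDTLS_BASE64_C_unset`; the internal macro `MBEDTLS_MD5_C` has no counterpart, and the skip reason carries no tracking reference. That direction has the most security weight: if `PSA_WANT_ALG_MD5` is set, a user who writes `#undef MBEDTLS_MD5_C` in the Mbed TLS config may believe MD5 is disabled while it is presumably still built, with no diagnostic until the check exists. I would add a skipped MD5 test beside the BASE64 one so the gap is recorded and enabled with the implementation, and put an issue reference in both skip messages. The expected regex in the fence is copied from the two existing MD5 tests and is an assumption about the future message.

```python
    # … unchanged: test_define_MBEDTLS_BASE64_C_unset …

    @unittest.skip("Checks for #undef are not implemented yet.")
    def test_define_MBEDTLS_MD5_C_unset(self) -> None:
        """Error when unsetting a subproject internal option that was enabled."""
        self.bad_case('#define PSA_WANT_ALG_MD5 1',
                      '#undef MBEDTLS_MD5_C',
                      error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h')
```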