Merge pull request #8264 from mpg/follow-up-8075
Follow up to 8075
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 6a2f9d2..e18e9a5 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -125,6 +125,46 @@
#endif /* MBEDTLS_PSA_CRYPTO_CONFIG || MBEDTLS_PSA_CRYPTO_C */
+/* Limitations on ECC key types acceleration: if we have any of `PUBLIC_KEY`,
+ * `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, `KEY_PAIR_EXPORT` then we must have
+ * all 4 of them.
+ */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#error "Unsupported partial support for ECC key type acceleration, see docs/driver-only-builds.md"
+#endif /* not all of public, basic, import, export */
+#endif /* one of public, basic, import, export */
+
+/* Limitations on ECC curves acceleration: partial curve acceleration is only
+ * supported with crypto excluding PK, X.509 or TLS.
+ * Note: no need to check X.509 as it depends on PK. */
+#if defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
+ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
+#if defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#if defined(MBEDTLS_PK_C) || \
+ defined(MBEDTLS_SSL_TLS_C)
+#error "Unsupported partial support for ECC curves acceleration, see docs/driver-only-builds.md"
+#endif /* modules beyond what's supported */
+#endif /* not all curves accelerated */
+#endif /* some curve accelerated */
+
#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
#endif
diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h
index 1519da7..e3c2ed1 100644
--- a/include/mbedtls/config_adjust_legacy_from_psa.h
+++ b/include/mbedtls/config_adjust_legacy_from_psa.h
@@ -159,35 +159,40 @@
/* ECC: key types: is acceleration complete? */
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
#endif
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
#endif
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
#endif
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
#endif
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
#endif
/* Special case: we don't support cooked key derivation in drivers yet */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+#endif
+
+/* Note: the condition is always true as DERIVE can't be accelerated yet */
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
- (1 || !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE))
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
#endif
/* ECC: curves: enable built-ins as needed.
@@ -199,7 +204,7 @@
*/
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
@@ -208,7 +213,7 @@
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
@@ -217,7 +222,7 @@
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
@@ -226,7 +231,7 @@
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
@@ -235,7 +240,7 @@
#if defined(PSA_WANT_ECC_MONTGOMERY_448)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
@@ -244,7 +249,7 @@
#if defined(PSA_WANT_ECC_SECP_R1_192)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
@@ -253,7 +258,7 @@
#if defined(PSA_WANT_ECC_SECP_R1_224)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
@@ -262,7 +267,7 @@
#if defined(PSA_WANT_ECC_SECP_R1_256)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -271,7 +276,7 @@
#if defined(PSA_WANT_ECC_SECP_R1_384)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
@@ -280,7 +285,7 @@
#if defined(PSA_WANT_ECC_SECP_R1_521)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
@@ -289,7 +294,7 @@
#if defined(PSA_WANT_ECC_SECP_K1_192)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
@@ -298,7 +303,7 @@
#if defined(PSA_WANT_ECC_SECP_K1_224)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
@@ -309,7 +314,7 @@
#if defined(PSA_WANT_ECC_SECP_K1_256)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
@@ -331,7 +336,7 @@
#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
#define MBEDTLS_ECDSA_DETERMINISTIC
#define MBEDTLS_HMAC_DRBG_C
@@ -347,7 +352,7 @@
#if defined(PSA_WANT_ALG_ECDH)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECP_C
@@ -358,7 +363,7 @@
#if defined(PSA_WANT_ALG_ECDSA)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
@@ -371,7 +376,7 @@
#if defined(PSA_WANT_ALG_JPAKE)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) || \
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
#define MBEDTLS_PSA_BUILTIN_PAKE 1
#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -435,9 +440,9 @@
#endif /* missing accel */
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
-/* Special case: we don't support cooked key derivation in drivers yet */
+/* Note: the condition is always true as DERIVE can't be accelerated yet */
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#if 1 || !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
#define MBEDTLS_ECP_LIGHT
diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h
index 9151532..a9386a2 100644
--- a/tests/configs/user-config-for-test.h
+++ b/tests/configs/user-config-for-test.h
@@ -52,7 +52,11 @@
* the test driver implemented. */
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR
#define MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING
#define MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 45c5619..9e1d84f 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -428,9 +428,9 @@
check_tools()
{
- for TOOL in "$@"; do
- if ! `type "$TOOL" >/dev/null 2>&1`; then
- err_msg "$TOOL not found!"
+ for tool in "$@"; do
+ if ! `type "$tool" >/dev/null 2>&1`; then
+ err_msg "$tool not found!"
exit 1
fi
done
@@ -884,10 +884,10 @@
# Adjust the configuration - for both libtestdriver1 and main library,
# as they should have the same PSA_WANT macros.
helper_libtestdriver1_adjust_config() {
- BASE_CONFIG=$1
+ base_config=$1
# Select the base configuration
- if [ "$BASE_CONFIG" != "default" ]; then
- scripts/config.py "$BASE_CONFIG"
+ if [ "$base_config" != "default" ]; then
+ scripts/config.py "$base_config"
fi
# Enable PSA-based config (necessary to use drivers)
@@ -910,8 +910,8 @@
allowed_list="${1:-}"
scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
- for CURVE in $allowed_list; do
- scripts/config.py set $CURVE
+ for curve in $allowed_list; do
+ scripts/config.py set $curve
done
}
@@ -920,8 +920,8 @@
# in the following helpers.
helper_get_psa_curve_list () {
loc_list=""
- for ITEM in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
- loc_list="$loc_list $ITEM"
+ for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
+ loc_list="$loc_list $item"
done
echo "$loc_list"
@@ -931,13 +931,13 @@
# is useful to easily get a list of key type symbols to accelerate.
# The function accepts a single argument which is the key type: ECC, DH, RSA.
helper_get_psa_key_type_list() {
- KEY_TYPE="$1"
+ key_type="$1"
loc_list=""
- for ITEM in $(sed -n "s/^#define PSA_WANT_\(KEY_TYPE_${KEY_TYPE}_[0-9A-Z_a-z]*\).*/\1/p" <"$CRYPTO_CONFIG_H"); do
+ for item in $(sed -n "s/^#define PSA_WANT_\(KEY_TYPE_${key_type}_[0-9A-Z_a-z]*\).*/\1/p" <"$CRYPTO_CONFIG_H"); do
# Skip DERIVE for elliptic keys since there is no driver dispatch for
# it so it cannot be accelerated.
- if [ "$ITEM" != "KEY_TYPE_ECC_KEY_PAIR_DERIVE" ]; then
- loc_list="$loc_list $ITEM"
+ if [ "$item" != "KEY_TYPE_ECC_KEY_PAIR_DERIVE" ]; then
+ loc_list="$loc_list $item"
fi
done
@@ -2560,17 +2560,17 @@
# Run tests with only (non-)Weierstrass accelerated
# Common code used in:
-# - component_test_psa_crypto_config_accel_ecc_weirstrass_curves
-# - component_test_psa_crypto_config_accel_ecc_non_weirstrass_curves
+# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves
+# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves
common_test_psa_crypto_config_accel_ecc_some_curves () {
- WEIERSTRASS=$1
- if [ $WEIERSTRASS -eq 1 ]; then
- DESC="Weierstrass"
+ weierstrass=$1
+ if [ $weierstrass -eq 1 ]; then
+ desc="Weierstrass"
else
- DESC="non-Weierstrass"
+ desc="non-Weierstrass"
fi
- msg "build: full with accelerated EC algs and $DESC curves"
+ msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -2585,17 +2585,17 @@
# helper_get_psa_curve_list that only keeps Weierstrass families.
loc_weierstrass_list=""
loc_non_weierstrass_list=""
- for ITEM in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
- case $ITEM in
+ for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
+ case $item in
ECC_BRAINPOOL*|ECC_SECP*)
- loc_weierstrass_list="$loc_weierstrass_list $ITEM"
+ loc_weierstrass_list="$loc_weierstrass_list $item"
;;
*)
- loc_non_weierstrass_list="$loc_non_weierstrass_list $ITEM"
+ loc_non_weierstrass_list="$loc_non_weierstrass_list $item"
;;
esac
done
- if [ $WEIERSTRASS -eq 1 ]; then
+ if [ $weierstrass -eq 1 ]; then
loc_curve_list=$loc_weierstrass_list
else
loc_curve_list=$loc_non_weierstrass_list
@@ -2604,8 +2604,18 @@
# Configure
# ---------
- # start with config full for maximum coverage (also enables USE_PSA)
- helper_libtestdriver1_adjust_config "full"
+ # Start with config crypto_full and remove PK_C:
+ # that's what's supported now, see docs/driver-only-builds.md.
+ helper_libtestdriver1_adjust_config "crypto_full"
+ scripts/config.py unset MBEDTLS_PK_C
+ scripts/config.py unset MBEDTLS_PK_PARSE_C
+ scripts/config.py unset MBEDTLS_PK_WRITE_C
+ # We need to disable RSA too or PK will be re-enabled.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
+ scripts/config.py unset MBEDTLS_RSA_C
+ scripts/config.py unset MBEDTLS_PKCS1_V15
+ scripts/config.py unset MBEDTLS_PKCS1_V21
# Disable modules that are accelerated - some will be re-enabled
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -2641,7 +2651,7 @@
# - functions with mxz in the name are specific to Montgomery curves
# - ecp_muladd is specific to Weierstrass curves
##nm library/ecp.o | tee ecp.syms
- if [ $WEIERSTRASS -eq 1 ]; then
+ if [ $weierstrass -eq 1 ]; then
not grep mbedtls_ecp_muladd library/ecp.o
grep mxz library/ecp.o
else
@@ -2650,7 +2660,7 @@
fi
# We expect ECDSA and ECJPAKE to be re-enabled only when
# Weierstrass curves are not accelerated
- if [ $WEIERSTRASS -eq 1 ]; then
+ if [ $weierstrass -eq 1 ]; then
not grep mbedtls_ecdsa library/ecdsa.o
not grep mbedtls_ecjpake library/ecjpake.o
else
@@ -2661,16 +2671,15 @@
# Run the tests
# -------------
- msg "test suites: full with accelerated EC algs and $DESC curves"
- # does not work for PK (and above), see #8255
- make test SKIP_TEST_SUITES=pk,pkparse,pkwrite,x509parse,x509write,ssl,debug
+ msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves"
+ make test
}
-component_test_psa_crypto_config_accel_ecc_weirstrass_curves () {
+component_test_psa_crypto_config_accel_ecc_weierstrass_curves () {
common_test_psa_crypto_config_accel_ecc_some_curves 1
}
-component_test_psa_crypto_config_accel_ecc_non_weirstrass_curves () {
+component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () {
common_test_psa_crypto_config_accel_ecc_some_curves 0
}
@@ -2686,10 +2695,10 @@
# - component_test_psa_crypto_config_reference_ecc_ecp_light_only.
# This supports comparing their test coverage with analyze_outcomes.py.
config_psa_crypto_config_ecp_light_only () {
- DRIVER_ONLY="$1"
+ driver_only="$1"
# start with config full for maximum coverage (also enables USE_PSA)
helper_libtestdriver1_adjust_config "full"
- if [ "$DRIVER_ONLY" -eq 1 ]; then
+ if [ "$driver_only" -eq 1 ]; then
# Disable modules that are accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
@@ -2783,11 +2792,11 @@
# PK_C and RSA_C are always disabled to ensure there is no remaining dependency
# on the ECP module.
config_psa_crypto_no_ecp_at_all () {
- DRIVER_ONLY="$1"
+ driver_only="$1"
# start with full config for maximum coverage (also enables USE_PSA)
helper_libtestdriver1_adjust_config "full"
- if [ "$DRIVER_ONLY" -eq 1 ]; then
+ if [ "$driver_only" -eq 1 ]; then
# Disable modules that are accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
@@ -2901,12 +2910,12 @@
# $2: a string value which states which components are tested. Allowed values
# are "ECC" or "ECC_DH".
config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
- DRIVER_ONLY="$1"
- TEST_TARGET="$2"
+ driver_only="$1"
+ test_target="$2"
# start with full config for maximum coverage (also enables USE_PSA)
helper_libtestdriver1_adjust_config "full"
- if [ "$DRIVER_ONLY" -eq 1 ]; then
+ if [ "$driver_only" -eq 1 ]; then
# Disable modules that are accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
@@ -2937,7 +2946,7 @@
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- if [ "$TEST_TARGET" = "ECC" ]; then
+ if [ "$test_target" = "ECC" ]; then
# When testing ECC only, we disable FFDH support, both from builtin and
# PSA sides, and also disable the key exchanges that depend on DHM.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH
@@ -2948,7 +2957,7 @@
else
# When testing ECC and DH instead, we disable DHM and depending key
# exchanges only in the accelerated build
- if [ "$DRIVER_ONLY" -eq 1 ]; then
+ if [ "$driver_only" -eq 1 ]; then
scripts/config.py unset MBEDTLS_DHM_C
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -2973,18 +2982,18 @@
# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers
# coverage analysis in the "analyze_outcomes.py" script.
common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
- TEST_TARGET="$1"
+ test_target="$1"
# This is an internal helper to simplify text message handling
- if [ "$TEST_TARGET" = "ECC_DH" ]; then
- ACCEL_TEXT="ECC/FFDH"
- REMOVED_TEXT="ECP - DH"
+ if [ "$test_target" = "ECC_DH" ]; then
+ accel_text="ECC/FFDH"
+ removed_text="ECP - DH"
else
- ACCEL_TEXT="ECC"
- REMOVED_TEXT="ECP"
+ accel_text="ECC"
+ removed_text="ECP"
fi
- msg "build: full + accelerated $ACCEL_TEXT algs + USE_PSA - $REMOVED_TEXT - BIGNUM"
+ msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
# By default we accelerate all EC keys/algs
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -2992,7 +3001,7 @@
ALG_JPAKE \
$(helper_get_psa_key_type_list "ECC")"
# Optionally we can also add DH to the list of accelerated items
- if [ "$TEST_TARGET" = "ECC_DH" ]; then
+ if [ "$test_target" = "ECC_DH" ]; then
loc_accel_list="$loc_accel_list \
ALG_FFDH \
$(helper_get_psa_key_type_list "DH")"
@@ -3007,7 +3016,7 @@
# ---------
# Set common configurations between library's and driver's builds
- config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$TEST_TARGET"
+ config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
# Disable all the builtin curves. All the required algs are accelerated.
helper_disable_builtin_curves
@@ -3036,11 +3045,11 @@
# Run the tests
# -------------
- msg "test suites: full + accelerated $ACCEL_TEXT algs + USE_PSA - $REMOVED_TEXT - DHM - BIGNUM"
+ msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
make test
- msg "ssl-opt: full + accelerated $ACCEL_TEXT algs + USE_PSA - $REMOVED_TEXT - BIGNUM"
+ msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
tests/ssl-opt.sh
}
@@ -3056,25 +3065,25 @@
# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers'
# coverage analysis in "analyze_outcomes.py" script.
common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
- TEST_TARGET="$1"
+ test_target="$1"
# This is an internal helper to simplify text message handling
- if [ "$TEST_TARGET" = "ECC_DH" ]; then
- ACCEL_TEXT="ECC/FFDH"
+ if [ "$test_target" = "ECC_DH" ]; then
+ accel_text="ECC/FFDH"
else
- ACCEL_TEXT="ECC"
+ accel_text="ECC"
fi
- msg "build: full + non accelerated $ACCEL_TEXT algs + USE_PSA"
+ msg "build: full + non accelerated $accel_text algs + USE_PSA"
- config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$TEST_TARGET"
+ config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
make
msg "test suites: full + non accelerated EC algs + USE_PSA"
make test
- msg "ssl-opt: full + non accelerated $ACCEL_TEXT algs + USE_PSA"
+ msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA"
tests/ssl-opt.sh
}
@@ -3189,14 +3198,14 @@
# - build
# - test only TLS (i.e. test_suite_tls and ssl-opt)
build_full_minus_something_and_test_tls () {
- SYMBOLS_TO_DISABLE="$1"
+ symbols_to_disable="$1"
msg "build: full minus something, test TLS"
scripts/config.py full
- for SYM in $SYMBOLS_TO_DISABLE; do
- echo "Disabling $SYM"
- scripts/config.py unset $SYM
+ for sym in $symbols_to_disable; do
+ echo "Disabling $sym"
+ scripts/config.py unset $sym
done
make
@@ -3225,22 +3234,22 @@
# - $1 is the key type under test, i.e. ECC/RSA/DH
# - $2 is the key option to be unset (i.e. generate, derive, etc)
build_and_test_psa_want_key_pair_partial() {
- KEY_TYPE=$1
- UNSET_OPTION=$2
- DISABLED_PSA_WANT="PSA_WANT_KEY_TYPE_${KEY_TYPE}_KEY_PAIR_${UNSET_OPTION}"
+ key_type=$1
+ unset_option=$2
+ disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${DISABLED_PSA_WANT}"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
scripts/config.py full
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
# crypto_config.h so we just disable the one we don't want.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$DISABLED_PSA_WANT"
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
make CC=gcc CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
- msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${DISABLED_PSA_WANT}"
+ msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
make test
}
@@ -3445,10 +3454,10 @@
# Auxiliary function to build config for hashes with and without drivers
config_psa_crypto_hash_use_psa () {
- DRIVER_ONLY="$1"
+ driver_only="$1"
# start with config full for maximum coverage (also enables USE_PSA)
helper_libtestdriver1_adjust_config "full"
- if [ "$DRIVER_ONLY" -eq 1 ]; then
+ if [ "$driver_only" -eq 1 ]; then
# disable the built-in implementation of hashes
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
@@ -3664,33 +3673,6 @@
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
-# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test.
-component_build_psa_accel_key_type_ecc_key_pair() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set-all "PSA_WANT_KEY_TYPE_ECC_[0-9A-Z_a-z]*"
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
-# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test.
-component_build_psa_accel_key_type_ecc_public_key() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
component_build_psa_accel_alg_hmac() {
msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC"