Merge pull request #10324 from gilles-peskine-arm/query_config-glob-headers
query_config.fmt: glob headers instead of listing them explicitly
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index ddab7d0..d18d0fa 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -255,7 +255,7 @@
*
* Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
* MBEDTLS_RSA_C
- * MBEDTLS_PKCS1_V15
+ * PSA_WANT_ALG_RSA_PKCS1V15_SIGN
* MBEDTLS_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
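Review bot: The `Requires:` list for this option now mixes two naming schemes: the changed line names `PSA_WANT_ALG_RSA_PKCS1V15_SIGN`, while the unchanged line above it still names `MBEDTLS_RSA_C` and the first line still offers `MBEDTLS_ECDH_C` as an alternative. The test-script hunks in this same commit drop their `unset MBEDTLS_RSA_C` calls, which suggests the symbol is no longer user-settable; if so, the documentation tells a reader to set something that has no effect. I would replace the remaining legacy names with their PSA equivalents in the same pass, or add a sentence saying which legacy names are still honoured. The same mix is left at `MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA` in the `@@ -859,7` hunk.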
@@ -331,7 +331,7 @@
* might still happen. For this reason, this is disabled by default.
*
* Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE
- * SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
+ * PSA_WANT_ALG_SHA_256
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
* This enables the following ciphersuites (if other requisites are
@@ -446,7 +446,7 @@
* saved after the handshake to allow for more efficient serialization, so if
* you don't need this feature you'll save RAM by disabling it.
*
- * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
+ * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
*
* Comment to disable the context serialization APIs.
*/
@@ -824,7 +824,7 @@
* Module: library/ssl_ticket.c
* Caller:
*
- * Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
+ * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
*/
#define MBEDTLS_SSL_TICKET_C
@@ -859,7 +859,7 @@
* MBEDTLS_X509_CRT_PARSE_C
* and at least one of:
* MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
- * MBEDTLS_PKCS1_V21
+ * PSA_WANT_ALG_RSA_PSS
*
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
* If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
@@ -903,7 +903,7 @@
* Caller: library/ssl*_client.c
* library/ssl*_server.c
*
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
* and at least one of the MBEDTLS_SSL_PROTO_XXX defines
*
* This module is required for SSL/TLS.
@@ -1210,7 +1210,7 @@
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
- * Requires: MBEDTLS_PKCS1_V21
+ * Requires: PSA_WANT_ALG_RSA_PSS
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index 718e99e..837787b 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -60,7 +60,7 @@
* support", "Mbed TLS modules" and "Mbed TLS feature
* support" in mbedtls_config.h
*
- * \param feature The string for the define to check (e.g. "MBEDTLS_AES_C")
+ * \param feature The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C")
*
* \return 0 if the feature is present,
* -1 if the feature is not present and
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a308711..72dc941 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2376,7 +2376,7 @@
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* PSA_HAVE_ALG_SOME_ECDSA */
-#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_RSA_PSS)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
break;
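Review bot: The new guard `#if defined(PSA_WANT_ALG_RSA_PSS)` checks only the algorithm, so a build that enables RSA-PSS without an RSA public-key type would presumably still report the `RSA_PSS_RSAE_*` signature algorithms as supported and fail only later, at verification. Whether the crypto configuration checks already reject that combination is not visible here. If they do not, consider `#if defined(PSA_WANT_ALG_RSA_PSS) && defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)`, or a compile-time `#error` in the config checks. The same applies to the `PSA_WANT_ALG_RSA_PKCS1V15_SIGN` guard in the `@@ -2401,7` hunk and the RSA-PSS guard in the `@@ -2455,7` hunk. The enclosing switch starts above this hunk.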
@@ -2389,7 +2389,7 @@
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
+#endif /* PSA_WANT_ALG_RSA_PSS */
default:
return 0;
}
@@ -2401,7 +2401,7 @@
const uint16_t sig_alg)
{
switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V15)
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
@@ -2414,7 +2414,7 @@
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V15 */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
default:
return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
sig_alg);
@@ -2455,7 +2455,7 @@
}
switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_RSA_PSS)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
@@ -2474,7 +2474,7 @@
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
+#endif /* PSA_WANT_ALG_RSA_PSS */
default:
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
index 54b07b4..d5995aa 100644
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@@ -31,18 +31,19 @@
$<TARGET_OBJECTS:mbedtls_test_helpers>
$<TARGET_OBJECTS:mbedtls_test>)
if(NOT FUZZINGENGINE_LIB)
- list(APPEND exe_sources onefile.c)
+ list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_onefile.c)
endif()
# This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
list(FIND executables_with_common_c ${exe} exe_index)
if(${exe_index} GREATER -1)
- list(APPEND exe_sources common.c)
+ list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_common.c)
endif()
add_executable(${exe} ${exe_sources})
set_base_compile_options(${exe})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/
${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if (NOT FUZZINGENGINE_LIB)
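Review bot: The added include directory is spelled `${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/`, while the two source paths added just above use `${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/...`. Both presumably resolve to the same directory, but two roots for one location make it easy to update only one if the layout changes. Using `${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz` in the include line would keep them in step. The surrounding loop starts and ends outside this hunk.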
diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile
index 29483ea..65ac6f8 100644
--- a/programs/fuzz/Makefile
+++ b/programs/fuzz/Makefile
@@ -3,7 +3,7 @@
MBEDTLS_PATH := ../..
include ../../scripts/common.make
-PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/programs/fuzz
+PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz
DEP=${MBEDLIBS}
@@ -15,6 +15,8 @@
# A test application is built for each fuzz_*.c file.
APPS = $(basename $(wildcard fuzz_*.c))
+APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_privkey.c)
+APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_pubkey.c)
# Construct executable name by adding OS specific suffix $(EXEXT).
BINARIES := $(addsuffix $(EXEXT),$(APPS))
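Review bot: The two added `APPS +=` entries carry the `$(PROGRAM_FUZZ_PATH)` directory prefix, so the derived `BINARIES` for `fuzz_privkey` and `fuzz_pubkey`, and the `%.o` prerequisites of the pattern rule further down, are written inside that directory rather than this one. The `clean` recipe is outside this hunk, so I cannot tell whether it removes them; if it only deletes local files, these two executables and their objects survive `make clean`. Either confirm that `clean` covers `$(BINARIES)` and `$(PROGRAM_FUZZ_PATH)/*.o`, or add a comment here stating that these two targets are deliberately built out of directory.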
@@ -32,13 +34,13 @@
ifdef FUZZINGENGINE
-$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(DEP)
- echo " $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
- $(CXX) $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(DEP)
+ echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
+ $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
else
-$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $(DEP)
- echo " $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
- $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $(DEP)
+ echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
+ $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
endif
clean:
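Review bot: In the `ifdef FUZZINGENGINE` branch the new echo line prints `$(CC)` but the recipe on the next line links with `$(CXX)`, so the build log names a different tool from the one that runs. The echo should read `echo "  $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"`. This matters when reproducing a fuzzer link failure from the log alone.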
diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c
deleted file mode 100644
index 41fa858..0000000
--- a/programs/fuzz/common.c
+++ /dev/null
@@ -1,107 +0,0 @@
-#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-
-#include "common.h"
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "mbedtls/ctr_drbg.h"
-
-#if defined(MBEDTLS_PLATFORM_TIME_ALT)
-mbedtls_time_t dummy_constant_time(mbedtls_time_t *time)
-{
- (void) time;
- return 0x5af2a056;
-}
-#endif
-
-void dummy_init(void)
-{
-#if defined(MBEDTLS_PLATFORM_TIME_ALT)
- mbedtls_platform_set_time(dummy_constant_time);
-#else
- fprintf(stderr, "Warning: fuzzing without constant time\n");
-#endif
-}
-
-int dummy_send(void *ctx, const unsigned char *buf, size_t len)
-{
- //silence warning about unused parameter
- (void) ctx;
- (void) buf;
-
- //pretends we wrote everything ok
- if (len > INT_MAX) {
- return -1;
- }
- return (int) len;
-}
-
-int fuzz_recv(void *ctx, unsigned char *buf, size_t len)
-{
- //reads from the buffer from fuzzer
- fuzzBufferOffset_t *biomemfuzz = (fuzzBufferOffset_t *) ctx;
-
- if (biomemfuzz->Offset == biomemfuzz->Size) {
- //EOF
- return 0;
- }
- if (len > INT_MAX) {
- return -1;
- }
- if (len + biomemfuzz->Offset > biomemfuzz->Size) {
- //do not overflow
- len = biomemfuzz->Size - biomemfuzz->Offset;
- }
- memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
- biomemfuzz->Offset += len;
- return (int) len;
-}
-
-int dummy_random(void *p_rng, unsigned char *output, size_t output_len)
-{
- int ret;
- size_t i;
-
-#if defined(MBEDTLS_CTR_DRBG_C)
- //mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng
- if (p_rng != NULL) {
- //use mbedtls_ctr_drbg_random to find bugs in it
- ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
- } else {
- //fall through to pseudo-random
- ret = 0;
- }
-#else
- (void) p_rng;
- ret = 0;
-#endif
- for (i = 0; i < output_len; i++) {
- //replace result with pseudo random
- output[i] = (unsigned char) rand();
- }
- return ret;
-}
-
-int dummy_entropy(void *data, unsigned char *output, size_t len)
-{
- size_t i;
- (void) data;
-
- //use mbedtls_entropy_func to find bugs in it
- //test performance impact of entropy
- //ret = mbedtls_entropy_func(data, output, len);
- for (i = 0; i < len; i++) {
- //replace result with pseudo random
- output[i] = (unsigned char) rand();
- }
- return 0;
-}
-
-int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
- uint32_t timeout)
-{
- (void) timeout;
-
- return fuzz_recv(ctx, buf, len);
-}
diff --git a/programs/fuzz/common.h b/programs/fuzz/common.h
deleted file mode 100644
index 88dceac..0000000
--- a/programs/fuzz/common.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "mbedtls/build_info.h"
-
-#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
-#endif
-#include <stddef.h>
-#include <stdint.h>
-
-typedef struct fuzzBufferOffset {
- const uint8_t *Data;
- size_t Size;
- size_t Offset;
-} fuzzBufferOffset_t;
-
-#if defined(MBEDTLS_HAVE_TIME)
-mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
-#endif
-void dummy_init(void);
-
-int dummy_send(void *ctx, const unsigned char *buf, size_t len);
-int fuzz_recv(void *ctx, unsigned char *buf, size_t len);
-int dummy_random(void *p_rng, unsigned char *output, size_t output_len);
-int dummy_entropy(void *data, unsigned char *output, size_t len);
-int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
- uint32_t timeout);
-
-/* Implemented in the fuzz_*.c sources and required by onefile.c */
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c
index 6d3b73f..440c024 100644
--- a/programs/fuzz/fuzz_client.c
+++ b/programs/fuzz/fuzz_client.c
@@ -4,7 +4,7 @@
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "test/certs.h"
-#include "common.h"
+#include "fuzz_common.h"
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c
index efe1362..7a1da13 100644
--- a/programs/fuzz/fuzz_dtlsclient.c
+++ b/programs/fuzz/fuzz_dtlsclient.c
@@ -3,7 +3,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
-#include "common.h"
+#include "fuzz_common.h"
#include "mbedtls/ssl.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index 31eb514..98a7021 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -3,7 +3,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
-#include "common.h"
+#include "fuzz_common.h"
#include "mbedtls/ssl.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c
index 9ec9351..f236190 100644
--- a/programs/fuzz/fuzz_pkcs7.c
+++ b/programs/fuzz/fuzz_pkcs7.c
@@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/pkcs7.h"
-#include "common.h"
+#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index bb9dd0a..05b7480 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -5,7 +5,7 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ssl_ticket.h"
#include "test/certs.h"
-#include "common.h"
+#include "fuzz_common.h"
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c
index 2840fbb..92e0f5d 100644
--- a/programs/fuzz/fuzz_x509crl.c
+++ b/programs/fuzz/fuzz_x509crl.c
@@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/x509_crl.h"
-#include "common.h"
+#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c
index 29331b9..c99ae2e 100644
--- a/programs/fuzz/fuzz_x509crt.c
+++ b/programs/fuzz/fuzz_x509crt.c
@@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/x509_crt.h"
-#include "common.h"
+#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c
index e0aaabc..4ab071f 100644
--- a/programs/fuzz/fuzz_x509csr.c
+++ b/programs/fuzz/fuzz_x509csr.c
@@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/x509_csr.h"
-#include "common.h"
+#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/onefile.c b/programs/fuzz/onefile.c
deleted file mode 100644
index 6c02a64..0000000
--- a/programs/fuzz/onefile.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-
-#include <stdint.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include "common.h"
-
-/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway
- * in case it contains platform-specific #defines related to malloc or
- * stdio functions. */
-#include "mbedtls/build_info.h"
-
-int main(int argc, char **argv)
-{
- FILE *fp;
- uint8_t *Data;
- size_t Size;
- const char *argv0 = argv[0] == NULL ? "PROGRAM_NAME" : argv[0];
-
- if (argc != 2) {
- fprintf(stderr, "Usage: %s REPRODUCER_FILE\n", argv0);
- return 1;
- }
- //opens the file, get its size, and reads it into a buffer
- fp = fopen(argv[1], "rb");
- if (fp == NULL) {
- fprintf(stderr, "%s: Error in fopen\n", argv0);
- perror(argv[1]);
- return 2;
- }
- if (fseek(fp, 0L, SEEK_END) != 0) {
- fprintf(stderr, "%s: Error in fseek(SEEK_END)\n", argv0);
- perror(argv[1]);
- fclose(fp);
- return 2;
- }
- Size = ftell(fp);
- if (Size == (size_t) -1) {
- fprintf(stderr, "%s: Error in ftell\n", argv0);
- perror(argv[1]);
- fclose(fp);
- return 2;
- }
- if (fseek(fp, 0L, SEEK_SET) != 0) {
- fprintf(stderr, "%s: Error in fseek(0)\n", argv0);
- perror(argv[1]);
- fclose(fp);
- return 2;
- }
- Data = malloc(Size);
- if (Data == NULL) {
- fprintf(stderr, "%s: Could not allocate memory\n", argv0);
- perror(argv[1]);
- fclose(fp);
- return 2;
- }
- if (fread(Data, Size, 1, fp) != 1) {
- fprintf(stderr, "%s: Error in fread\n", argv0);
- perror(argv[1]);
- free(Data);
- fclose(fp);
- return 2;
- }
-
- //launch fuzzer
- LLVMFuzzerTestOneInput(Data, Size);
- free(Data);
- fclose(fp);
- return 0;
-}
diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c
index 6aa60fb..f9a6402 100644
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -293,7 +293,7 @@
}
mbedtls_pk_free(pk);
mbedtls_pk_init(pk);
- ret = mbedtls_pk_setup_opaque(pk, *key_id);
+ ret = mbedtls_pk_wrap_psa(pk, *key_id);
if (ret != 0) {
return ret;
}
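Review bot: When `mbedtls_pk_wrap_psa` fails, the function returns with `pk` already freed and re-initialised, and nothing in the visible lines destroys the key referenced by `*key_id`. Whether the caller destroys it is not visible from this hunk, so the contract deserves a comment above the call, for example `/* On failure pk is left empty and *key_id is still valid; the caller must destroy it. */`. If the caller does not, a `psa_destroy_key(*key_id);` before `return ret;` would avoid leaving the key behind. The function begins and ends outside the hunk.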
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 67a3885..d1bb553 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -327,10 +327,6 @@
'Low and high error',
'Single low error'
],
- # Similar to test_suite_error above.
- 'test_suite_version': [
- 'Check for MBEDTLS_AES_C when already present',
- ],
# The en/decryption part of PKCS#12 is not supported so far.
# The rest of PKCS#12 (key derivation) works though.
'test_suite_pkcs12': [
@@ -659,10 +655,6 @@
'Single low error',
'Low and high error',
],
- 'test_suite_version': [
- # Similar to test_suite_error above.
- 'Check for MBEDTLS_AES_C when already present',
- ],
'test_suite_platform': [
# Incompatible with sanitizers (e.g. ASan). If the driver
# component uses a sanitizer but the reference component
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index bb0375a..da776e7 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -138,7 +138,6 @@
component_test_no_rsa_key_pair_generation () {
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
- scripts/config.py unset MBEDTLS_GENPRIME
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
@@ -310,7 +309,6 @@
msg "build: full no CIPHER"
scripts/config.py full
- scripts/config.py unset MBEDTLS_CIPHER_C
# The built-in implementation of the following algs/key-types depends
# on CIPHER_C so we disable them.
@@ -329,7 +327,6 @@
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# The following modules directly depends on CIPHER_C
- scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_NIST_KW_C
make
@@ -479,7 +476,6 @@
scripts/config.py unset MBEDTLS_VERSION_FEATURES
# Crypto stuff with no PSA interface
scripts/config.py unset MBEDTLS_BASE64_C
- # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
# Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -519,11 +515,6 @@
tests/scripts/depends.py cipher_chaining
}
-component_test_depends_py_cipher_padding () {
- msg "test/build: depends.py cipher_padding (gcc)"
- tests/scripts/depends.py cipher_padding
-}
-
component_test_depends_py_curves () {
msg "test/build: depends.py curves (gcc)"
tests/scripts/depends.py curves
@@ -1148,9 +1139,6 @@
# on BIGNUM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Also disable key exchanges that depend on RSA
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -1425,12 +1413,6 @@
helper_libtestdriver1_adjust_config "crypto_full"
if [ "$driver_only" -eq 1 ]; then
- # Remove RSA support and its dependencies
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
- scripts/config.py unset MBEDTLS_GENPRIME
-
# We need PEM parsing in the test library as well to support the import
# of PEM encoded RSA keys.
scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
@@ -1494,7 +1476,7 @@
# This is a temporary test to verify that full RSA support is present even when
# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
component_test_new_psa_want_key_pair_symbol () {
- msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
+ msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
# Create a temporary output file unless there is already one set
if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
@@ -1509,11 +1491,8 @@
scripts/config.py crypto
# Remove RSA support and its dependencies
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
@@ -1524,7 +1503,7 @@
make
- msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
+ msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
make test
# Parse only 1 relevant line from the outcome file, i.e. a test which is
@@ -1550,15 +1529,6 @@
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
- # Disable the things that are being accelerated
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
- scripts/config.py unset MBEDTLS_SHA1_C
- scripts/config.py unset MBEDTLS_SHA224_C
- scripts/config.py unset MBEDTLS_SHA256_C
- scripts/config.py unset MBEDTLS_SHA384_C
- scripts/config.py unset MBEDTLS_SHA512_C
-
# Build
# -----
@@ -1588,14 +1558,7 @@
helper_libtestdriver1_adjust_config "full"
if [ "$driver_only" -eq 1 ]; then
# disable the built-in implementation of hashes
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
- scripts/config.py unset MBEDTLS_SHA1_C
- scripts/config.py unset MBEDTLS_SHA224_C
- scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
- scripts/config.py unset MBEDTLS_SHA384_C
- scripts/config.py unset MBEDTLS_SHA512_C
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
fi
}
@@ -1676,11 +1639,9 @@
# Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
# is still enabled though (for ENTROPY_C among others).
scripts/config.py unset MBEDTLS_MD_C
- # Disable also the builtin hashes since they are supported by the driver
- # and MD module is able to perform PSA dispathing.
+ # Also disable the configuration options that tune the builtin hashes,
+ # since those hashes are disabled.
scripts/config.py unset-all MBEDTLS_SHA
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
fi
# Direct dependencies of MD_C. We disable them also in the reference
@@ -1747,11 +1708,6 @@
# Start from full config
helper_libtestdriver1_adjust_config "full"
- # Disable things that are being accelerated
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-
# Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
@@ -1802,32 +1758,10 @@
common_psa_crypto_config_accel_cipher_aead_cmac
- # Disable the things that are being accelerated
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
- scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
- scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_CMAC_C
- scripts/config.py unset MBEDTLS_DES_C
- scripts/config.py unset MBEDTLS_AES_C
- scripts/config.py unset MBEDTLS_ARIA_C
- scripts/config.py unset MBEDTLS_CHACHA20_C
- scripts/config.py unset MBEDTLS_CAMELLIA_C
- scripts/config.py unset MBEDTLS_POLY1305_C
-
# Disable DES, if it still exists.
# This can be removed once we remove DES from the library.
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
- # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
- # does not depend on it.
- scripts/config.py unset MBEDTLS_CIPHER_C
-
# Build
# -----
@@ -1887,14 +1821,6 @@
# Start from the full config
helper_libtestdriver1_adjust_config "full"
- if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
- # Disable key types that are accelerated (there is no legacy equivalent
- # symbol for ECB)
- scripts/config.py unset MBEDTLS_AES_C
- scripts/config.py unset MBEDTLS_ARIA_C
- scripts/config.py unset MBEDTLS_CAMELLIA_C
- fi
-
# Disable cipher's modes that, when not accelerated, cause
# legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
# Keep this also in the reference component in order to skip the same tests
@@ -1999,7 +1925,6 @@
component_test_aead_chachapoly_disabled () {
msg "build: full minus CHACHAPOLY"
scripts/config.py full
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -2010,8 +1935,6 @@
component_test_aead_only_ccm () {
msg "build: full minus CHACHAPOLY and GCM"
scripts/config.py full
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -2137,16 +2060,12 @@
# manually set or unset those configurations to check
# MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
- scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
- # Note: The two unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_DES_C
build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
"MBEDTLS_AES_ROM_TABLES" \
@@ -2167,7 +2086,7 @@
#define PSA_WANT_ALG_SHA3_256 1
#define PSA_WANT_ALG_SHA3_384 1
#define PSA_WANT_ALG_SHA3_512 1
- #define MBEDTLS_AES_C
+ #define PSA_WANT_KEY_TYPE_AES 1
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PSA_CRYPTO_C
@@ -2350,7 +2269,6 @@
# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
config_block_cipher_no_decrypt () {
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
- scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
# Enable support for cryptographic mechanisms through the PSA API.
@@ -2359,9 +2277,6 @@
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
- # Note: The two unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_DES_C
}
component_test_block_cipher_no_decrypt_aesni () {
@@ -2513,7 +2428,6 @@
# query_compile_time_config.
echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
- echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h
make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index ff83157..450bdeb 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -54,18 +54,11 @@
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
- # Note: The three unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
- # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
- # Note: The unset below is to be removed for 4.0
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -90,13 +83,9 @@
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
- # Note: The three unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
+ # Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
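Review bot: The shortened comment `# Enable CBC-legacy` no longer says which option controls it, yet the next comment still reads "controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC" and now points at an explanation that is gone. I would keep the pointer in PSA terms, e.g. `# Enable CBC-legacy (controlled by PSA_WANT_ALG_CBC_NO_PADDING plus at least one block cipher key type)`. The block-cipher part is my reading of the removed text and should be confirmed. The same wording is left in the `@@ -123,13` hunk, and the component function starts above this hunk.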
@@ -123,13 +112,9 @@
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
- # Note: The three unsets below are to be removed for Mbed TLS 4.0
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
+ # Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -399,8 +384,6 @@
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- scripts/config.py unset MBEDTLS_CMAC_C
make
@@ -472,7 +455,6 @@
# Note: The four unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@@ -536,7 +518,6 @@
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@@ -566,7 +547,6 @@
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@@ -593,7 +573,6 @@
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 7fccb20..679f05a 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -30,11 +30,11 @@
direct dependencies, but rather non-trivial results of other configs missing. Then
look for any unset symbols and handle their reverse dependencies.
Examples of EXCLUSIVE_GROUPS usage:
- - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
+ - PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
requires either SHA256 or SHA384 to work, so it also has to be disabled.
- This is not a dependency on SHA512_C, but a result of an exclusive domain
+ This is not a dependency on SHA512, but a result of an exclusive domain
config building method. Relevant field:
- 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'],
+ 'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'],
- DualDomain - combination of the two above - both complementary and exclusive domain
job generation code will be run. Currently only used for hashes.
@@ -251,34 +251,11 @@
REVERSE_DEPENDENCIES = {
'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
'MBEDTLS_CTR_DRBG_C',
- 'MBEDTLS_NIST_KW_C',
- 'MBEDTLS_AES_C'],
- 'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'],
- 'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'],
+ 'MBEDTLS_NIST_KW_C'],
'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305',
- 'PSA_WANT_ALG_STREAM_CIPHER',
- 'MBEDTLS_CHACHA20_C',
- 'MBEDTLS_CHACHAPOLY_C'],
- 'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'],
- 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG',
- 'MBEDTLS_CCM_C'],
- 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
- 'MBEDTLS_CMAC_C'],
- 'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'],
-
- 'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'],
- 'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'],
- 'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'],
- 'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'],
- 'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'],
- 'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'],
-
- 'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C',
- 'MBEDTLS_PKCS12_C',
- 'PSA_WANT_ALG_CBC_PKCS7'],
- 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
- 'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
- 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'],
+ 'PSA_WANT_ALG_STREAM_CIPHER'],
+ 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
+ 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
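Review bot: Removing the `'MBEDTLS_CIPHER_PADDING_PKCS7'` key also removes the only visible entries that switched off `MBEDTLS_PKCS5_C` and `MBEDTLS_PKCS12_C` when PKCS#7 padding was unavailable. If those modules still exist and still need CBC with PKCS#7 padding, a job that disables `PSA_WANT_ALG_CBC_PKCS7` would now build an inconsistent configuration, or would quietly stop covering that combination. In that case the relation could be re-keyed rather than dropped: `'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_PKCS5_C', 'MBEDTLS_PKCS12_C'],`. REVERSE_DEPENDENCIES continues outside the hunk, so this may already be handled elsewhere in the dict.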
@@ -319,11 +296,9 @@
'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C',
'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS',
- 'MBEDTLS_X509_RSASSA_PSS_SUPPORT',
- 'MBEDTLS_PKCS1_V21'],
+ 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN',
- 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
- 'MBEDTLS_PKCS1_V15'],
+ 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_ALG_RSA_OAEP',
@@ -331,29 +306,21 @@
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
- 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
- 'MBEDTLS_RSA_C'],
+ 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
- 'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'],
- 'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'],
- 'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'],
'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
- 'MBEDTLS_SHA224_C'],
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_LMS_C',
'MBEDTLS_LMS_PRIVATE',
- 'MBEDTLS_SHA256_C',
'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'],
- 'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'],
'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
- 'MBEDTLS_SHA512_C'],
+ 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'],
'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'],
}
@@ -531,9 +498,6 @@
# Get cipher modes
cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs}
- # Find block padding mode enabling macros by name.
- cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z')
-
self.domains = {
# Cipher key types
'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test),
@@ -544,9 +508,6 @@
build_and_test,
exclude=r'PSA_WANT_ALG_XTS'),
- 'cipher_padding': ExclusiveDomain(cipher_padding_symbols,
- build_and_test),
-
# Elliptic curves. Run the test suites.
'curves': ExclusiveDomain(curve_symbols, build_and_test),
@@ -639,8 +600,8 @@
description=
"Test Mbed TLS with a subset of algorithms.\n\n"
"Example usage:\n"
- r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n"
- "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n"
+ r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n"
+ "./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n"
"./tests/scripts/depends.py cipher_id cipher_chaining\n")
parser.add_argument('--color', metavar='WHEN',
help='Colorize the output (always/auto/never)',
diff --git a/tests/scripts/test_config_script.py b/tests/scripts/test_config_script.py
index e500b33..b58a311 100755
--- a/tests/scripts/test_config_script.py
+++ b/tests/scripts/test_config_script.py
@@ -130,7 +130,7 @@
### config.py stops handling that case correctly.
TEST_SYMBOLS = [
'CUSTOM_SYMBOL', # does not exist
- 'MBEDTLS_AES_C', # set, no value
+ 'PSA_WANT_KEY_TYPE_AES', # set, no value
'MBEDTLS_MPI_MAX_SIZE', # unset, has a value
'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support"
'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options"
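Review bot: The replacement row `'PSA_WANT_KEY_TYPE_AES', # set, no value` probably no longer exercises the case its comment names. Elsewhere in this commit PSA_WANT_* symbols are changed through `-c $CRYPTO_CONFIG_H`, which suggests the symbol lives in the crypto config file rather than in mbedtls_config.h, and PSA_WANT_* macros are normally defined with the value 1. If the test drives config.py against mbedtls_config.h, this row would then behave like the nonexistent `CUSTOM_SYMBOL` and the "set, no value" path would go untested. A symbol the header still defines bare, for example `'MBEDTLS_SSL_TICKET_C', # set, no value`, would keep the case covered. TEST_SYMBOLS continues outside the hunk, so check that symbol is not already listed.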
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index e6c082e..faa79ff 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -772,7 +772,7 @@
TEST_EQUAL(mbedtls_pk_import_into_psa(ep->pkey, &key_attr, &key_slot), 0);
mbedtls_pk_free(ep->pkey);
mbedtls_pk_init(ep->pkey);
- TEST_EQUAL(mbedtls_pk_setup_opaque(ep->pkey, key_slot), 0);
+ TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0);
}
#else
(void) opaque_alg;
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index db571da..e0aad90 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -286,7 +286,7 @@
TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
mbedtls_pk_free(&key);
mbedtls_pk_init(&key);
- TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
+ TEST_EQUAL(mbedtls_pk_wrap_psa(&key, key_id), 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key);
@@ -417,7 +417,7 @@
TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
mbedtls_pk_free(&issuer_key);
mbedtls_pk_init(&issuer_key);
- TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
+ TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
diff --git a/tf-psa-crypto b/tf-psa-crypto
index a0ff5d6..19edaa7 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit a0ff5d64831aad7d19aa7e02eb8af065e07506f2
+Subproject commit 19edaa785dd71ec8f0c9f72235243314c3d895fa