TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 85c78f55593f97dffcc73e5d3c66437173a38c0c / . / tests / scripts / components.sh
blob: 82d18c37e9e3bda6a481af100da142bbc490df7e [file] [log] [blame]
Minos Galanakis6aab5b72024-07-25 14:24:37 +0100[diff] [blame]1# components.sh
2#
3# Copyright The Mbed TLS Contributors
4# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
5
6# This file contains the test components that are executed by all.sh
7
8# The functions below are named as follows:
9# * component_XXX: independent components. They can be run in any order.
10# * component_check_XXX: quick tests that aren't worth parallelizing.
11# * component_build_XXX: build things but don't run them.
12# * component_test_XXX: build and test.
13# * component_release_XXX: tests that the CI should skip during PR testing.
14# * support_XXX: if support_XXX exists and returns false then
15# component_XXX is not run by default.
16
17# Each component must start by invoking `msg` with a short informative message.
18#
19# Warning: due to the way bash detects errors, the failure of a command
20# inside 'if' or '!' is not detected. Use the 'not' function instead of '!'.
21#
22# Each component is executed in a separate shell process. The component
23# fails if any command in it returns a non-zero status.
24#
25# The framework in all.sh performs some cleanup tasks after each component.
26# This means that components can assume that the working directory is in a
27# cleaned-up state, and don't need to perform the cleanup themselves.
28# * Run `make clean`.
29# * Restore `include/mbedtls/mbedtls_config.h` from a backup made before running
30# the component.
31# * Check out `Makefile`, `library/Makefile`, `programs/Makefile`,
32# `tests/Makefile` and `programs/fuzz/Makefile` from git.
33# This cleans up after an in-tree use of CMake.
34#
35# The tests are roughly in order from fastest to slowest. This doesn't
36# have to be exact, but in general you should add slower tests towards
37# the end and fast checks near the beginning.
38
39
40################################################################
41#### Build and test many configurations and targets
42################################################################
Minos Galanakisada21b02024-07-26 12:34:19 +0100[diff] [blame]43
44# Helper function for controlling (start & stop) the psasim server.
45helper_psasim_server() {
46 OPERATION=$1
47 if [ "$OPERATION" == "start" ]; then
48 (
49 cd tests
50 msg "start server in tests"
51 psa-client-server/psasim/test/start_server.sh
52 msg "start server in tf-psa-crypto/tests"
53 cd ../tf-psa-crypto/tests
54 ../../tests/psa-client-server/psasim/test/start_server.sh
55 )
56 else
57 (
58 msg "terminate servers and cleanup"
59 tests/psa-client-server/psasim//test/kill_servers.sh
60
61 # Remove temporary files and logs
62 cd tests
63 rm -f psa_notify_*
64 rm -f psa_service_*
65 rm -f psa_server.log
66
67 cd ../tf-psa-crypto/tests
68 rm -f psa_notify_*
69 rm -f psa_service_*
70 rm -f psa_server.log
71 )
72 fi
73}
74
75################################################################
Minos Galanakisada21b02024-07-26 12:34:19 +0100[diff] [blame]76#### Build and test many configurations and targets
77################################################################
78
79component_test_default_out_of_box () {
80 msg "build: make, default config (out-of-box)" # ~1min
81 make
82 # Disable fancy stuff
83 unset MBEDTLS_TEST_OUTCOME_FILE
84
85 msg "test: main suites make, default config (out-of-box)" # ~10s
86 make test
87
88 msg "selftest: make, default config (out-of-box)" # ~10s
89 programs/test/selftest
90
91 msg "program demos: make, default config (out-of-box)" # ~10s
92 tests/scripts/run_demos.py
93}
94
95component_test_default_cmake_gcc_asan () {
96 msg "build: cmake, gcc, ASan" # ~ 1 min 50s
97 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
98 make
99
100 msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
101 make test
102
103 msg "program demos (ASan build)" # ~10s
104 tests/scripts/run_demos.py
105
106 msg "test: selftest (ASan build)" # ~ 10s
107 programs/test/selftest
108
109 msg "test: metatests (GCC, ASan build)"
110 tests/scripts/run-metatests.sh any asan poison
111
112 msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
113 tests/ssl-opt.sh
114
115 msg "test: compat.sh (ASan build)" # ~ 6 min
116 tests/compat.sh
117
118 msg "test: context-info.sh (ASan build)" # ~ 15 sec
119 tests/context-info.sh
120}
121
122component_test_default_cmake_gcc_asan_new_bignum () {
123 msg "build: cmake, gcc, ASan" # ~ 1 min 50s
124 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
125 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
126 make
127
128 msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
129 make test
130
131 msg "test: selftest (ASan build)" # ~ 10s
132 programs/test/selftest
133
134 msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
135 tests/ssl-opt.sh
136
137 msg "test: compat.sh (ASan build)" # ~ 6 min
138 tests/compat.sh
139
140 msg "test: context-info.sh (ASan build)" # ~ 15 sec
141 tests/context-info.sh
142}
143
144component_test_full_cmake_gcc_asan () {
145 msg "build: full config, cmake, gcc, ASan"
146 scripts/config.py full
147 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
148 make
149
150 msg "test: main suites (inc. selftests) (full config, ASan build)"
151 make test
152
153 msg "test: selftest (full config, ASan build)" # ~ 10s
154 programs/test/selftest
155
156 msg "test: ssl-opt.sh (full config, ASan build)"
157 tests/ssl-opt.sh
158
159 # Note: the next two invocations cover all compat.sh test cases.
160 # We should use the same here and in basic-build-test.sh.
161 msg "test: compat.sh: default version (full config, ASan build)"
162 tests/compat.sh -e 'ARIA\|CHACHA'
163
164 msg "test: compat.sh: next: ARIA, Chacha (full config, ASan build)"
165 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
166
167 msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
168 tests/context-info.sh
169}
170
171
172component_test_full_cmake_gcc_asan_new_bignum () {
173 msg "build: full config, cmake, gcc, ASan"
174 scripts/config.py full
175 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
176 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
177 make
178
179 msg "test: main suites (inc. selftests) (full config, new bignum, ASan)"
180 make test
181
182 msg "test: selftest (full config, new bignum, ASan)" # ~ 10s
183 programs/test/selftest
184
185 msg "test: ssl-opt.sh (full config, new bignum, ASan)"
186 tests/ssl-opt.sh
187
188 # Note: the next two invocations cover all compat.sh test cases.
189 # We should use the same here and in basic-build-test.sh.
190 msg "test: compat.sh: default version (full config, new bignum, ASan)"
191 tests/compat.sh -e 'ARIA\|CHACHA'
192
193 msg "test: compat.sh: next: ARIA, Chacha (full config, new bignum, ASan)"
194 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
195
196 msg "test: context-info.sh (full config, new bignum, ASan)" # ~ 15 sec
197 tests/context-info.sh
198}
199
200component_test_psa_crypto_key_id_encodes_owner () {
201 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
202 scripts/config.py full
203 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
204 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
205 make
206
207 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
208 make test
209}
210
211component_test_psa_assume_exclusive_buffers () {
212 msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
213 scripts/config.py full
214 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
215 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
216 make
217
218 msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
219 make test
220}
221
222# check_renamed_symbols HEADER LIB
223# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
224# name is LIB.
225check_renamed_symbols () {
226 ! nm "$2" | sed 's/.* //' |
227 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")"
228}
229
230component_build_psa_crypto_spm () {
231 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc"
232 scripts/config.py full
233 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
234 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
235 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM
236 # We can only compile, not link, since our test and sample programs
237 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM
238 # is active.
239 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib
240
241 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed
242 # version is not present.
243 echo "Checking for renamed symbols in the library"
244 check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
245}
246
247component_test_no_rsa_key_pair_generation() {
248 msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
249 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
250 scripts/config.py unset MBEDTLS_GENPRIME
251 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
252 make
253
254 msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
255 make test
256}
257
258component_test_ref_configs () {
259 msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
260 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
261 # want to re-generate generated files that depend on it, quite correctly.
262 # However this doesn't work as the generation script expects a specific
263 # format for mbedtls_config.h, which the other files don't follow. Also,
264 # cmake can't know this, but re-generation is actually not necessary as
265 # the generated files only depend on the list of available options, not
266 # whether they're on or off. So, disable cmake's (over-sensitive here)
267 # dependency resolution for generated files and just rely on them being
268 # present (thanks to pre_generate_files) by turning GEN_FILES off.
269 CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
270 tests/scripts/test-ref-configs.pl config-tfm.h
271}
272
273component_test_no_renegotiation () {
274 msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
275 scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION
276 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
277 make
278
279 msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
280 make test
281
282 msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
283 tests/ssl-opt.sh
284}
285
286component_test_no_pem_no_fs () {
287 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)"
288 scripts/config.py unset MBEDTLS_PEM_PARSE_C
289 scripts/config.py unset MBEDTLS_FS_IO
290 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem
291 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS
292 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
293 make
294
295 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s
296 make test
297
298 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min
299 tests/ssl-opt.sh
300}
301
302component_test_rsa_no_crt () {
303 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
304 scripts/config.py set MBEDTLS_RSA_NO_CRT
305 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
306 make
307
308 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
309 make test
310
311 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
312 tests/ssl-opt.sh -f RSA
313
314 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
315 tests/compat.sh -t RSA
316
317 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec
318 tests/context-info.sh
319}
320
321component_test_no_ctr_drbg_classic () {
322 msg "build: Full minus CTR_DRBG, classic crypto in TLS"
323 scripts/config.py full
324 scripts/config.py unset MBEDTLS_CTR_DRBG_C
325 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
326 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
327
328 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
329 make
330
331 msg "test: Full minus CTR_DRBG, classic crypto - main suites"
332 make test
333
334 # In this configuration, the TLS test programs use HMAC_DRBG.
335 # The SSL tests are slow, so run a small subset, just enough to get
336 # confidence that the SSL code copes with HMAC_DRBG.
337 msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)"
338 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
339
340 msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)"
341 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
342}
343
344component_test_no_ctr_drbg_use_psa () {
345 msg "build: Full minus CTR_DRBG, PSA crypto in TLS"
346 scripts/config.py full
347 scripts/config.py unset MBEDTLS_CTR_DRBG_C
348 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
349
350 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
351 make
352
353 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
354 make test
355
356 # In this configuration, the TLS test programs use HMAC_DRBG.
357 # The SSL tests are slow, so run a small subset, just enough to get
358 # confidence that the SSL code copes with HMAC_DRBG.
359 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
360 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
361
362 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
363 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
364}
365
366component_test_no_hmac_drbg_classic () {
367 msg "build: Full minus HMAC_DRBG, classic crypto in TLS"
368 scripts/config.py full
369 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
370 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
371 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
372 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
373
374 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
375 make
376
377 msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
378 make test
379
380 # Normally our ECDSA implementation uses deterministic ECDSA. But since
381 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
382 # instead.
383 # Test SSL with non-deterministic ECDSA. Only test features that
384 # might be affected by how ECDSA signature is performed.
385 msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)"
386 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
387
388 # To save time, only test one protocol version, since this part of
389 # the protocol is identical in (D)TLS up to 1.2.
390 msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)"
391 tests/compat.sh -m tls12 -t 'ECDSA'
392}
393
394component_test_no_hmac_drbg_use_psa () {
395 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
396 scripts/config.py full
397 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
398 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
399 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
400
401 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
402 make
403
404 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
405 make test
406
407 # Normally our ECDSA implementation uses deterministic ECDSA. But since
408 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
409 # instead.
410 # Test SSL with non-deterministic ECDSA. Only test features that
411 # might be affected by how ECDSA signature is performed.
412 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
413 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
414
415 # To save time, only test one protocol version, since this part of
416 # the protocol is identical in (D)TLS up to 1.2.
417 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
418 tests/compat.sh -m tls12 -t 'ECDSA'
419}
420
421component_test_psa_external_rng_no_drbg_classic () {
422 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS"
423 scripts/config.py full
424 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
425 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
426 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
427 scripts/config.py unset MBEDTLS_ENTROPY_C
428 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
429 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
430 scripts/config.py unset MBEDTLS_CTR_DRBG_C
431 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
432 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
433 # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
434 # the SSL test programs don't have an RNG and can't work. Explicitly
435 # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
436 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
437
438 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
439 make test
440
441 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)"
442 tests/ssl-opt.sh -f 'Default'
443}
444
445component_test_psa_external_rng_no_drbg_use_psa () {
446 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
447 scripts/config.py full
448 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
449 scripts/config.py unset MBEDTLS_ENTROPY_C
450 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
451 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
452 scripts/config.py unset MBEDTLS_CTR_DRBG_C
453 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
454 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
455 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
456
457 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
458 make test
459
460 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)"
461 tests/ssl-opt.sh -f 'Default\|opaque'
462}
463
464component_test_psa_external_rng_use_psa_crypto () {
465 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
466 scripts/config.py full
467 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
468 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
469 scripts/config.py unset MBEDTLS_CTR_DRBG_C
470 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
471
472 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
473 make test
474
475 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
476 tests/ssl-opt.sh -f 'Default\|opaque'
477}
478
479component_test_psa_inject_entropy () {
480 msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY"
481 scripts/config.py full
482 scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY
483 scripts/config.py set MBEDTLS_ENTROPY_NV_SEED
484 scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
485 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
486 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
487 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
488 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
489
490 msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
491 make test
492}
493
494component_test_sw_inet_pton () {
495 msg "build: default plus MBEDTLS_TEST_SW_INET_PTON"
496
497 # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton
498 scripts/config.py set MBEDTLS_TEST_HOOKS
499 make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON"
500
501 msg "test: default plus MBEDTLS_TEST_SW_INET_PTON"
502 make test
503}
504
505component_full_no_pkparse_pkwrite() {
506 msg "build: full without pkparse and pkwrite"
507
508 scripts/config.py crypto_full
509 scripts/config.py unset MBEDTLS_PK_PARSE_C
510 scripts/config.py unset MBEDTLS_PK_WRITE_C
511
512 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
513
514 # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config).
515 not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o
516 not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o
517
518 msg "test: full without pkparse and pkwrite"
519 make test
520}
521
522component_test_crypto_full_md_light_only () {
523 msg "build: crypto_full with only the light subset of MD"
524 scripts/config.py crypto_full
525
526 # Disable MD
527 scripts/config.py unset MBEDTLS_MD_C
528 # Disable direct dependencies of MD_C
529 scripts/config.py unset MBEDTLS_HKDF_C
530 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
531 scripts/config.py unset MBEDTLS_PKCS7_C
532 # Disable indirect dependencies of MD_C
533 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
534 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
535 # Disable things that would auto-enable MD_C
536 scripts/config.py unset MBEDTLS_PKCS5_C
537
538 # Note: MD-light is auto-enabled in build_info.h by modules that need it,
539 # which we haven't disabled, so no need to explicitly enable it.
540 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
541
542 # Make sure we don't have the HMAC functions, but the hashing functions
543 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
544 grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o
545
546 msg "test: crypto_full with only the light subset of MD"
547 make test
548}
549
550component_test_full_no_cipher () {
551 msg "build: full no CIPHER"
552
553 scripts/config.py full
554 scripts/config.py unset MBEDTLS_CIPHER_C
555
556 # The built-in implementation of the following algs/key-types depends
557 # on CIPHER_C so we disable them.
558 # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
559 # so we keep them enabled.
560 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
561 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
562 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
563 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
564 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
565 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
566 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
567 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
568 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
569 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
570 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
571
572 # The following modules directly depends on CIPHER_C
573 scripts/config.py unset MBEDTLS_CMAC_C
574 scripts/config.py unset MBEDTLS_NIST_KW_C
575
576 make
577
578 # Ensure that CIPHER_C was not re-enabled
579 not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o
580
581 msg "test: full no CIPHER"
582 make test
583}
584
585component_test_full_no_ccm() {
586 msg "build: full no PSA_WANT_ALG_CCM"
587
588 # Full config enables:
589 # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
590 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
591 scripts/config.py full
592
593 # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still
594 # enabled, but not used from TLS since USE_PSA is set.
595 # This is helpful to ensure that TLS tests below have proper dependencies.
596 #
597 # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause
598 # PSA_WANT_ALG_CCM to be re-enabled.
599 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
600
601 make
602
603 msg "test: full no PSA_WANT_ALG_CCM"
604 make test
605}
606
607component_test_full_no_ccm_star_no_tag() {
608 msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
609
610 # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
611 scripts/config.py full
612
613 # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all
614 # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol.
615 # This basically disables all unauthenticated ciphers on the PSA side, while
616 # keeping AEADs enabled.
617 #
618 # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause
619 # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled.
620 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
621 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
622 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
623 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
624 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
625 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
626 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
627 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
628
629 make
630
631 # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
632 not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o
633
634 msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
635 make test
636}
637
638component_test_tls1_2_default_stream_cipher_only () {
639 msg "build: default with only stream cipher use psa"
640
641 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
642 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
643 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
644 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
645 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
646 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
647 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
648 # Note: The three unsets below are to be removed for Mbed TLS 4.0
649 scripts/config.py unset MBEDTLS_GCM_C
650 scripts/config.py unset MBEDTLS_CCM_C
651 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
652 #Disable TLS 1.3 (as no AEAD)
653 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
654 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
655 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
656 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
657 # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
658 # Note: The unset below is to be removed for 4.0
659 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
660 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
661 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
662 # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
663 scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
664 # Modules that depend on AEAD
665 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
666 scripts/config.py unset MBEDTLS_SSL_TICKET_C
667
668 make
669
670 msg "test: default with only stream cipher use psa"
671 make test
672
673 # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
674}
675
676component_test_tls1_2_default_cbc_legacy_cipher_only () {
677 msg "build: default with only CBC-legacy cipher use psa"
678
679 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
680 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
681 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
682 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
683 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
684 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
685 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
686 # Note: The three unsets below are to be removed for Mbed TLS 4.0
687 scripts/config.py unset MBEDTLS_GCM_C
688 scripts/config.py unset MBEDTLS_CCM_C
689 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
690 #Disable TLS 1.3 (as no AEAD)
691 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
692 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
693 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
694 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
695 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
696 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
697 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
698 # Modules that depend on AEAD
699 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
700 scripts/config.py unset MBEDTLS_SSL_TICKET_C
701
702 make
703
704 msg "test: default with only CBC-legacy cipher use psa"
705 make test
706
707 msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)"
708 tests/ssl-opt.sh -f "TLS 1.2"
709}
710
711component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
712 msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
713
714 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
715 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
716 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
717 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
718 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
719 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
720 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
721 # Note: The three unsets below are to be removed for Mbed TLS 4.0
722 scripts/config.py unset MBEDTLS_GCM_C
723 scripts/config.py unset MBEDTLS_CCM_C
724 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
725 #Disable TLS 1.3 (as no AEAD)
726 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
727 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
728 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
729 # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
730 scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
731 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
732 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
733 # Modules that depend on AEAD
734 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
735 scripts/config.py unset MBEDTLS_SSL_TICKET_C
736
737 make
738
739 msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa"
740 make test
741
742 msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)"
743 tests/ssl-opt.sh -f "TLS 1.2"
744}
745
746# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
747# that we could use for interop testing. However, we now have sort of two
748# implementations ourselves: one using PSA, the other not. At least test that
749# these two interoperate with each other.
750component_test_tls1_2_ecjpake_compatibility() {
751 msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
752 scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
753 # Explicitly make lib first to avoid a race condition:
754 # https://github.com/Mbed-TLS/mbedtls/issues/8229
755 make lib
756 make -C programs ssl/ssl_server2 ssl/ssl_client2
757 cp programs/ssl/ssl_server2 s2_no_use_psa
758 cp programs/ssl/ssl_client2 c2_no_use_psa
759
760 msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
761 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
762 make clean
763 make lib
764 make -C programs ssl/ssl_server2 ssl/ssl_client2
765 make -C programs test/udp_proxy test/query_compile_time_config
766
767 msg "test: server w/o USE_PSA - client w/ USE_PSA, text password"
768 P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
769 msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password"
770 P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS"
771 msg "test: client w/o USE_PSA - server w/ USE_PSA, text password"
772 P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
773 msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password"
774 P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS"
775
776 rm s2_no_use_psa c2_no_use_psa
777}
778
779component_test_everest () {
780 msg "build: Everest ECDH context (ASan build)" # ~ 6 min
781 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
782 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan .
783 make
784
785 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
786 make test
787
788 msg "test: metatests (clang, ASan)"
789 tests/scripts/run-metatests.sh any asan poison
790
791 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
792 tests/ssl-opt.sh -f ECDH
793
794 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
795 # Exclude some symmetric ciphers that are redundant here to gain time.
796 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
797}
798
799component_test_everest_curve25519_only () {
800 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
801 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
802 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
803 scripts/config.py unset MBEDTLS_ECDSA_C
804 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
805 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
806 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
807 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
808 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
809 scripts/config.py unset MBEDTLS_ECJPAKE_C
810 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
811
812 # Disable all curves
813 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
814 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
815 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
816
817 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
818
819 msg "test: Everest ECDH context, only Curve25519" # ~ 50s
820 make test
821}
822
823component_test_small_ssl_out_content_len () {
824 msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
825 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
826 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
827 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
828 make
829
830 msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
831 tests/ssl-opt.sh -f "Max fragment\|Large packet"
832}
833
834component_test_small_ssl_in_content_len () {
835 msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
836 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096
837 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
838 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
839 make
840
841 msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
842 tests/ssl-opt.sh -f "Max fragment"
843}
844
845component_test_small_ssl_dtls_max_buffering () {
846 msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0"
847 scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000
848 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
849 make
850
851 msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test"
852 tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg"
853}
854
855component_test_small_mbedtls_ssl_dtls_max_buffering () {
856 msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1"
857 scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190
858 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
859 make
860
861 msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test"
862 tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket"
863}
864
865component_test_psa_collect_statuses () {
866 msg "build+test: psa_collect_statuses" # ~30s
867 scripts/config.py full
868 tests/scripts/psa_collect_statuses.py
869 # Check that psa_crypto_init() succeeded at least once
870 grep -q '^0:psa_crypto_init:' tests/statuses.log
871 rm -f tests/statuses.log
872}
873
874component_test_full_cmake_clang () {
875 msg "build: cmake, full config, clang" # ~ 50s
876 scripts/config.py full
877 CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 .
878 make
879
880 msg "test: main suites (full config, clang)" # ~ 5s
881 make test
882
883 msg "test: cpp_dummy_build (full config, clang)" # ~ 1s
884 programs/test/cpp_dummy_build
885
886 msg "test: metatests (clang)"
887 tests/scripts/run-metatests.sh any pthread
888
889 msg "program demos (full config, clang)" # ~10s
890 tests/scripts/run_demos.py
891
892 msg "test: psa_constant_names (full config, clang)" # ~ 1s
893 tests/scripts/test_psa_constant_names.py
894
895 msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
896 tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
897}
898
899skip_suites_without_constant_flow () {
900 # Skip the test suites that don't have any constant-flow annotations.
901 # This will need to be adjusted if we ever start declaring things as
902 # secret from macros or functions inside tests/include or tests/src.
903 SKIP_TEST_SUITES=$(
904 git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' |
905 sed 's/test_suite_//; s/\.function$//' |
906 tr '\n' ,),$(
907 git -C tf-psa-crypto/tests/suites grep -L TEST_CF_ 'test_suite_*.function' |
908 sed 's/test_suite_//; s/\.function$//' |
909 tr '\n' ,)
910 export SKIP_TEST_SUITES
911}
912
913skip_all_except_given_suite () {
914 # Skip all but the given test suite
915 SKIP_TEST_SUITES=$(
916 ls -1 tests/suites/test_suite_*.function |
917 grep -v $1.function |
918 sed 's/tests.suites.test_suite_//; s/\.function$//' |
919 tr '\n' ,),$(
920 ls -1 tf-psa-crypto/tests/suites/test_suite_*.function |
921 grep -v $1.function |
922 sed 's/tf-psa-crypto.tests.suites.test_suite_//; s/\.function$//' |
923 tr '\n' ,)
924 export SKIP_TEST_SUITES
925}
926
927component_test_memsan_constant_flow () {
928 # This tests both (1) accesses to undefined memory, and (2) branches or
929 # memory access depending on secret values. To distinguish between those:
930 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
931 # - or alternatively, change the build type to MemSanDbg, which enables
932 # origin tracking and nicer stack traces (which are useful for debugging
933 # anyway), and check if the origin was TEST_CF_SECRET() or something else.
934 msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
935 scripts/config.py full
936 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
937 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
938 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
939 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
940 make
941
942 msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)"
943 make test
944}
945
946component_test_memsan_constant_flow_psa () {
947 # This tests both (1) accesses to undefined memory, and (2) branches or
948 # memory access depending on secret values. To distinguish between those:
949 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
950 # - or alternatively, change the build type to MemSanDbg, which enables
951 # origin tracking and nicer stack traces (which are useful for debugging
952 # anyway), and check if the origin was TEST_CF_SECRET() or something else.
953 msg "build: cmake MSan (clang), full config with constant flow testing"
954 scripts/config.py full
955 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
956 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
957 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
958 make
959
960 msg "test: main suites (Msan + constant flow)"
961 make test
962}
963
964component_release_test_valgrind_constant_flow () {
965 # This tests both (1) everything that valgrind's memcheck usually checks
966 # (heap buffer overflows, use of uninitialized memory, use-after-free,
967 # etc.) and (2) branches or memory access depending on secret values,
968 # which will be reported as uninitialized memory. To distinguish between
969 # secret and actually uninitialized:
970 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
971 # - or alternatively, build with debug info and manually run the offending
972 # test suite with valgrind --track-origins=yes, then check if the origin
973 # was TEST_CF_SECRET() or something else.
974 msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
975 scripts/config.py full
976 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
977 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
978 skip_suites_without_constant_flow
979 cmake -D CMAKE_BUILD_TYPE:String=Release .
980 make
981
982 # this only shows a summary of the results (how many of each type)
983 # details are left in Testing/<date>/DynamicAnalysis.xml
984 msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)"
985 make memcheck
986
987 # Test asm path in constant time module - by default, it will test the plain C
988 # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s)
989 msg "test: valgrind asm constant_time"
990 scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM
991 skip_all_except_given_suite test_suite_constant_time
992 cmake -D CMAKE_BUILD_TYPE:String=Release .
993 make clean
994 make
995 make memcheck
996}
997
998component_release_test_valgrind_constant_flow_psa () {
999 # This tests both (1) everything that valgrind's memcheck usually checks
1000 # (heap buffer overflows, use of uninitialized memory, use-after-free,
1001 # etc.) and (2) branches or memory access depending on secret values,
1002 # which will be reported as uninitialized memory. To distinguish between
1003 # secret and actually uninitialized:
1004 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
1005 # - or alternatively, build with debug info and manually run the offending
1006 # test suite with valgrind --track-origins=yes, then check if the origin
1007 # was TEST_CF_SECRET() or something else.
1008 msg "build: cmake release GCC, full config with constant flow testing"
1009 scripts/config.py full
1010 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
1011 skip_suites_without_constant_flow
1012 cmake -D CMAKE_BUILD_TYPE:String=Release .
1013 make
1014
1015 # this only shows a summary of the results (how many of each type)
1016 # details are left in Testing/<date>/DynamicAnalysis.xml
1017 msg "test: some suites (valgrind + constant flow)"
1018 make memcheck
1019}
1020
1021component_test_tsan () {
1022 msg "build: TSan (clang)"
1023 scripts/config.py full
1024 scripts/config.py set MBEDTLS_THREADING_C
1025 scripts/config.py set MBEDTLS_THREADING_PTHREAD
1026 # Self-tests do not currently use multiple threads.
1027 scripts/config.py unset MBEDTLS_SELF_TEST
1028
1029 # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe.
1030 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
1031
1032 CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan .
1033 make
1034
1035 msg "test: main suites (TSan)"
1036 make test
1037}
1038
1039component_test_default_no_deprecated () {
1040 # Test that removing the deprecated features from the default
1041 # configuration leaves something consistent.
1042 msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s
1043 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
1044 make CFLAGS='-O -Werror -Wall -Wextra'
1045
1046 msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s
1047 make test
1048}
1049
1050component_test_full_no_deprecated () {
1051 msg "build: make, full_no_deprecated config" # ~ 30s
1052 scripts/config.py full_no_deprecated
1053 make CFLAGS='-O -Werror -Wall -Wextra'
1054
1055 msg "test: make, full_no_deprecated config" # ~ 5s
1056 make test
1057
1058 msg "test: ensure that X509 has no direct dependency on BIGNUM_C"
1059 not grep mbedtls_mpi library/libmbedx509.a
1060}
1061
1062component_test_full_no_deprecated_deprecated_warning () {
1063 # Test that there is nothing deprecated in "full_no_deprecated".
1064 # A deprecated feature would trigger a warning (made fatal) from
1065 # MBEDTLS_DEPRECATED_WARNING.
1066 msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s
1067 scripts/config.py full_no_deprecated
1068 scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
1069 scripts/config.py set MBEDTLS_DEPRECATED_WARNING
1070 make CFLAGS='-O -Werror -Wall -Wextra'
1071
1072 msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
1073 make test
1074}
1075
1076component_test_full_deprecated_warning () {
1077 # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes
1078 # with only certain whitelisted types of warnings.
1079 msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
1080 scripts/config.py full
1081 scripts/config.py set MBEDTLS_DEPRECATED_WARNING
1082 # Expect warnings from '#warning' directives in check_config.h.
1083 # Note that gcc is required to allow the use of -Wno-error=cpp, which allows us to
1084 # display #warning messages without them being treated as errors.
1085 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs
1086
1087 msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
1088 # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features.
1089 # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set.
1090 # Expect warnings from '#warning' directives in check_config.h and
1091 # from the use of deprecated functions in test suites.
1092 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests
1093
1094 msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s
1095 make test
1096
1097 msg "program demos: full config + MBEDTLS_TEST_DEPRECATED" # ~10s
1098 tests/scripts/run_demos.py
1099}
1100
1101# Check that the specified libraries exist and are empty.
1102are_empty_libraries () {
1103 nm "$@" >/dev/null 2>/dev/null
1104 ! nm "$@" 2>/dev/null | grep -v ':$' | grep .
1105}
1106
1107component_build_crypto_default () {
1108 msg "build: make, crypto only"
1109 scripts/config.py crypto
1110 make CFLAGS='-O1 -Werror'
1111 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1112}
1113
1114component_build_crypto_full () {
1115 msg "build: make, crypto only, full config"
1116 scripts/config.py crypto_full
1117 make CFLAGS='-O1 -Werror'
1118 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1119}
1120
1121component_test_crypto_for_psa_service () {
1122 msg "build: make, config for PSA crypto service"
1123 scripts/config.py crypto
1124 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
1125 # Disable things that are not needed for just cryptography, to
1126 # reach a configuration that would be typical for a PSA cryptography
1127 # service providing all implemented PSA algorithms.
1128 # System stuff
1129 scripts/config.py unset MBEDTLS_ERROR_C
1130 scripts/config.py unset MBEDTLS_TIMING_C
1131 scripts/config.py unset MBEDTLS_VERSION_FEATURES
1132 # Crypto stuff with no PSA interface
1133 scripts/config.py unset MBEDTLS_BASE64_C
1134 # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
1135 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
1136 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
1137 scripts/config.py unset MBEDTLS_NIST_KW_C
1138 scripts/config.py unset MBEDTLS_PEM_PARSE_C
1139 scripts/config.py unset MBEDTLS_PEM_WRITE_C
1140 scripts/config.py unset MBEDTLS_PKCS12_C
1141 scripts/config.py unset MBEDTLS_PKCS5_C
1142 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
1143 # in PSA code to work with RSA keys. We don't require users to set those:
1144 # they will be reenabled in build_info.h.
1145 scripts/config.py unset MBEDTLS_PK_C
1146 scripts/config.py unset MBEDTLS_PK_PARSE_C
1147 scripts/config.py unset MBEDTLS_PK_WRITE_C
1148 make CFLAGS='-O1 -Werror' all test
1149 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1150}
1151
1152component_build_crypto_baremetal () {
1153 msg "build: make, crypto only, baremetal config"
1154 scripts/config.py crypto_baremetal
1155 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
1156 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1157}
1158support_build_crypto_baremetal () {
1159 support_build_baremetal "$@"
1160}
1161
1162component_build_baremetal () {
1163 msg "build: make, baremetal config"
1164 scripts/config.py baremetal
1165 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
1166}
1167support_build_baremetal () {
1168 # Older Glibc versions include time.h from other headers such as stdlib.h,
1169 # which makes the no-time.h-in-baremetal check fail. Ubuntu 16.04 has this
1170 # problem, Ubuntu 18.04 is ok.
1171 ! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h
1172}
1173
1174# depends.py family of tests
1175component_test_depends_py_cipher_id () {
1176 msg "test/build: depends.py cipher_id (gcc)"
1177 tests/scripts/depends.py cipher_id --unset-use-psa
1178}
1179
1180component_test_depends_py_cipher_chaining () {
1181 msg "test/build: depends.py cipher_chaining (gcc)"
1182 tests/scripts/depends.py cipher_chaining --unset-use-psa
1183}
1184
1185component_test_depends_py_cipher_padding () {
1186 msg "test/build: depends.py cipher_padding (gcc)"
1187 tests/scripts/depends.py cipher_padding --unset-use-psa
1188}
1189
1190component_test_depends_py_curves () {
1191 msg "test/build: depends.py curves (gcc)"
1192 tests/scripts/depends.py curves --unset-use-psa
1193}
1194
1195component_test_depends_py_hashes () {
1196 msg "test/build: depends.py hashes (gcc)"
1197 tests/scripts/depends.py hashes --unset-use-psa
1198}
1199
1200component_test_depends_py_kex () {
1201 msg "test/build: depends.py kex (gcc)"
1202 tests/scripts/depends.py kex --unset-use-psa
1203}
1204
1205component_test_depends_py_pkalgs () {
1206 msg "test/build: depends.py pkalgs (gcc)"
1207 tests/scripts/depends.py pkalgs --unset-use-psa
1208}
1209
1210# PSA equivalents of the depends.py tests
1211component_test_depends_py_cipher_id_psa () {
1212 msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1213 tests/scripts/depends.py cipher_id
1214}
1215
1216component_test_depends_py_cipher_chaining_psa () {
1217 msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1218 tests/scripts/depends.py cipher_chaining
1219}
1220
1221component_test_depends_py_cipher_padding_psa () {
1222 msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1223 tests/scripts/depends.py cipher_padding
1224}
1225
1226component_test_depends_py_curves_psa () {
1227 msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1228 tests/scripts/depends.py curves
1229}
1230
1231component_test_depends_py_hashes_psa () {
1232 msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1233 tests/scripts/depends.py hashes
1234}
1235
1236component_test_depends_py_kex_psa () {
1237 msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1238 tests/scripts/depends.py kex
1239}
1240
1241component_test_depends_py_pkalgs_psa () {
1242 msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1243 tests/scripts/depends.py pkalgs
1244}
1245
1246component_test_psa_crypto_config_ffdh_2048_only () {
1247 msg "build: full config - only DH 2048"
1248
1249 scripts/config.py full
1250
1251 # Disable all DH groups other than 2048.
1252 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072
1253 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096
1254 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144
1255 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192
1256
1257 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS"
1258
1259 msg "test: full config - only DH 2048"
1260 make test
1261
1262 msg "ssl-opt: full config - only DH 2048"
1263 tests/ssl-opt.sh -f "ffdh"
1264}
1265
1266component_build_no_pk_rsa_alt_support () {
1267 msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s
1268
1269 scripts/config.py full
1270 scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT
1271 scripts/config.py set MBEDTLS_RSA_C
1272 scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
1273
1274 # Only compile - this is primarily to test for compile issues
1275 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
1276}
1277
1278component_build_module_alt () {
1279 msg "build: MBEDTLS_XXX_ALT" # ~30s
1280 scripts/config.py full
1281
1282 # Disable options that are incompatible with some ALT implementations:
1283 # aesni.c references mbedtls_aes_context fields directly.
1284 scripts/config.py unset MBEDTLS_AESNI_C
1285 scripts/config.py unset MBEDTLS_AESCE_C
1286 # MBEDTLS_ECP_RESTARTABLE is documented as incompatible.
1287 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1288 # You can only have one threading implementation: alt or pthread, not both.
1289 scripts/config.py unset MBEDTLS_THREADING_PTHREAD
1290 # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields
1291 # directly and assumes the implementation works with partial groups.
1292 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1293 # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*
1294 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
1295 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
1296 # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*
1297 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
1298 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
1299
1300 # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable
1301 # MBEDTLS_XXX_YYY_ALT which are for single functions.
1302 scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT'
1303
1304 # We can only compile, not link, since we don't have any implementations
1305 # suitable for testing with the dummy alt headers.
1306 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
1307}
1308
1309component_test_no_psa_crypto_full_cmake_asan() {
1310 # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh
1311 msg "build: cmake, full config minus PSA crypto, ASan"
1312 scripts/config.py full
1313 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
1314 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
1315 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1316 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1317 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
1318 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
1319 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
1320 scripts/config.py unset MBEDTLS_LMS_C
1321 scripts/config.py unset MBEDTLS_LMS_PRIVATE
1322 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
1323 make
1324
1325 msg "test: main suites (full minus PSA crypto)"
1326 make test
1327
1328 # Note: ssl-opt.sh has some test cases that depend on
1329 # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO
1330 # This is the only component where those tests are not skipped.
1331 msg "test: ssl-opt.sh (full minus PSA crypto)"
1332 tests/ssl-opt.sh
1333
1334 # Note: the next two invocations cover all compat.sh test cases.
1335 # We should use the same here and in basic-build-test.sh.
1336 msg "test: compat.sh: default version (full minus PSA crypto)"
1337 tests/compat.sh -e 'ARIA\|CHACHA'
1338
1339 msg "test: compat.sh: next: ARIA, Chacha (full minus PSA crypto)"
1340 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
1341}
1342
1343component_test_psa_crypto_config_accel_ecdsa () {
1344 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
1345
1346 # Algorithms and key types to accelerate
1347 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1348 $(helper_get_psa_key_type_list "ECC") \
1349 $(helper_get_psa_curve_list)"
1350
1351 # Configure
1352 # ---------
1353
1354 # Start from default config (no USE_PSA) + TLS 1.3
1355 helper_libtestdriver1_adjust_config "default"
1356
1357 # Disable the module that's accelerated
1358 scripts/config.py unset MBEDTLS_ECDSA_C
1359
1360 # Disable things that depend on it
1361 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
1362 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
1363
1364 # Build
1365 # -----
1366
1367 # These hashes are needed for some ECDSA signature tests.
1368 loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1369 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1370
1371 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1372
1373 helper_libtestdriver1_make_main "$loc_accel_list"
1374
1375 # Make sure this was not re-enabled by accident (additive config)
1376 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1377
1378 # Run the tests
1379 # -------------
1380
1381 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
1382 make test
1383}
1384
1385component_test_psa_crypto_config_accel_ecdh () {
1386 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
1387
1388 # Algorithms and key types to accelerate
1389 loc_accel_list="ALG_ECDH \
1390 $(helper_get_psa_key_type_list "ECC") \
1391 $(helper_get_psa_curve_list)"
1392
1393 # Configure
1394 # ---------
1395
1396 # Start from default config (no USE_PSA)
1397 helper_libtestdriver1_adjust_config "default"
1398
1399 # Disable the module that's accelerated
1400 scripts/config.py unset MBEDTLS_ECDH_C
1401
1402 # Disable things that depend on it
1403 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
1404 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
1405 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
1406 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
1407 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
1408
1409 # Build
1410 # -----
1411
1412 helper_libtestdriver1_make_drivers "$loc_accel_list"
1413
1414 helper_libtestdriver1_make_main "$loc_accel_list"
1415
1416 # Make sure this was not re-enabled by accident (additive config)
1417 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1418
1419 # Run the tests
1420 # -------------
1421
1422 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
1423 make test
1424}
1425
1426component_test_psa_crypto_config_accel_ffdh () {
1427 msg "build: full with accelerated FFDH"
1428
1429 # Algorithms and key types to accelerate
1430 loc_accel_list="ALG_FFDH \
1431 $(helper_get_psa_key_type_list "DH") \
1432 $(helper_get_psa_dh_group_list)"
1433
1434 # Configure
1435 # ---------
1436
1437 # start with full (USE_PSA and TLS 1.3)
1438 helper_libtestdriver1_adjust_config "full"
1439
1440 # Disable the module that's accelerated
1441 scripts/config.py unset MBEDTLS_DHM_C
1442
1443 # Disable things that depend on it
1444 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1445 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1446
1447 # Build
1448 # -----
1449
1450 helper_libtestdriver1_make_drivers "$loc_accel_list"
1451
1452 helper_libtestdriver1_make_main "$loc_accel_list"
1453
1454 # Make sure this was not re-enabled by accident (additive config)
1455 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
1456
1457 # Run the tests
1458 # -------------
1459
1460 msg "test: full with accelerated FFDH"
1461 make test
1462
1463 msg "ssl-opt: full with accelerated FFDH alg"
1464 tests/ssl-opt.sh -f "ffdh"
1465}
1466
1467component_test_psa_crypto_config_reference_ffdh () {
1468 msg "build: full with non-accelerated FFDH"
1469
1470 # Start with full (USE_PSA and TLS 1.3)
1471 helper_libtestdriver1_adjust_config "full"
1472
1473 # Disable things that are not supported
1474 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1475 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1476 make
1477
1478 msg "test suites: full with non-accelerated FFDH alg"
1479 make test
1480
1481 msg "ssl-opt: full with non-accelerated FFDH alg"
1482 tests/ssl-opt.sh -f "ffdh"
1483}
1484
1485component_test_psa_crypto_config_accel_pake() {
1486 msg "build: full with accelerated PAKE"
1487
1488 loc_accel_list="ALG_JPAKE \
1489 $(helper_get_psa_key_type_list "ECC") \
1490 $(helper_get_psa_curve_list)"
1491
1492 # Configure
1493 # ---------
1494
1495 helper_libtestdriver1_adjust_config "full"
1496
1497 # Make built-in fallback not available
1498 scripts/config.py unset MBEDTLS_ECJPAKE_C
1499 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1500
1501 # Build
1502 # -----
1503
1504 helper_libtestdriver1_make_drivers "$loc_accel_list"
1505
1506 helper_libtestdriver1_make_main "$loc_accel_list"
1507
1508 # Make sure this was not re-enabled by accident (additive config)
1509 not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o
1510
1511 # Run the tests
1512 # -------------
1513
1514 msg "test: full with accelerated PAKE"
1515 make test
1516}
1517
1518component_test_psa_crypto_config_accel_ecc_some_key_types () {
1519 msg "build: full with accelerated EC algs and some key types"
1520
1521 # Algorithms and key types to accelerate
1522 # For key types, use an explicitly list to omit GENERATE (and DERIVE)
1523 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1524 ALG_ECDH \
1525 ALG_JPAKE \
1526 KEY_TYPE_ECC_PUBLIC_KEY \
1527 KEY_TYPE_ECC_KEY_PAIR_BASIC \
1528 KEY_TYPE_ECC_KEY_PAIR_IMPORT \
1529 KEY_TYPE_ECC_KEY_PAIR_EXPORT \
1530 $(helper_get_psa_curve_list)"
1531
1532 # Configure
1533 # ---------
1534
1535 # start with config full for maximum coverage (also enables USE_PSA)
1536 helper_libtestdriver1_adjust_config "full"
1537
1538 # Disable modules that are accelerated - some will be re-enabled
1539 scripts/config.py unset MBEDTLS_ECDSA_C
1540 scripts/config.py unset MBEDTLS_ECDH_C
1541 scripts/config.py unset MBEDTLS_ECJPAKE_C
1542 scripts/config.py unset MBEDTLS_ECP_C
1543
1544 # Disable all curves - those that aren't accelerated should be re-enabled
1545 helper_disable_builtin_curves
1546
1547 # Restartable feature is not yet supported by PSA. Once it will in
1548 # the future, the following line could be removed (see issues
1549 # 6061, 6332 and following ones)
1550 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1551
1552 # this is not supported by the driver API yet
1553 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1554
1555 # Build
1556 # -----
1557
1558 # These hashes are needed for some ECDSA signature tests.
1559 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1560 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1561 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1562
1563 helper_libtestdriver1_make_main "$loc_accel_list"
1564
1565 # ECP should be re-enabled but not the others
1566 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1567 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1568 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1569 grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o
1570
1571 # Run the tests
1572 # -------------
1573
1574 msg "test suites: full with accelerated EC algs and some key types"
1575 make test
1576}
1577
1578# Run tests with only (non-)Weierstrass accelerated
1579# Common code used in:
1580# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves
1581# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves
1582common_test_psa_crypto_config_accel_ecc_some_curves () {
1583 weierstrass=$1
1584 if [ $weierstrass -eq 1 ]; then
1585 desc="Weierstrass"
1586 else
1587 desc="non-Weierstrass"
1588 fi
1589
1590 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
1591
1592 # Note: Curves are handled in a special way by the libtestdriver machinery,
1593 # so we only want to include them in the accel list when building the main
1594 # libraries, hence the use of a separate variable.
1595 # Note: the following loop is a modified version of
1596 # helper_get_psa_curve_list that only keeps Weierstrass families.
1597 loc_weierstrass_list=""
1598 loc_non_weierstrass_list=""
1599 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
1600 case $item in
1601 ECC_BRAINPOOL*|ECC_SECP*)
1602 loc_weierstrass_list="$loc_weierstrass_list $item"
1603 ;;
1604 *)
1605 loc_non_weierstrass_list="$loc_non_weierstrass_list $item"
1606 ;;
1607 esac
1608 done
1609 if [ $weierstrass -eq 1 ]; then
1610 loc_curve_list=$loc_weierstrass_list
1611 else
1612 loc_curve_list=$loc_non_weierstrass_list
1613 fi
1614
1615 # Algorithms and key types to accelerate
1616 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1617 ALG_ECDH \
1618 ALG_JPAKE \
1619 $(helper_get_psa_key_type_list "ECC") \
1620 $loc_curve_list"
1621
1622 # Configure
1623 # ---------
1624
1625 # Start with config crypto_full and remove PK_C:
1626 # that's what's supported now, see docs/driver-only-builds.md.
1627 helper_libtestdriver1_adjust_config "crypto_full"
1628 scripts/config.py unset MBEDTLS_PK_C
1629 scripts/config.py unset MBEDTLS_PK_PARSE_C
1630 scripts/config.py unset MBEDTLS_PK_WRITE_C
1631
1632 # Disable modules that are accelerated - some will be re-enabled
1633 scripts/config.py unset MBEDTLS_ECDSA_C
1634 scripts/config.py unset MBEDTLS_ECDH_C
1635 scripts/config.py unset MBEDTLS_ECJPAKE_C
1636 scripts/config.py unset MBEDTLS_ECP_C
1637
1638 # Disable all curves - those that aren't accelerated should be re-enabled
1639 helper_disable_builtin_curves
1640
1641 # Restartable feature is not yet supported by PSA. Once it will in
1642 # the future, the following line could be removed (see issues
1643 # 6061, 6332 and following ones)
1644 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1645
1646 # this is not supported by the driver API yet
1647 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1648
1649 # Build
1650 # -----
1651
1652 # These hashes are needed for some ECDSA signature tests.
1653 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1654 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1655 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1656
1657 helper_libtestdriver1_make_main "$loc_accel_list"
1658
1659 # We expect ECDH to be re-enabled for the missing curves
1660 grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1661 # We expect ECP to be re-enabled, however the parts specific to the
1662 # families of curves that are accelerated should be ommited.
1663 # - functions with mxz in the name are specific to Montgomery curves
1664 # - ecp_muladd is specific to Weierstrass curves
1665 ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms
1666 if [ $weierstrass -eq 1 ]; then
1667 not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
1668 grep mxz ${BUILTIN_SRC_PATH}/ecp.o
1669 else
1670 grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
1671 not grep mxz ${BUILTIN_SRC_PATH}/ecp.o
1672 fi
1673 # We expect ECDSA and ECJPAKE to be re-enabled only when
1674 # Weierstrass curves are not accelerated
1675 if [ $weierstrass -eq 1 ]; then
1676 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1677 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1678 else
1679 grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1680 grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1681 fi
1682
1683 # Run the tests
1684 # -------------
1685
1686 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves"
1687 make test
1688}
1689
1690component_test_psa_crypto_config_accel_ecc_weierstrass_curves () {
1691 common_test_psa_crypto_config_accel_ecc_some_curves 1
1692}
1693
1694component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () {
1695 common_test_psa_crypto_config_accel_ecc_some_curves 0
1696}
1697
1698# Auxiliary function to build config for all EC based algorithms (EC-JPAKE,
1699# ECDH, ECDSA) with and without drivers.
1700# The input parameter is a boolean value which indicates:
1701# - 0 keep built-in EC algs,
1702# - 1 exclude built-in EC algs (driver only).
1703#
1704# This is used by the two following components to ensure they always use the
1705# same config, except for the use of driver or built-in EC algorithms:
1706# - component_test_psa_crypto_config_accel_ecc_ecp_light_only;
1707# - component_test_psa_crypto_config_reference_ecc_ecp_light_only.
1708# This supports comparing their test coverage with analyze_outcomes.py.
1709config_psa_crypto_config_ecp_light_only () {
1710 driver_only="$1"
1711 # start with config full for maximum coverage (also enables USE_PSA)
1712 helper_libtestdriver1_adjust_config "full"
1713 if [ "$driver_only" -eq 1 ]; then
1714 # Disable modules that are accelerated
1715 scripts/config.py unset MBEDTLS_ECDSA_C
1716 scripts/config.py unset MBEDTLS_ECDH_C
1717 scripts/config.py unset MBEDTLS_ECJPAKE_C
1718 scripts/config.py unset MBEDTLS_ECP_C
1719 fi
1720
1721 # Restartable feature is not yet supported by PSA. Once it will in
1722 # the future, the following line could be removed (see issues
1723 # 6061, 6332 and following ones)
1724 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1725}
1726
1727# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only
1728component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
1729 msg "build: full with accelerated EC algs"
1730
1731 # Algorithms and key types to accelerate
1732 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1733 ALG_ECDH \
1734 ALG_JPAKE \
1735 $(helper_get_psa_key_type_list "ECC") \
1736 $(helper_get_psa_curve_list)"
1737
1738 # Configure
1739 # ---------
1740
1741 # Use the same config as reference, only without built-in EC algs
1742 config_psa_crypto_config_ecp_light_only 1
1743
1744 # Do not disable builtin curves because that support is required for:
1745 # - MBEDTLS_PK_PARSE_EC_EXTENDED
1746 # - MBEDTLS_PK_PARSE_EC_COMPRESSED
1747
1748 # Build
1749 # -----
1750
1751 # These hashes are needed for some ECDSA signature tests.
1752 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1753 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1754 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1755
1756 helper_libtestdriver1_make_main "$loc_accel_list"
1757
1758 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1759 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1760 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1761 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1762 not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o
1763
1764 # Run the tests
1765 # -------------
1766
1767 msg "test suites: full with accelerated EC algs"
1768 make test
1769
1770 msg "ssl-opt: full with accelerated EC algs"
1771 tests/ssl-opt.sh
1772}
1773
1774# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only
1775component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
1776 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs"
1777
1778 config_psa_crypto_config_ecp_light_only 0
1779
1780 make
1781
1782 msg "test suites: full with non-accelerated EC algs"
1783 make test
1784
1785 msg "ssl-opt: full with non-accelerated EC algs"
1786 tests/ssl-opt.sh
1787}
1788
1789# This helper function is used by:
1790# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all()
1791# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
1792# to ensure that both tests use the same underlying configuration when testing
1793# driver's coverage with analyze_outcomes.py.
1794#
1795# This functions accepts 1 boolean parameter as follows:
1796# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore
1797# excluding their built-in implementation as well as ECP_C & ECP_LIGHT
1798# - 0: include built-in implementation of EC algorithms.
1799#
1800# PK_C and RSA_C are always disabled to ensure there is no remaining dependency
1801# on the ECP module.
1802config_psa_crypto_no_ecp_at_all () {
1803 driver_only="$1"
1804 # start with full config for maximum coverage (also enables USE_PSA)
1805 helper_libtestdriver1_adjust_config "full"
1806
1807 if [ "$driver_only" -eq 1 ]; then
1808 # Disable modules that are accelerated
1809 scripts/config.py unset MBEDTLS_ECDSA_C
1810 scripts/config.py unset MBEDTLS_ECDH_C
1811 scripts/config.py unset MBEDTLS_ECJPAKE_C
1812 # Disable ECP module (entirely)
1813 scripts/config.py unset MBEDTLS_ECP_C
1814 fi
1815
1816 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
1817 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1818 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
1819 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1820
1821 # Restartable feature is not yet supported by PSA. Once it will in
1822 # the future, the following line could be removed (see issues
1823 # 6061, 6332 and following ones)
1824 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1825}
1826
1827# Build and test a configuration where driver accelerates all EC algs while
1828# all support and dependencies from ECP and ECP_LIGHT are removed on the library
1829# side.
1830#
1831# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
1832component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
1833 msg "build: full + accelerated EC algs - ECP"
1834
1835 # Algorithms and key types to accelerate
1836 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1837 ALG_ECDH \
1838 ALG_JPAKE \
1839 $(helper_get_psa_key_type_list "ECC") \
1840 $(helper_get_psa_curve_list)"
1841
1842 # Configure
1843 # ---------
1844
1845 # Set common configurations between library's and driver's builds
1846 config_psa_crypto_no_ecp_at_all 1
1847 # Disable all the builtin curves. All the required algs are accelerated.
1848 helper_disable_builtin_curves
1849
1850 # Build
1851 # -----
1852
1853 # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
1854 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic.
1855 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1856 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1857
1858 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1859
1860 helper_libtestdriver1_make_main "$loc_accel_list"
1861
1862 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1863 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1864 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1865 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1866 # Also ensure that ECP module was not re-enabled
1867 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
1868
1869 # Run the tests
1870 # -------------
1871
1872 msg "test: full + accelerated EC algs - ECP"
1873 make test
1874
1875 msg "ssl-opt: full + accelerated EC algs - ECP"
1876 tests/ssl-opt.sh
1877}
1878
1879# Reference function used for driver's coverage analysis in analyze_outcomes.py
1880# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all().
1881# Keep in sync with its accelerated counterpart.
1882component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
1883 msg "build: full + non accelerated EC algs"
1884
1885 config_psa_crypto_no_ecp_at_all 0
1886
1887 make
1888
1889 msg "test: full + non accelerated EC algs"
1890 make test
1891
1892 msg "ssl-opt: full + non accelerated EC algs"
1893 tests/ssl-opt.sh
1894}
1895
1896# This is a common configuration helper used directly from:
1897# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
1898# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
1899# and indirectly from:
1900# - component_test_psa_crypto_config_accel_ecc_no_bignum
1901# - accelerate all EC algs, disable RSA and FFDH
1902# - component_test_psa_crypto_config_reference_ecc_no_bignum
1903# - this is the reference component of the above
1904# - it still disables RSA and FFDH, but it uses builtin EC algs
1905# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
1906# - accelerate all EC and FFDH algs, disable only RSA
1907# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
1908# - this is the reference component of the above
1909# - it still disables RSA, but it uses builtin EC and FFDH algs
1910#
1911# This function accepts 2 parameters:
1912# $1: a boolean value which states if we are testing an accelerated scenario
1913# or not.
1914# $2: a string value which states which components are tested. Allowed values
1915# are "ECC" or "ECC_DH".
1916config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
1917 driver_only="$1"
1918 test_target="$2"
1919 # start with full config for maximum coverage (also enables USE_PSA)
1920 helper_libtestdriver1_adjust_config "full"
1921
1922 if [ "$driver_only" -eq 1 ]; then
1923 # Disable modules that are accelerated
1924 scripts/config.py unset MBEDTLS_ECDSA_C
1925 scripts/config.py unset MBEDTLS_ECDH_C
1926 scripts/config.py unset MBEDTLS_ECJPAKE_C
1927 # Disable ECP module (entirely)
1928 scripts/config.py unset MBEDTLS_ECP_C
1929 # Also disable bignum
1930 scripts/config.py unset MBEDTLS_BIGNUM_C
1931 fi
1932
1933 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
1934 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1935 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
1936 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1937
1938 # RSA support is intentionally disabled on this test because RSA_C depends
1939 # on BIGNUM_C.
1940 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
1941 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
1942 scripts/config.py unset MBEDTLS_RSA_C
1943 scripts/config.py unset MBEDTLS_PKCS1_V15
1944 scripts/config.py unset MBEDTLS_PKCS1_V21
1945 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
1946 # Also disable key exchanges that depend on RSA
1947 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
1948 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
1949 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1950 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
1951 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
1952
1953 if [ "$test_target" = "ECC" ]; then
1954 # When testing ECC only, we disable FFDH support, both from builtin and
1955 # PSA sides, and also disable the key exchanges that depend on DHM.
1956 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH
1957 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"
1958 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*"
1959 scripts/config.py unset MBEDTLS_DHM_C
1960 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1961 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1962 else
1963 # When testing ECC and DH instead, we disable DHM and depending key
1964 # exchanges only in the accelerated build
1965 if [ "$driver_only" -eq 1 ]; then
1966 scripts/config.py unset MBEDTLS_DHM_C
1967 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1968 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1969 fi
1970 fi
1971
1972 # Restartable feature is not yet supported by PSA. Once it will in
1973 # the future, the following line could be removed (see issues
1974 # 6061, 6332 and following ones)
1975 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1976}
1977
1978# Common helper used by:
1979# - component_test_psa_crypto_config_accel_ecc_no_bignum
1980# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
1981#
1982# The goal is to build and test accelerating either:
1983# - ECC only or
1984# - both ECC and FFDH
1985#
1986# It is meant to be used in conjunction with
1987# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers
1988# coverage analysis in the "analyze_outcomes.py" script.
1989common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
1990 test_target="$1"
1991
1992 # This is an internal helper to simplify text message handling
1993 if [ "$test_target" = "ECC_DH" ]; then
1994 accel_text="ECC/FFDH"
1995 removed_text="ECP - DH"
1996 else
1997 accel_text="ECC"
1998 removed_text="ECP"
1999 fi
2000
2001 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
2002
2003 # By default we accelerate all EC keys/algs
2004 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
2005 ALG_ECDH \
2006 ALG_JPAKE \
2007 $(helper_get_psa_key_type_list "ECC") \
2008 $(helper_get_psa_curve_list)"
2009 # Optionally we can also add DH to the list of accelerated items
2010 if [ "$test_target" = "ECC_DH" ]; then
2011 loc_accel_list="$loc_accel_list \
2012 ALG_FFDH \
2013 $(helper_get_psa_key_type_list "DH") \
2014 $(helper_get_psa_dh_group_list)"
2015 fi
2016
2017 # Configure
2018 # ---------
2019
2020 # Set common configurations between library's and driver's builds
2021 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
2022 # Disable all the builtin curves. All the required algs are accelerated.
2023 helper_disable_builtin_curves
2024
2025 # Build
2026 # -----
2027
2028 # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
2029 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic.
2030 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2031 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2032
2033 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
2034
2035 helper_libtestdriver1_make_main "$loc_accel_list"
2036
2037 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
2038 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
2039 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
2040 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
2041 # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled
2042 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
2043 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
2044 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
2045 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
2046
2047 # Run the tests
2048 # -------------
2049
2050 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
2051
2052 make test
2053
2054 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
2055 tests/ssl-opt.sh
2056}
2057
2058# Common helper used by:
2059# - component_test_psa_crypto_config_reference_ecc_no_bignum
2060# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
2061#
2062# The goal is to build and test a reference scenario (i.e. with builtin
2063# components) compared to the ones used in
2064# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above.
2065#
2066# It is meant to be used in conjunction with
2067# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers'
2068# coverage analysis in "analyze_outcomes.py" script.
2069common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
2070 test_target="$1"
2071
2072 # This is an internal helper to simplify text message handling
2073 if [ "$test_target" = "ECC_DH" ]; then
2074 accel_text="ECC/FFDH"
2075 else
2076 accel_text="ECC"
2077 fi
2078
2079 msg "build: full + non accelerated $accel_text algs + USE_PSA"
2080
2081 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
2082
2083 make
2084
2085 msg "test suites: full + non accelerated EC algs + USE_PSA"
2086 make test
2087
2088 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA"
2089 tests/ssl-opt.sh
2090}
2091
2092component_test_psa_crypto_config_accel_ecc_no_bignum () {
2093 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC"
2094}
2095
2096component_test_psa_crypto_config_reference_ecc_no_bignum () {
2097 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC"
2098}
2099
2100component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
2101 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH"
2102}
2103
2104component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
2105 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH"
2106}
2107
2108# Helper for setting common configurations between:
2109# - component_test_tfm_config_p256m_driver_accel_ec()
2110# - component_test_tfm_config()
2111common_tfm_config () {
2112 # Enable TF-M config
2113 cp configs/config-tfm.h "$CONFIG_H"
2114 echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H"
2115 cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
2116
2117 # Other config adjustment to make the tests pass.
2118 # This should probably be adopted upstream.
2119 #
2120 # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS
2121 echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H"
2122
2123 # Config adjustment for better test coverage in our environment.
2124 # This is not needed just to build and pass tests.
2125 #
2126 # Enable filesystem I/O for the benefit of PK parse/write tests.
2127 echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H"
2128}
2129
2130# Keep this in sync with component_test_tfm_config() as they are both meant
2131# to be used in analyze_outcomes.py for driver's coverage analysis.
2132component_test_tfm_config_p256m_driver_accel_ec () {
2133 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
2134
2135 common_tfm_config
2136
2137 # Build crypto library
2138 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS"
2139
2140 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
2141 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
2142 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
2143 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
2144 # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled
2145 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
2146 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
2147 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
2148 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
2149 # Check that p256m was built
2150 grep -q p256_ecdsa_ library/libmbedcrypto.a
2151
2152 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
2153 # files, so we want to ensure that it has not be re-enabled accidentally.
2154 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2155
2156 # Run the tests
2157 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
2158 make test
2159}
2160
2161# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as
2162# they are both meant to be used in analyze_outcomes.py for driver's coverage
2163# analysis.
2164component_test_tfm_config() {
2165 common_tfm_config
2166
2167 # Disable P256M driver, which is on by default, so that analyze_outcomes
2168 # can compare this test with test_tfm_config_p256m_driver_accel_ec
2169 echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H"
2170
2171 msg "build: TF-M config"
2172 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests
2173
2174 # Check that p256m was not built
2175 not grep p256_ecdsa_ library/libmbedcrypto.a
2176
2177 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
2178 # files, so we want to ensure that it has not be re-enabled accidentally.
2179 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2180
2181 msg "test: TF-M config"
2182 make test
2183}
2184
2185# Common helper for component_full_without_ecdhe_ecdsa() and
2186# component_full_without_ecdhe_ecdsa_and_tls13() which:
2187# - starts from the "full" configuration minus the list of symbols passed in
2188# as 1st parameter
2189# - build
2190# - test only TLS (i.e. test_suite_tls and ssl-opt)
2191build_full_minus_something_and_test_tls () {
2192 symbols_to_disable="$1"
2193
2194 msg "build: full minus something, test TLS"
2195
2196 scripts/config.py full
2197 for sym in $symbols_to_disable; do
2198 echo "Disabling $sym"
2199 scripts/config.py unset $sym
2200 done
2201
2202 make
2203
2204 msg "test: full minus something, test TLS"
2205 ( cd tests; ./test_suite_ssl )
2206
2207 msg "ssl-opt: full minus something, test TLS"
2208 tests/ssl-opt.sh
2209}
2210
2211component_full_without_ecdhe_ecdsa () {
2212 build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
2213}
2214
2215component_full_without_ecdhe_ecdsa_and_tls13 () {
2216 build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2217 MBEDTLS_SSL_PROTO_TLS1_3"
2218}
2219
2220# This is an helper used by:
2221# - component_test_psa_ecc_key_pair_no_derive
2222# - component_test_psa_ecc_key_pair_no_generate
2223# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols
2224# enabled, but one. Input arguments are as follows:
2225# - $1 is the key type under test, i.e. ECC/RSA/DH
2226# - $2 is the key option to be unset (i.e. generate, derive, etc)
2227build_and_test_psa_want_key_pair_partial() {
2228 key_type=$1
2229 unset_option=$2
2230 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
2231
2232 msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
2233 scripts/config.py full
2234 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2235 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2236
2237 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
2238 # crypto_config.h so we just disable the one we don't want.
2239 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
2240
2241 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2242
2243 msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
2244 make test
2245}
2246
2247component_test_psa_ecc_key_pair_no_derive() {
2248 build_and_test_psa_want_key_pair_partial "ECC" "DERIVE"
2249}
2250
2251component_test_psa_ecc_key_pair_no_generate() {
2252 build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
2253}
2254
2255config_psa_crypto_accel_rsa () {
2256 driver_only=$1
2257
2258 # Start from crypto_full config (no X.509, no TLS)
2259 helper_libtestdriver1_adjust_config "crypto_full"
2260
2261 if [ "$driver_only" -eq 1 ]; then
2262 # Remove RSA support and its dependencies
2263 scripts/config.py unset MBEDTLS_RSA_C
2264 scripts/config.py unset MBEDTLS_PKCS1_V15
2265 scripts/config.py unset MBEDTLS_PKCS1_V21
2266
2267 # We need PEM parsing in the test library as well to support the import
2268 # of PEM encoded RSA keys.
2269 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
2270 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
2271 fi
2272}
2273
2274component_test_psa_crypto_config_accel_rsa_crypto () {
2275 msg "build: crypto_full with accelerated RSA"
2276
2277 loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \
2278 ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \
2279 KEY_TYPE_RSA_PUBLIC_KEY \
2280 KEY_TYPE_RSA_KEY_PAIR_BASIC \
2281 KEY_TYPE_RSA_KEY_PAIR_GENERATE \
2282 KEY_TYPE_RSA_KEY_PAIR_IMPORT \
2283 KEY_TYPE_RSA_KEY_PAIR_EXPORT"
2284
2285 # Configure
2286 # ---------
2287
2288 config_psa_crypto_accel_rsa 1
2289
2290 # Build
2291 # -----
2292
2293 # These hashes are needed for unit tests.
2294 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2295 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5"
2296 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
2297
2298 helper_libtestdriver1_make_main "$loc_accel_list"
2299
2300 # Make sure this was not re-enabled by accident (additive config)
2301 not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o
2302
2303 # Run the tests
2304 # -------------
2305
2306 msg "test: crypto_full with accelerated RSA"
2307 make test
2308}
2309
2310component_test_psa_crypto_config_reference_rsa_crypto () {
2311 msg "build: crypto_full with non-accelerated RSA"
2312
2313 # Configure
2314 # ---------
2315 config_psa_crypto_accel_rsa 0
2316
2317 # Build
2318 # -----
2319 make
2320
2321 # Run the tests
2322 # -------------
2323 msg "test: crypto_full with non-accelerated RSA"
2324 make test
2325}
2326
2327# This is a temporary test to verify that full RSA support is present even when
2328# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
2329component_test_new_psa_want_key_pair_symbol() {
2330 msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
2331
2332 # Create a temporary output file unless there is already one set
2333 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
2334 REMOVE_OUTCOME_ON_EXIT="no"
2335 else
2336 REMOVE_OUTCOME_ON_EXIT="yes"
2337 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv"
2338 export MBEDTLS_TEST_OUTCOME_FILE
2339 fi
2340
2341 # Start from crypto configuration
2342 scripts/config.py crypto
2343
2344 # Remove RSA support and its dependencies
2345 scripts/config.py unset MBEDTLS_PKCS1_V15
2346 scripts/config.py unset MBEDTLS_PKCS1_V21
2347 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
2348 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2349 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2350 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
2351 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
2352 scripts/config.py unset MBEDTLS_RSA_C
2353 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
2354
2355 # Enable PSA support
2356 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2357
2358 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
2359 # that proper translations is done in crypto_legacy.h.
2360 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
2361 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
2362 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
2363
2364 make
2365
2366 msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
2367 make test
2368
2369 # Parse only 1 relevant line from the outcome file, i.e. a test which is
2370 # performing RSA signature.
2371 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS"
2372 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS"
2373
2374 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then
2375 rm $MBEDTLS_TEST_OUTCOME_FILE
2376 fi
2377}
2378
2379component_test_psa_crypto_config_accel_hash () {
2380 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
2381
2382 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
2383 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2384 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2385
2386 # Configure
2387 # ---------
2388
2389 # Start from default config (no USE_PSA)
2390 helper_libtestdriver1_adjust_config "default"
2391
2392 # Disable the things that are being accelerated
2393 scripts/config.py unset MBEDTLS_MD5_C
2394 scripts/config.py unset MBEDTLS_RIPEMD160_C
2395 scripts/config.py unset MBEDTLS_SHA1_C
2396 scripts/config.py unset MBEDTLS_SHA224_C
2397 scripts/config.py unset MBEDTLS_SHA256_C
2398 scripts/config.py unset MBEDTLS_SHA384_C
2399 scripts/config.py unset MBEDTLS_SHA512_C
2400 scripts/config.py unset MBEDTLS_SHA3_C
2401
2402 # Build
2403 # -----
2404
2405 helper_libtestdriver1_make_drivers "$loc_accel_list"
2406
2407 helper_libtestdriver1_make_main "$loc_accel_list"
2408
2409 # There's a risk of something getting re-enabled via config_psa.h;
2410 # make sure it did not happen. Note: it's OK for MD_C to be enabled.
2411 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
2412 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
2413 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
2414 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
2415 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
2416
2417 # Run the tests
2418 # -------------
2419
2420 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
2421 make test
2422}
2423
2424# Auxiliary function to build config for hashes with and without drivers
2425config_psa_crypto_hash_use_psa () {
2426 driver_only="$1"
2427 # start with config full for maximum coverage (also enables USE_PSA)
2428 helper_libtestdriver1_adjust_config "full"
2429 if [ "$driver_only" -eq 1 ]; then
2430 # disable the built-in implementation of hashes
2431 scripts/config.py unset MBEDTLS_MD5_C
2432 scripts/config.py unset MBEDTLS_RIPEMD160_C
2433 scripts/config.py unset MBEDTLS_SHA1_C
2434 scripts/config.py unset MBEDTLS_SHA224_C
2435 scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
2436 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
2437 scripts/config.py unset MBEDTLS_SHA384_C
2438 scripts/config.py unset MBEDTLS_SHA512_C
2439 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
2440 scripts/config.py unset MBEDTLS_SHA3_C
2441 fi
2442}
2443
2444# Note that component_test_psa_crypto_config_reference_hash_use_psa
2445# is related to this component and both components need to be kept in sync.
2446# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
2447component_test_psa_crypto_config_accel_hash_use_psa () {
2448 msg "test: full with accelerated hashes"
2449
2450 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
2451 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2452 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2453
2454 # Configure
2455 # ---------
2456
2457 config_psa_crypto_hash_use_psa 1
2458
2459 # Build
2460 # -----
2461
2462 helper_libtestdriver1_make_drivers "$loc_accel_list"
2463
2464 helper_libtestdriver1_make_main "$loc_accel_list"
2465
2466 # There's a risk of something getting re-enabled via config_psa.h;
2467 # make sure it did not happen. Note: it's OK for MD_C to be enabled.
2468 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
2469 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
2470 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
2471 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
2472 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
2473
2474 # Run the tests
2475 # -------------
2476
2477 msg "test: full with accelerated hashes"
2478 make test
2479
2480 # This is mostly useful so that we can later compare outcome files with
2481 # the reference config in analyze_outcomes.py, to check that the
2482 # dependency declarations in ssl-opt.sh and in TLS code are correct.
2483 msg "test: ssl-opt.sh, full with accelerated hashes"
2484 tests/ssl-opt.sh
2485
2486 # This is to make sure all ciphersuites are exercised, but we don't need
2487 # interop testing (besides, we already got some from ssl-opt.sh).
2488 msg "test: compat.sh, full with accelerated hashes"
2489 tests/compat.sh -p mbedTLS -V YES
2490}
2491
2492# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
2493# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py
2494# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt).
2495# Both components need to be kept in sync.
2496component_test_psa_crypto_config_reference_hash_use_psa() {
2497 msg "test: full without accelerated hashes"
2498
2499 config_psa_crypto_hash_use_psa 0
2500
2501 make
2502
2503 msg "test: full without accelerated hashes"
2504 make test
2505
2506 msg "test: ssl-opt.sh, full without accelerated hashes"
2507 tests/ssl-opt.sh
2508}
2509
2510# Auxiliary function to build config for hashes with and without drivers
2511config_psa_crypto_hmac_use_psa () {
2512 driver_only="$1"
2513 # start with config full for maximum coverage (also enables USE_PSA)
2514 helper_libtestdriver1_adjust_config "full"
2515
2516 if [ "$driver_only" -eq 1 ]; then
2517 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
2518 # is still enabled though (for ENTROPY_C among others).
2519 scripts/config.py unset MBEDTLS_MD_C
2520 # Disable also the builtin hashes since they are supported by the driver
2521 # and MD module is able to perform PSA dispathing.
2522 scripts/config.py unset-all MBEDTLS_SHA
2523 scripts/config.py unset MBEDTLS_MD5_C
2524 scripts/config.py unset MBEDTLS_RIPEMD160_C
2525 fi
2526
2527 # Direct dependencies of MD_C. We disable them also in the reference
2528 # component to work with the same set of features.
2529 scripts/config.py unset MBEDTLS_PKCS7_C
2530 scripts/config.py unset MBEDTLS_PKCS5_C
2531 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
2532 scripts/config.py unset MBEDTLS_HKDF_C
2533 # Dependencies of HMAC_DRBG
2534 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
2535 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
2536}
2537
2538component_test_psa_crypto_config_accel_hmac() {
2539 msg "test: full with accelerated hmac"
2540
2541 loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \
2542 ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
2543 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2544 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2545
2546 # Configure
2547 # ---------
2548
2549 config_psa_crypto_hmac_use_psa 1
2550
2551 # Build
2552 # -----
2553
2554 helper_libtestdriver1_make_drivers "$loc_accel_list"
2555
2556 helper_libtestdriver1_make_main "$loc_accel_list"
2557
2558 # Ensure that built-in support for HMAC is disabled.
2559 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
2560
2561 # Run the tests
2562 # -------------
2563
2564 msg "test: full with accelerated hmac"
2565 make test
2566}
2567
2568component_test_psa_crypto_config_reference_hmac() {
2569 msg "test: full without accelerated hmac"
2570
2571 config_psa_crypto_hmac_use_psa 0
2572
2573 make
2574
2575 msg "test: full without accelerated hmac"
2576 make test
2577}
2578
2579component_test_psa_crypto_config_accel_des () {
2580 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
2581
2582 # Albeit this components aims at accelerating DES which should only support
2583 # CBC and ECB modes, we need to accelerate more than that otherwise DES_C
2584 # would automatically be re-enabled by "config_adjust_legacy_from_psa.c"
2585 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \
2586 ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \
2587 KEY_TYPE_DES"
2588
2589 # Note: we cannot accelerate all ciphers' key types otherwise we would also
2590 # have to either disable CCM/GCM or accelerate them, but that's out of scope
2591 # of this component. This limitation will be addressed by #8598.
2592
2593 # Configure
2594 # ---------
2595
2596 # Start from the full config
2597 helper_libtestdriver1_adjust_config "full"
2598
2599 # Disable the things that are being accelerated
2600 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2601 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
2602 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
2603 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
2604 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
2605 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2606 scripts/config.py unset MBEDTLS_DES_C
2607 scripts/config.py unset MBEDTLS_CMAC_C
2608
2609 # Build
2610 # -----
2611
2612 helper_libtestdriver1_make_drivers "$loc_accel_list"
2613
2614 helper_libtestdriver1_make_main "$loc_accel_list"
2615
2616 # Make sure this was not re-enabled by accident (additive config)
2617 not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o
2618
2619 # Run the tests
2620 # -------------
2621
2622 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
2623 make test
2624}
2625
2626component_test_psa_crypto_config_accel_aead () {
2627 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2628
2629 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \
2630 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2631
2632 # Configure
2633 # ---------
2634
2635 # Start from full config
2636 helper_libtestdriver1_adjust_config "full"
2637
2638 # Disable things that are being accelerated
2639 scripts/config.py unset MBEDTLS_GCM_C
2640 scripts/config.py unset MBEDTLS_CCM_C
2641 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2642
2643 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
2644 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
2645
2646 # Build
2647 # -----
2648
2649 helper_libtestdriver1_make_drivers "$loc_accel_list"
2650
2651 helper_libtestdriver1_make_main "$loc_accel_list"
2652
2653 # Make sure this was not re-enabled by accident (additive config)
2654 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
2655 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
2656 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
2657
2658 # Run the tests
2659 # -------------
2660
2661 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2662 make test
2663}
2664
2665# This is a common configuration function used in:
2666# - component_test_psa_crypto_config_accel_cipher_aead_cmac
2667# - component_test_psa_crypto_config_reference_cipher_aead_cmac
2668common_psa_crypto_config_accel_cipher_aead_cmac() {
2669 # Start from the full config
2670 helper_libtestdriver1_adjust_config "full"
2671
2672 scripts/config.py unset MBEDTLS_NIST_KW_C
2673}
2674
2675# The 2 following test components, i.e.
2676# - component_test_psa_crypto_config_accel_cipher_aead_cmac
2677# - component_test_psa_crypto_config_reference_cipher_aead_cmac
2678# are meant to be used together in analyze_outcomes.py script in order to test
2679# driver's coverage for ciphers and AEADs.
2680component_test_psa_crypto_config_accel_cipher_aead_cmac () {
2681 msg "build: full config with accelerated cipher inc. AEAD and CMAC"
2682
2683 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
2684 ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
2685 ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \
2686 KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"
2687
2688 # Configure
2689 # ---------
2690
2691 common_psa_crypto_config_accel_cipher_aead_cmac
2692
2693 # Disable the things that are being accelerated
2694 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2695 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
2696 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
2697 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
2698 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
2699 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2700 scripts/config.py unset MBEDTLS_GCM_C
2701 scripts/config.py unset MBEDTLS_CCM_C
2702 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2703 scripts/config.py unset MBEDTLS_CMAC_C
2704 scripts/config.py unset MBEDTLS_DES_C
2705 scripts/config.py unset MBEDTLS_AES_C
2706 scripts/config.py unset MBEDTLS_ARIA_C
2707 scripts/config.py unset MBEDTLS_CHACHA20_C
2708 scripts/config.py unset MBEDTLS_CAMELLIA_C
2709
2710 # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
2711 # does not depend on it.
2712 scripts/config.py unset MBEDTLS_CIPHER_C
2713
2714 # Build
2715 # -----
2716
2717 helper_libtestdriver1_make_drivers "$loc_accel_list"
2718
2719 helper_libtestdriver1_make_main "$loc_accel_list"
2720
2721 # Make sure this was not re-enabled by accident (additive config)
2722 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2723 not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
2724 not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o
2725 not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o
2726 not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o
2727 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
2728 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
2729 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
2730 not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o
2731
2732 # Run the tests
2733 # -------------
2734
2735 msg "test: full config with accelerated cipher inc. AEAD and CMAC"
2736 make test
2737
2738 msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC"
2739 tests/ssl-opt.sh
2740
2741 msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC"
2742 tests/compat.sh -V NO -p mbedTLS
2743}
2744
2745component_test_psa_crypto_config_reference_cipher_aead_cmac () {
2746 msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
2747 common_psa_crypto_config_accel_cipher_aead_cmac
2748
2749 make
2750
2751 msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
2752 make test
2753
2754 msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC"
2755 tests/ssl-opt.sh
2756
2757 msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC"
2758 tests/compat.sh -V NO -p mbedTLS
2759}
2760
2761common_block_cipher_dispatch() {
2762 TEST_WITH_DRIVER="$1"
2763
2764 # Start from the full config
2765 helper_libtestdriver1_adjust_config "full"
2766
2767 if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
2768 # Disable key types that are accelerated (there is no legacy equivalent
2769 # symbol for ECB)
2770 scripts/config.py unset MBEDTLS_AES_C
2771 scripts/config.py unset MBEDTLS_ARIA_C
2772 scripts/config.py unset MBEDTLS_CAMELLIA_C
2773 fi
2774
2775 # Disable cipher's modes that, when not accelerated, cause
2776 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
2777 # Keep this also in the reference component in order to skip the same tests
2778 # that were skipped in the accelerated one.
2779 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
2780 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
2781 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
2782 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
2783 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
2784 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
2785 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
2786 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
2787
2788 # Disable direct dependency on AES_C
2789 scripts/config.py unset MBEDTLS_NIST_KW_C
2790
2791 # Prevent the cipher module from using deprecated PSA path. The reason is
2792 # that otherwise there will be tests relying on "aes_info" (defined in
2793 # "cipher_wrap.c") whose functions are not available when AES_C is
2794 # not defined. ARIA and Camellia are not a problem in this case because
2795 # the PSA path is not tested for these key types.
2796 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
2797}
2798
2799component_test_full_block_cipher_psa_dispatch () {
2800 msg "build: full + PSA dispatch in block_cipher"
2801
2802 loc_accel_list="ALG_ECB_NO_PADDING \
2803 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2804
2805 # Configure
2806 # ---------
2807
2808 common_block_cipher_dispatch 1
2809
2810 # Build
2811 # -----
2812
2813 helper_libtestdriver1_make_drivers "$loc_accel_list"
2814
2815 helper_libtestdriver1_make_main "$loc_accel_list"
2816
2817 # Make sure disabled components were not re-enabled by accident (additive
2818 # config)
2819 not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o
2820 not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o
2821 not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o
2822
2823 # Run the tests
2824 # -------------
2825
2826 msg "test: full + PSA dispatch in block_cipher"
2827 make test
2828}
2829
2830# This is the reference component of component_test_full_block_cipher_psa_dispatch
2831component_test_full_block_cipher_legacy_dispatch () {
2832 msg "build: full + legacy dispatch in block_cipher"
2833
2834 common_block_cipher_dispatch 0
2835
2836 make
2837
2838 msg "test: full + legacy dispatch in block_cipher"
2839 make test
2840}
2841
2842component_test_aead_chachapoly_disabled() {
2843 msg "build: full minus CHACHAPOLY"
2844 scripts/config.py full
2845 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2846 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
2847 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2848
2849 msg "test: full minus CHACHAPOLY"
2850 make test
2851}
2852
2853component_test_aead_only_ccm() {
2854 msg "build: full minus CHACHAPOLY and GCM"
2855 scripts/config.py full
2856 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2857 scripts/config.py unset MBEDTLS_GCM_C
2858 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
2859 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
2860 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2861
2862 msg "test: full minus CHACHAPOLY and GCM"
2863 make test
2864}
2865
2866component_test_ccm_aes_sha256() {
2867 msg "build: CCM + AES + SHA256 configuration"
2868
2869 cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H"
2870 cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H"
2871
2872 make
2873
2874 msg "test: CCM + AES + SHA256 configuration"
2875 make test
2876}
2877
2878support_build_tfm_armcc () {
2879 support_build_armcc
2880}
2881
2882component_build_tfm_armcc() {
2883 # test the TF-M configuration can build cleanly with various warning flags enabled
2884 cp configs/config-tfm.h "$CONFIG_H"
2885
2886 msg "build: TF-M config, armclang armv7-m thumb2"
2887 armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe"
2888}
2889
2890component_build_tfm() {
2891 # Check that the TF-M configuration can build cleanly with various
2892 # warning flags enabled. We don't build or run tests, since the
2893 # TF-M configuration needs a TF-M platform. A tweaked version of
2894 # the configuration that works on mainstream platforms is in
2895 # configs/config-tfm.h, tested via test-ref-configs.pl.
2896 cp configs/config-tfm.h "$CONFIG_H"
2897
2898 msg "build: TF-M config, clang, armv7-m thumb2"
2899 make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe"
2900
2901 msg "build: TF-M config, gcc native build"
2902 make clean
2903 make lib CC="gcc" CFLAGS="-Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wformat-signedness -Wlogical-op -I../tests/include/spe"
2904}
2905
2906# Test that the given .o file builds with all (valid) combinations of the given options.
2907#
2908# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ...
2909#
2910# The validator function is the name of a function to validate the combination of options.
2911# It may be "" if all combinations are valid.
2912# It receives a string containing a combination of options, as passed to the compiler,
2913# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid.
2914build_test_config_combos() {
2915 file=$1
2916 shift
2917 validate_options=$1
2918 shift
2919 options=("$@")
2920
2921 # clear all of the options so that they can be overridden on the clang commandline
2922 for opt in "${options[@]}"; do
2923 ./scripts/config.py unset ${opt}
2924 done
2925
2926 # enter the library directory
2927 cd library
2928
2929 # The most common issue is unused variables/functions, so ensure -Wunused is set.
2930 warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused"
2931
2932 # Extract the command generated by the Makefile to build the target file.
2933 # This ensures that we have any include paths, macro definitions, etc
2934 # that may be applied by make.
2935 # Add -fsyntax-only as we only want a syntax check and don't need to generate a file.
2936 compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c"
2937
2938 makefile=$(TMPDIR=. mktemp)
2939 deps=""
2940
2941 len=${#options[@]}
2942 source_file=../${file%.o}.c
2943
2944 targets=0
2945 echo 'include Makefile' >${makefile}
2946
2947 for ((i = 0; i < $((2**${len})); i++)); do
2948 # generate each of 2^n combinations of options
2949 # each bit of $i is used to determine if options[i] will be set or not
2950 target="t"
2951 clang_args=""
2952 for ((j = 0; j < ${len}; j++)); do
2953 if (((i >> j) & 1)); then
2954 opt=-D${options[$j]}
2955 clang_args="${clang_args} ${opt}"
2956 target="${target}${opt}"
2957 fi
2958 done
2959
2960 # if combination is not known to be invalid, add it to the makefile
2961 if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then
2962 cmd="${compile_cmd} ${clang_args}"
2963 echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile}
2964
2965 deps="${deps} ${target}"
2966 ((++targets))
2967 fi
2968 done
2969
2970 echo "build_test_config_combos: ${deps}" >> ${makefile}
2971
2972 # execute all of the commands via Make (probably in parallel)
2973 make -s -f ${makefile} build_test_config_combos
2974 echo "$targets targets checked"
2975
2976 # clean up the temporary makefile
2977 rm ${makefile}
2978}
2979
2980validate_aes_config_variations() {
2981 if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then
2982 if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \
2983 ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then
2984 return 1
2985 fi
2986 fi
2987 return 0
2988}
2989
2990component_build_aes_variations() {
2991 # 18s - around 90ms per clang invocation on M1 Pro
2992 #
2993 # aes.o has many #if defined(...) guards that intersect in complex ways.
2994 # Test that all the combinations build cleanly.
2995
2996 MBEDTLS_ROOT_DIR="$PWD"
2997 msg "build: aes.o for all combinations of relevant config options"
2998
2999 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
3000 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
3001 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
3002 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
3003 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
3004
3005 cd "$MBEDTLS_ROOT_DIR"
3006 msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT"
3007
3008 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES,
3009 # manually set or unset those configurations to check
3010 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
3011 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
3012 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3013 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
3014 scripts/config.py unset MBEDTLS_DES_C
3015 scripts/config.py unset MBEDTLS_NIST_KW_C
3016 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
3017 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
3018 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
3019 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
3020 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
3021}
3022
3023component_test_no_platform () {
3024 # Full configuration build, without platform support, file IO and net sockets.
3025 # This should catch missing mbedtls_printf definitions, and by disabling file
3026 # IO, it should catch missing '#include <stdio.h>'
3027 msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
3028 scripts/config.py full_no_platform
3029 scripts/config.py unset MBEDTLS_PLATFORM_C
3030 scripts/config.py unset MBEDTLS_NET_C
3031 scripts/config.py unset MBEDTLS_FS_IO
3032 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
3033 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
3034 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
3035 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
3036 # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
3037 # to re-enable platform integration features otherwise disabled in C99 builds
3038 make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
3039 make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test
3040}
3041
3042component_build_no_std_function () {
3043 # catch compile bugs in _uninit functions
3044 msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
3045 scripts/config.py full
3046 scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
3047 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
3048 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
3049 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check .
3050 make
3051}
3052
3053component_build_no_ssl_srv () {
3054 msg "build: full config except SSL server, make, gcc" # ~ 30s
3055 scripts/config.py full
3056 scripts/config.py unset MBEDTLS_SSL_SRV_C
3057 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
3058}
3059
3060component_build_no_ssl_cli () {
3061 msg "build: full config except SSL client, make, gcc" # ~ 30s
3062 scripts/config.py full
3063 scripts/config.py unset MBEDTLS_SSL_CLI_C
3064 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
3065}
3066
3067component_build_no_sockets () {
3068 # Note, C99 compliance can also be tested with the sockets support disabled,
3069 # as that requires a POSIX platform (which isn't the same as C99).
3070 msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
3071 scripts/config.py full
3072 scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
3073 scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
3074 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
3075}
3076
3077component_test_memory_buffer_allocator_backtrace () {
3078 msg "build: default config with memory buffer allocator and backtrace enabled"
3079 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3080 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3081 scripts/config.py set MBEDTLS_MEMORY_BACKTRACE
3082 scripts/config.py set MBEDTLS_MEMORY_DEBUG
3083 cmake -DCMAKE_BUILD_TYPE:String=Release .
3084 make
3085
3086 msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE"
3087 make test
3088}
3089
3090component_test_memory_buffer_allocator () {
3091 msg "build: default config with memory buffer allocator"
3092 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3093 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3094 cmake -DCMAKE_BUILD_TYPE:String=Release .
3095 make
3096
3097 msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C"
3098 make test
3099
3100 msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C"
3101 # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out.
3102 tests/ssl-opt.sh -e '^DTLS proxy'
3103}
3104
3105component_test_no_max_fragment_length () {
3106 # Run max fragment length tests with MFL disabled
3107 msg "build: default config except MFL extension (ASan build)" # ~ 30s
3108 scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3109 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3110 make
3111
3112 msg "test: ssl-opt.sh, MFL-related tests"
3113 tests/ssl-opt.sh -f "Max fragment length"
3114}
3115
3116component_test_asan_remove_peer_certificate () {
3117 msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
3118 scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
3119 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3120 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3121 make
3122
3123 msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3124 make test
3125
3126 msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3127 tests/ssl-opt.sh
3128
3129 msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3130 tests/compat.sh
3131
3132 msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3133 tests/context-info.sh
3134}
3135
3136component_test_no_max_fragment_length_small_ssl_out_content_len () {
3137 msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
3138 scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3139 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
3140 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
3141 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3142 make
3143
3144 msg "test: MFL tests (disabled MFL extension case) & large packet tests"
3145 tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
3146
3147 msg "test: context-info.sh (disabled MFL extension case)"
3148 tests/context-info.sh
3149}
3150
3151component_test_variable_ssl_in_out_buffer_len () {
3152 msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)"
3153 scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
3154 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3155 make
3156
3157 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3158 make test
3159
3160 msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3161 tests/ssl-opt.sh
3162
3163 msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3164 tests/compat.sh
3165}
3166
3167component_test_dtls_cid_legacy () {
3168 msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
3169 scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
3170
3171 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3172 make
3173
3174 msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
3175 make test
3176
3177 msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
3178 tests/ssl-opt.sh
3179
3180 msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
3181 tests/compat.sh
3182}
3183
3184component_test_ssl_alloc_buffer_and_mfl () {
3185 msg "build: default config with memory buffer allocator and MFL extension"
3186 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3187 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3188 scripts/config.py set MBEDTLS_MEMORY_DEBUG
3189 scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3190 scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
3191 cmake -DCMAKE_BUILD_TYPE:String=Release .
3192 make
3193
3194 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
3195 make test
3196
3197 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
3198 tests/ssl-opt.sh -f "Handshake memory usage"
3199}
3200
3201component_test_when_no_ciphersuites_have_mac () {
3202 msg "build: when no ciphersuites have MAC"
3203 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3204 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
3205 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
3206 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
3207 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
3208
3209 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
3210 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3211 scripts/config.py unset MBEDTLS_CMAC_C
3212
3213 make
3214
3215 msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
3216 make test
3217
3218 msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
3219 tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM'
3220}
3221
3222component_test_no_date_time () {
3223 msg "build: default config without MBEDTLS_HAVE_TIME_DATE"
3224 scripts/config.py unset MBEDTLS_HAVE_TIME_DATE
3225 cmake -D CMAKE_BUILD_TYPE:String=Check .
3226 make
3227
3228 msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites"
3229 make test
3230}
3231
3232component_test_platform_calloc_macro () {
3233 msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
3234 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3235 scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
3236 scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO free
3237 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3238 make
3239
3240 msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
3241 make test
3242}
3243
3244component_test_malloc_0_null () {
3245 msg "build: malloc(0) returns NULL (ASan+UBSan build)"
3246 scripts/config.py full
3247 make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
3248
3249 msg "test: malloc(0) returns NULL (ASan+UBSan build)"
3250 make test
3251
3252 msg "selftest: malloc(0) returns NULL (ASan+UBSan build)"
3253 # Just the calloc selftest. "make test" ran the others as part of the
3254 # test suites.
3255 programs/test/selftest calloc
3256
3257 msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)"
3258 # Run a subset of the tests. The choice is a balance between coverage
3259 # and time (including time indirectly wasted due to flaky tests).
3260 # The current choice is to skip tests whose description includes
3261 # "proxy", which is an approximation of skipping tests that use the
3262 # UDP proxy, which tend to be slower and flakier.
3263 tests/ssl-opt.sh -e 'proxy'
3264}
3265
3266support_test_aesni() {
3267 # Check that gcc targets x86_64 (we can build AESNI), and check for
3268 # AESNI support on the host (we can run AESNI).
3269 #
3270 # The name of this function is possibly slightly misleading, but needs to align
3271 # with the name of the corresponding test, component_test_aesni.
3272 #
3273 # In principle 32-bit x86 can support AESNI, but our implementation does not
3274 # support 32-bit x86, so we check for x86-64.
3275 # We can only grep /proc/cpuinfo on Linux, so this also checks for Linux
3276 (gcc -v 2>&1 | grep Target | grep -q x86_64) &&
3277 [[ "$HOSTTYPE" == "x86_64" && "$OSTYPE" == "linux-gnu" ]] &&
3278 (lscpu | grep -qw aes)
3279}
3280
3281component_test_aesni () { # ~ 60s
3282 # This tests the two AESNI implementations (intrinsics and assembly), and also the plain C
3283 # fallback. It also tests the logic that is used to select which implementation(s) to build.
3284 #
3285 # This test does not require the host to have support for AESNI (if it doesn't, the run-time
3286 # AESNI detection will fallback to the plain C implementation, so the tests will instead
3287 # exercise the plain C impl).
3288
3289 msg "build: default config with different AES implementations"
3290 scripts/config.py set MBEDTLS_AESNI_C
3291 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3292 scripts/config.py set MBEDTLS_HAVE_ASM
3293
3294 # test the intrinsics implementation
3295 msg "AES tests, test intrinsics"
3296 make clean
3297 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes'
3298 # check that we built intrinsics - this should be used by default when supported by the compiler
3299 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
3300
3301 # test the asm implementation
3302 msg "AES tests, test assembly"
3303 make clean
3304 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes'
3305 # check that we built assembly - this should be built if the compiler does not support intrinsics
3306 ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly"
3307
3308 # test the plain C implementation
3309 scripts/config.py unset MBEDTLS_AESNI_C
3310 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3311 msg "AES tests, plain C"
3312 make clean
3313 make CC=gcc CFLAGS='-O2 -Werror'
3314 # check that there is no AESNI code present
3315 ./programs/test/selftest aes | not grep -q "AESNI code"
3316 not grep -q "AES note: using AESNI" ./programs/test/selftest
3317 grep -q "AES note: built-in implementation." ./programs/test/selftest
3318
3319 # test the intrinsics implementation
3320 scripts/config.py set MBEDTLS_AESNI_C
3321 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3322 msg "AES tests, test AESNI only"
3323 make clean
3324 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes'
3325 ./programs/test/selftest aes | grep -q "AES note: using AESNI"
3326 ./programs/test/selftest aes | not grep -q "AES note: built-in implementation."
3327 grep -q "AES note: using AESNI" ./programs/test/selftest
3328 not grep -q "AES note: built-in implementation." ./programs/test/selftest
3329}
3330
3331component_test_sha3_variations() {
3332 msg "sha3 loop unroll variations"
3333
3334 # define minimal config sufficient to test SHA3
3335 cat > include/mbedtls/mbedtls_config.h << END
3336 #define MBEDTLS_SELF_TEST
3337 #define MBEDTLS_SHA3_C
3338END
3339
3340 msg "all loops unrolled"
3341 make clean
3342 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1"
3343 ./tf-psa-crypto/tests/test_suite_shax
3344
3345 msg "all loops rolled up"
3346 make clean
3347 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0"
3348 ./tf-psa-crypto/tests/test_suite_shax
3349}
3350
3351support_test_aesni_m32() {
3352 support_test_m32_no_asm && (lscpu | grep -qw aes)
3353}
3354
3355component_test_aesni_m32 () { # ~ 60s
3356 # This tests are duplicated from component_test_aesni for i386 target
3357 #
3358 # AESNI intrinsic code supports i386 and assembly code does not support it.
3359
3360 msg "build: default config with different AES implementations"
3361 scripts/config.py set MBEDTLS_AESNI_C
3362 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3363 scripts/config.py set MBEDTLS_HAVE_ASM
3364
3365 # test the intrinsics implementation with gcc
3366 msg "AES tests, test intrinsics (gcc)"
3367 make clean
3368 make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32'
3369 # check that we built intrinsics - this should be used by default when supported by the compiler
3370 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
3371 grep -q "AES note: using AESNI" ./programs/test/selftest
3372 grep -q "AES note: built-in implementation." ./programs/test/selftest
3373 grep -q mbedtls_aesni_has_support ./programs/test/selftest
3374
3375 scripts/config.py set MBEDTLS_AESNI_C
3376 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3377 msg "AES tests, test AESNI only"
3378 make clean
3379 make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32'
3380 ./programs/test/selftest aes | grep -q "AES note: using AESNI"
3381 ./programs/test/selftest aes | not grep -q "AES note: built-in implementation."
3382 grep -q "AES note: using AESNI" ./programs/test/selftest
3383 not grep -q "AES note: built-in implementation." ./programs/test/selftest
3384 not grep -q mbedtls_aesni_has_support ./programs/test/selftest
3385}
3386
3387support_test_aesni_m32_clang() {
3388 # clang >= 4 is required to build with target attributes
3389 support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]]
3390}
3391
3392component_test_aesni_m32_clang() {
3393
3394 scripts/config.py set MBEDTLS_AESNI_C
3395 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3396 scripts/config.py set MBEDTLS_HAVE_ASM
3397
3398 # test the intrinsics implementation with clang
3399 msg "AES tests, test intrinsics (clang)"
3400 make clean
3401 make CC=clang CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32'
3402 # check that we built intrinsics - this should be used by default when supported by the compiler
3403 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
3404 grep -q "AES note: using AESNI" ./programs/test/selftest
3405 grep -q "AES note: built-in implementation." ./programs/test/selftest
3406 grep -q mbedtls_aesni_has_support ./programs/test/selftest
3407}
3408
3409# For timebeing, no aarch64 gcc available in CI and no arm64 CI node.
3410component_build_aes_aesce_armcc () {
3411 msg "Build: AESCE test on arm64 platform without plain C."
3412 scripts/config.py baremetal
3413
3414 # armc[56] don't support SHA-512 intrinsics
3415 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
3416
3417 # Stop armclang warning about feature detection for A64_CRYPTO.
3418 # With this enabled, the library does build correctly under armclang,
3419 # but in baremetal builds (as tested here), feature detection is
3420 # unavailable, and the user is notified via a #warning. So enabling
3421 # this feature would prevent us from building with -Werror on
3422 # armclang. Tracked in #7198.
3423 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3424 scripts/config.py set MBEDTLS_HAVE_ASM
3425
3426 msg "AESCE, build with default configuration."
3427 scripts/config.py set MBEDTLS_AESCE_C
3428 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3429 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
3430
3431 msg "AESCE, build AESCE only"
3432 scripts/config.py set MBEDTLS_AESCE_C
3433 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3434 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
3435}
3436
3437support_build_aes_armce() {
3438 # clang >= 11 is required to build with AES extensions
3439 [[ $(clang_version) -ge 11 ]]
3440}
3441
3442component_build_aes_armce () {
3443 # Test variations of AES with Armv8 crypto extensions
3444 scripts/config.py set MBEDTLS_AESCE_C
3445 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3446
3447 msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
3448 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
3449
3450 msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
3451 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
3452
3453 msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
3454 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3455
3456 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3457
3458 msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
3459 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
3460
3461 msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
3462 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
3463
3464 msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
3465 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3466
3467 # test for presence of AES instructions
3468 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3469 msg "clang, test A32 crypto instructions built"
3470 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3471 grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3472 msg "clang, test T32 crypto instructions built"
3473 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3474 grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3475 msg "clang, test aarch64 crypto instructions built"
3476 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3477 grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3478
3479 # test for absence of AES instructions
3480 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3481 scripts/config.py unset MBEDTLS_AESCE_C
3482 msg "clang, test A32 crypto instructions not built"
3483 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3484 not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3485 msg "clang, test T32 crypto instructions not built"
3486 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3487 not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3488 msg "clang, test aarch64 crypto instructions not built"
3489 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3490 not grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3491}
3492
3493support_build_sha_armce() {
3494 # clang >= 4 is required to build with SHA extensions
3495 [[ $(clang_version) -ge 4 ]]
3496}
3497
3498component_build_sha_armce () {
3499 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3500
3501
3502 # Test variations of SHA256 Armv8 crypto extensions
3503 scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
3504 msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64"
3505 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
3506 msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm"
3507 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
3508 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
3509
3510
3511 # test the deprecated form of the config option
3512 scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
3513 msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb"
3514 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3515 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
3516
3517 scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3518 msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64"
3519 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
3520 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3521
3522
3523 # test the deprecated form of the config option
3524 scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3525 msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm"
3526 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
3527 msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb"
3528 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3529 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3530
3531
3532 # examine the disassembly for presence of SHA instructions
3533 for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do
3534 scripts/config.py set ${opt}
3535 msg "${opt} clang, test A32 crypto instructions built"
3536 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3537 grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3538
3539 msg "${opt} clang, test T32 crypto instructions built"
3540 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3541 grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3542
3543 msg "${opt} clang, test aarch64 crypto instructions built"
3544 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3545 grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3546 scripts/config.py unset ${opt}
3547 done
3548
3549
3550 # examine the disassembly for absence of SHA instructions
3551 msg "clang, test A32 crypto instructions not built"
3552 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3553 not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3554
3555 msg "clang, test T32 crypto instructions not built"
3556 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3557 not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3558
3559 msg "clang, test aarch64 crypto instructions not built"
3560 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3561 not grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3562}
3563
3564support_build_aes_aesce_armcc () {
3565 support_build_armcc
3566}
3567
3568component_test_aes_only_128_bit_keys () {
3569 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH"
3570 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
3571
3572 make CFLAGS='-O2 -Werror -Wall -Wextra'
3573
3574 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH"
3575 make test
3576}
3577
3578component_test_no_ctr_drbg_aes_only_128_bit_keys () {
3579 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
3580 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
3581 scripts/config.py unset MBEDTLS_CTR_DRBG_C
3582
3583 make CC=clang CFLAGS='-Werror -Wall -Wextra'
3584
3585 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
3586 make test
3587}
3588
3589component_test_aes_only_128_bit_keys_have_builtins () {
3590 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
3591 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
3592 scripts/config.py unset MBEDTLS_AESNI_C
3593 scripts/config.py unset MBEDTLS_AESCE_C
3594
3595 make CFLAGS='-O2 -Werror -Wall -Wextra'
3596
3597 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
3598 make test
3599
3600 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
3601 programs/test/selftest
3602}
3603
3604component_test_gcm_largetable () {
3605 msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C"
3606 scripts/config.py set MBEDTLS_GCM_LARGE_TABLE
3607 scripts/config.py unset MBEDTLS_AESNI_C
3608 scripts/config.py unset MBEDTLS_AESCE_C
3609
3610 make CFLAGS='-O2 -Werror -Wall -Wextra'
3611
3612 msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C"
3613 make test
3614}
3615
3616component_test_aes_fewer_tables () {
3617 msg "build: default config with AES_FEWER_TABLES enabled"
3618 scripts/config.py set MBEDTLS_AES_FEWER_TABLES
3619 make CFLAGS='-O2 -Werror -Wall -Wextra'
3620
3621 msg "test: AES_FEWER_TABLES"
3622 make test
3623}
3624
3625component_test_aes_rom_tables () {
3626 msg "build: default config with AES_ROM_TABLES enabled"
3627 scripts/config.py set MBEDTLS_AES_ROM_TABLES
3628 make CFLAGS='-O2 -Werror -Wall -Wextra'
3629
3630 msg "test: AES_ROM_TABLES"
3631 make test
3632}
3633
3634component_test_aes_fewer_tables_and_rom_tables () {
3635 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled"
3636 scripts/config.py set MBEDTLS_AES_FEWER_TABLES
3637 scripts/config.py set MBEDTLS_AES_ROM_TABLES
3638 make CFLAGS='-O2 -Werror -Wall -Wextra'
3639
3640 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES"
3641 make test
3642}
3643
3644# helper for common_block_cipher_no_decrypt() which:
3645# - enable/disable the list of config options passed from -s/-u respectively.
3646# - build
3647# - test for tests_suite_xxx
3648# - selftest
3649#
3650# Usage: helper_block_cipher_no_decrypt_build_test
3651# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]]
3652# Options: -s set_opts the list of config options to enable
3653# -u unset_opts the list of config options to disable
3654# -c cflags the list of options passed to CFLAGS
3655# -l ldflags the list of options passed to LDFLAGS
3656helper_block_cipher_no_decrypt_build_test () {
3657 while [ $# -gt 0 ]; do
3658 case "$1" in
3659 -s)
3660 shift; local set_opts="$1";;
3661 -u)
3662 shift; local unset_opts="$1";;
3663 -c)
3664 shift; local cflags="-Werror -Wall -Wextra $1";;
3665 -l)
3666 shift; local ldflags="$1";;
3667 esac
3668 shift
3669 done
3670 set_opts="${set_opts:-}"
3671 unset_opts="${unset_opts:-}"
3672 cflags="${cflags:-}"
3673 ldflags="${ldflags:-}"
3674
3675 [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts
3676 [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts
3677
3678 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
3679 make clean
3680 make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags"
3681
3682 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
3683 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
3684 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
3685 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
3686 # Make sure we don't have mbedtls_internal_aes_decrypt in AES
3687 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
3688 # Make sure we don't have mbedtls_aesni_inverse_key in AESNI
3689 not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o
3690
3691 msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
3692 make test
3693
3694 msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
3695 programs/test/selftest
3696}
3697
3698# This is a common configuration function used in:
3699# - component_test_block_cipher_no_decrypt_aesni_legacy()
3700# - component_test_block_cipher_no_decrypt_aesni_use_psa()
3701# in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics,
3702# AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics
3703# on x86.
3704common_block_cipher_no_decrypt () {
3705 # test AESNI intrinsics
3706 helper_block_cipher_no_decrypt_build_test \
3707 -s "MBEDTLS_AESNI_C" \
3708 -c "-mpclmul -msse2 -maes"
3709
3710 # test AESNI assembly
3711 helper_block_cipher_no_decrypt_build_test \
3712 -s "MBEDTLS_AESNI_C" \
3713 -c "-mno-pclmul -mno-sse2 -mno-aes"
3714
3715 # test AES C implementation
3716 helper_block_cipher_no_decrypt_build_test \
3717 -u "MBEDTLS_AESNI_C"
3718
3719 # test AESNI intrinsics for i386 target
3720 helper_block_cipher_no_decrypt_build_test \
3721 -s "MBEDTLS_AESNI_C" \
3722 -c "-m32 -mpclmul -msse2 -maes" \
3723 -l "-m32"
3724}
3725
3726# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
3727# usage: 0: no PSA crypto configuration
3728# 1: use PSA crypto configuration
3729config_block_cipher_no_decrypt () {
3730 use_psa=$1
3731
3732 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
3733 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3734 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
3735 scripts/config.py unset MBEDTLS_DES_C
3736 scripts/config.py unset MBEDTLS_NIST_KW_C
3737
3738 if [ "$use_psa" -eq 1 ]; then
3739 # Enable support for cryptographic mechanisms through the PSA API.
3740 # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
3741 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3742 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
3743 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
3744 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
3745 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
3746 fi
3747}
3748
3749component_test_block_cipher_no_decrypt_aesni () {
3750 # This consistently causes an llvm crash on clang 3.8, so use gcc
3751 export CC=gcc
3752 config_block_cipher_no_decrypt 0
3753 common_block_cipher_no_decrypt
3754}
3755
3756component_test_block_cipher_no_decrypt_aesni_use_psa () {
3757 # This consistently causes an llvm crash on clang 3.8, so use gcc
3758 export CC=gcc
3759 config_block_cipher_no_decrypt 1
3760 common_block_cipher_no_decrypt
3761}
3762
3763support_test_block_cipher_no_decrypt_aesce_armcc () {
3764 support_build_armcc
3765}
3766
3767component_test_block_cipher_no_decrypt_aesce_armcc () {
3768 scripts/config.py baremetal
3769
3770 # armc[56] don't support SHA-512 intrinsics
3771 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
3772
3773 # Stop armclang warning about feature detection for A64_CRYPTO.
3774 # With this enabled, the library does build correctly under armclang,
3775 # but in baremetal builds (as tested here), feature detection is
3776 # unavailable, and the user is notified via a #warning. So enabling
3777 # this feature would prevent us from building with -Werror on
3778 # armclang. Tracked in #7198.
3779 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3780 scripts/config.py set MBEDTLS_HAVE_ASM
3781
3782 config_block_cipher_no_decrypt 1
3783
3784 # test AESCE baremetal build
3785 scripts/config.py set MBEDTLS_AESCE_C
3786 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE"
3787 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra"
3788
3789 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
3790 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
3791 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
3792 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
3793 # Make sure we don't have mbedtls_internal_aes_decrypt in AES
3794 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
3795 # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE
3796 not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o
3797 not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
3798}
3799
3800component_test_ctr_drbg_aes_256_sha_256 () {
3801 msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3802 scripts/config.py full
3803 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3804 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
3805 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3806 make
3807
3808 msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3809 make test
3810}
3811
3812component_test_ctr_drbg_aes_128_sha_512 () {
3813 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
3814 scripts/config.py full
3815 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3816 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
3817 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3818 make
3819
3820 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
3821 make test
3822}
3823
3824component_test_ctr_drbg_aes_128_sha_256 () {
3825 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3826 scripts/config.py full
3827 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3828 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
3829 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
3830 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3831 make
3832
3833 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3834 make test
3835}
3836
3837component_test_se_default () {
3838 msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C"
3839 scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C
3840 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS"
3841
3842 msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C"
3843 make test
3844}
3845
3846component_test_psa_crypto_drivers () {
3847 msg "build: full + test drivers dispatching to builtins"
3848 scripts/config.py full
3849 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG
3850 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL"
3851 loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
3852 loc_cflags="${loc_cflags} -I../tests/include -O2"
3853
3854 make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
3855
3856 msg "test: full + test drivers dispatching to builtins"
3857 make test
3858}
3859
3860component_test_make_shared () {
3861 msg "build/test: make shared" # ~ 40s
3862 make SHARED=1 all check
3863 ldd programs/util/strerror | grep libmbedcrypto
3864 programs/test/dlopen_demo.sh
3865}
3866
3867component_test_cmake_shared () {
3868 msg "build/test: cmake shared" # ~ 2min
3869 cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
3870 make
3871 ldd programs/util/strerror | grep libmbedcrypto
3872 make test
3873 programs/test/dlopen_demo.sh
3874}
3875
3876test_build_opt () {
3877 info=$1 cc=$2; shift 2
3878 $cc --version
3879 for opt in "$@"; do
3880 msg "build/test: $cc $opt, $info" # ~ 30s
3881 make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror"
3882 # We're confident enough in compilers to not run _all_ the tests,
3883 # but at least run the unit tests. In particular, runs with
3884 # optimizations use inline assembly whereas runs with -O0
3885 # skip inline assembly.
3886 make test # ~30s
3887 make clean
3888 done
3889}
3890
3891# For FreeBSD we invoke the function by name so this condition is added
3892# to disable the existing test_clang_opt function for linux.
3893if [[ $(uname) != "Linux" ]]; then
3894 component_test_clang_opt () {
3895 scripts/config.py full
3896 test_build_opt 'full config' clang -O0 -Os -O2
3897 }
3898fi
3899
3900component_test_clang_latest_opt () {
3901 scripts/config.py full
3902 test_build_opt 'full config' "$CLANG_LATEST" -O0 -Os -O2
3903}
3904support_test_clang_latest_opt () {
3905 type "$CLANG_LATEST" >/dev/null 2>/dev/null
3906}
3907
3908component_test_clang_earliest_opt () {
3909 scripts/config.py full
3910 test_build_opt 'full config' "$CLANG_EARLIEST" -O0
3911}
3912support_test_clang_earliest_opt () {
3913 type "$CLANG_EARLIEST" >/dev/null 2>/dev/null
3914}
3915
3916component_test_gcc_latest_opt () {
3917 scripts/config.py full
3918 test_build_opt 'full config' "$GCC_LATEST" -O0 -Os -O2
3919}
3920support_test_gcc_latest_opt () {
3921 type "$GCC_LATEST" >/dev/null 2>/dev/null
3922}
3923
3924component_test_gcc_earliest_opt () {
3925 scripts/config.py full
3926 test_build_opt 'full config' "$GCC_EARLIEST" -O0
3927}
3928support_test_gcc_earliest_opt () {
3929 type "$GCC_EARLIEST" >/dev/null 2>/dev/null
3930}
3931
3932component_build_mbedtls_config_file () {
3933 msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
3934 scripts/config.py -w full_config.h full
3935 echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
3936 make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
3937 # Make sure this feature is enabled. We'll disable it in the next phase.
3938 programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
3939 make clean
3940
3941 msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE"
3942 # In the user config, disable one feature (for simplicity, pick a feature
3943 # that nothing else depends on).
3944 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
3945 make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
3946 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
3947
3948 rm -f user_config.h full_config.h
3949}
3950
3951component_build_psa_config_file () {
3952 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
3953 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3954 cp "$CRYPTO_CONFIG_H" psa_test_config.h
3955 echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
3956 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
3957 # Make sure this feature is enabled. We'll disable it in the next phase.
3958 programs/test/query_compile_time_config MBEDTLS_CMAC_C
3959 make clean
3960
3961 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
3962 # In the user config, disable one feature and its dependencies, which will
3963 # reflect on the mbedtls configuration so we can query it with
3964 # query_compile_time_config.
3965 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
3966 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
3967 scripts/config.py unset MBEDTLS_CMAC_C
3968 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
3969 not programs/test/query_compile_time_config MBEDTLS_CMAC_C
3970
3971 rm -f psa_test_config.h psa_user_config.h
3972}
3973
3974component_build_psa_alt_headers () {
3975 msg "build: make with PSA alt headers" # ~20s
3976
3977 # Generate alternative versions of the substitutable headers with the
3978 # same content except different include guards.
3979 make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h
3980
3981 # Build the library and some programs.
3982 # Don't build the fuzzers to avoid having to go through hoops to set
3983 # a correct include path for programs/fuzz/Makefile.
3984 make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib
3985 make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'"
3986
3987 # Check that we're getting the alternative include guards and not the
3988 # original include guards.
3989 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H
3990 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H
3991 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H
3992 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H
3993}
3994
3995component_test_m32_no_asm () {
3996 # Build without assembly, so as to use portable C code (in a 32-bit
3997 # build) and not the i386-specific inline assembly.
3998 #
3999 # Note that we require gcc, because clang Asan builds fail to link for
4000 # this target (cannot find libclang_rt.lsan-i386.a - this is a known clang issue).
4001 msg "build: i386, make, gcc, no asm (ASan build)" # ~ 30s
4002 scripts/config.py full
4003 scripts/config.py unset MBEDTLS_HAVE_ASM
4004 scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
4005 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
4006
4007 msg "test: i386, make, gcc, no asm (ASan build)"
4008 make test
4009}
4010support_test_m32_no_asm () {
4011 case $(uname -m) in
4012 amd64|x86_64) true;;
4013 *) false;;
4014 esac
4015}
4016
4017component_test_m32_o2 () {
4018 # Build with optimization, to use the i386 specific inline assembly
4019 # and go faster for tests.
4020 msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s
4021 scripts/config.py full
4022 scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
4023 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
4024
4025 msg "test: i386, make, gcc -O2 (ASan build)"
4026 make test
4027
4028 msg "test ssl-opt.sh, i386, make, gcc-O2"
4029 tests/ssl-opt.sh
4030}
4031support_test_m32_o2 () {
4032 support_test_m32_no_asm "$@"
4033}
4034
4035component_test_m32_everest () {
4036 msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min
4037 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
4038 scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
4039 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
4040
4041 msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
4042 make test
4043
4044 msg "test: i386, Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
4045 tests/ssl-opt.sh -f ECDH
4046
4047 msg "test: i386, Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
4048 # Exclude some symmetric ciphers that are redundant here to gain time.
4049 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
4050}
4051support_test_m32_everest () {
4052 support_test_m32_no_asm "$@"
4053}
4054
4055component_test_mx32 () {
4056 msg "build: 64-bit ILP32, make, gcc" # ~ 30s
4057 scripts/config.py full
4058 make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
4059
4060 msg "test: 64-bit ILP32, make, gcc"
4061 make test
4062}
4063support_test_mx32 () {
4064 case $(uname -m) in
4065 amd64|x86_64) true;;
4066 *) false;;
4067 esac
4068}
4069
4070component_test_min_mpi_window_size () {
4071 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
4072 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1
4073 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
4074 make
4075
4076 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
4077 make test
4078}
4079
4080component_test_have_int32 () {
4081 msg "build: gcc, force 32-bit bignum limbs"
4082 scripts/config.py unset MBEDTLS_HAVE_ASM
4083 scripts/config.py unset MBEDTLS_AESNI_C
4084 scripts/config.py unset MBEDTLS_AESCE_C
4085 make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
4086
4087 msg "test: gcc, force 32-bit bignum limbs"
4088 make test
4089}
4090
4091component_test_have_int64 () {
4092 msg "build: gcc, force 64-bit bignum limbs"
4093 scripts/config.py unset MBEDTLS_HAVE_ASM
4094 scripts/config.py unset MBEDTLS_AESNI_C
4095 scripts/config.py unset MBEDTLS_AESCE_C
4096 make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
4097
4098 msg "test: gcc, force 64-bit bignum limbs"
4099 make test
4100}
4101
4102component_test_have_int32_cmake_new_bignum () {
4103 msg "build: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)"
4104 scripts/config.py unset MBEDTLS_HAVE_ASM
4105 scripts/config.py unset MBEDTLS_AESNI_C
4106 scripts/config.py unset MBEDTLS_AESCE_C
4107 scripts/config.py set MBEDTLS_TEST_HOOKS
4108 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
4109 make CC=gcc CFLAGS="$ASAN_CFLAGS -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32" LDFLAGS="$ASAN_CFLAGS"
4110
4111 msg "test: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)"
4112 make test
4113}
4114
4115component_test_no_udbl_division () {
4116 msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
4117 scripts/config.py full
4118 scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
4119 make CFLAGS='-Werror -O1'
4120
4121 msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
4122 make test
4123}
4124
4125component_test_no_64bit_multiplication () {
4126 msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
4127 scripts/config.py full
4128 scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
4129 make CFLAGS='-Werror -O1'
4130
4131 msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
4132 make test
4133}
4134
4135component_test_no_strings () {
4136 msg "build: no strings" # ~10s
4137 scripts/config.py full
4138 # Disable options that activate a large amount of string constants.
4139 scripts/config.py unset MBEDTLS_DEBUG_C
4140 scripts/config.py unset MBEDTLS_ERROR_C
4141 scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY
4142 scripts/config.py unset MBEDTLS_VERSION_FEATURES
4143 make CFLAGS='-Werror -Os'
4144
4145 msg "test: no strings" # ~ 10s
4146 make test
4147}
4148
4149component_test_no_x509_info () {
4150 msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
4151 scripts/config.pl full
4152 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
4153 scripts/config.pl set MBEDTLS_X509_REMOVE_INFO
4154 make CFLAGS='-Werror -O2'
4155
4156 msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
4157 make test
4158
4159 msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_INFO" # ~ 1 min
4160 tests/ssl-opt.sh
4161}
4162
4163component_build_arm_none_eabi_gcc () {
4164 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" # ~ 10s
4165 scripts/config.py baremetal
4166 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib
4167
4168 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug"
4169 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
4170 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4171 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4172}
4173
4174component_build_arm_linux_gnueabi_gcc_arm5vte () {
4175 msg "build: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s
4176 scripts/config.py baremetal
4177 # Build for a target platform that's close to what Debian uses
4178 # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort).
4179 # See https://github.com/Mbed-TLS/mbedtls/pull/2169 and comments.
4180 # Build everything including programs, see for example
4181 # https://github.com/Mbed-TLS/mbedtls/pull/3449#issuecomment-675313720
4182 make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te'
4183
4184 msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
4185 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o
4186 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4187 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4188}
4189support_build_arm_linux_gnueabi_gcc_arm5vte () {
4190 type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1
4191}
4192
4193component_build_arm_none_eabi_gcc_arm5vte () {
4194 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s
4195 scripts/config.py baremetal
4196 # This is an imperfect substitute for
4197 # component_build_arm_linux_gnueabi_gcc_arm5vte
4198 # in case the gcc-arm-linux-gnueabi toolchain is not available
4199 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
4200
4201 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
4202 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
4203 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4204 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4205}
4206
4207component_build_arm_none_eabi_gcc_m0plus () {
4208 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus, baremetal_size" # ~ 10s
4209 scripts/config.py baremetal_size
4210 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib
4211
4212 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size"
4213 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
4214 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4215 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4216 for lib in library/*.a; do
4217 echo "$lib:"
4218 ${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS
4219 done
4220}
4221
4222component_build_arm_none_eabi_gcc_no_udbl_division () {
4223 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
4224 scripts/config.py baremetal
4225 scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
4226 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib
4227 echo "Checking that software 64-bit division is not required"
4228 not grep __aeabi_uldiv library/*.o
4229 not grep __aeabi_uldiv ${PSA_CORE_PATH}/*.o
4230 not grep __aeabi_uldiv ${BUILTIN_SRC_PATH}/*.o
4231}
4232
4233component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
4234 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s
4235 scripts/config.py baremetal
4236 scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
4237 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib
4238 echo "Checking that software 64-bit multiplication is not required"
4239 not grep __aeabi_lmul library/*.o
4240 not grep __aeabi_lmul ${PSA_CORE_PATH}/*.o
4241 not grep __aeabi_lmul ${BUILTIN_SRC_PATH}/*.o
4242}
4243
4244component_build_arm_clang_thumb () {
4245 # ~ 30s
4246
4247 scripts/config.py baremetal
4248
4249 msg "build: clang thumb 2, make"
4250 make clean
4251 make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -march=armv7-m -mthumb' lib
4252
4253 # Some Thumb 1 asm is sensitive to optimisation level, so test both -O0 and -Os
4254 msg "build: clang thumb 1 -O0, make"
4255 make clean
4256 make CC="clang" CFLAGS='-std=c99 -Werror -O0 --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib
4257
4258 msg "build: clang thumb 1 -Os, make"
4259 make clean
4260 make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib
4261}
4262
4263component_build_armcc () {
4264 msg "build: ARM Compiler 5"
4265 scripts/config.py baremetal
4266 # armc[56] don't support SHA-512 intrinsics
4267 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
4268
4269 # older versions of armcc/armclang don't support AESCE_C on 32-bit Arm
4270 scripts/config.py unset MBEDTLS_AESCE_C
4271
4272 # Stop armclang warning about feature detection for A64_CRYPTO.
4273 # With this enabled, the library does build correctly under armclang,
4274 # but in baremetal builds (as tested here), feature detection is
4275 # unavailable, and the user is notified via a #warning. So enabling
4276 # this feature would prevent us from building with -Werror on
4277 # armclang. Tracked in #7198.
4278 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
4279
4280 scripts/config.py set MBEDTLS_HAVE_ASM
4281
4282 make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
4283
4284 msg "size: ARM Compiler 5"
4285 "$ARMC5_FROMELF" -z library/*.o
4286 "$ARMC5_FROMELF" -z ${PSA_CORE_PATH}/*.o
4287 "$ARMC5_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
4288
4289 # Compile mostly with -O1 since some Arm inline assembly is disabled for -O0.
4290
4291 # ARM Compiler 6 - Target ARMv7-A
4292 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-a"
4293
4294 # ARM Compiler 6 - Target ARMv7-M
4295 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m"
4296
4297 # ARM Compiler 6 - Target ARMv7-M+DSP
4298 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m+dsp"
4299
4300 # ARM Compiler 6 - Target ARMv8-A - AArch32
4301 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8.2-a"
4302
4303 # ARM Compiler 6 - Target ARMv8-M
4304 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main"
4305
4306 # ARM Compiler 6 - Target Cortex-M0 - no optimisation
4307 armc6_build_test "-O0 --target=arm-arm-none-eabi -mcpu=cortex-m0"
4308
4309 # ARM Compiler 6 - Target Cortex-M0
4310 armc6_build_test "-Os --target=arm-arm-none-eabi -mcpu=cortex-m0"
4311
4312 # ARM Compiler 6 - Target ARMv8.2-A - AArch64
4313 #
4314 # Re-enable MBEDTLS_AESCE_C as this should be supported by the version of armclang
4315 # that we have in our CI
4316 scripts/config.py set MBEDTLS_AESCE_C
4317 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto"
4318}
4319
4320support_build_armcc () {
4321 armc5_cc="$ARMC5_BIN_DIR/armcc"
4322 armc6_cc="$ARMC6_BIN_DIR/armclang"
4323 (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
4324}
4325
4326component_test_tls12_only () {
4327 msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan"
4328 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
4329 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
4330 make
4331
4332 msg "test: main suites (inc. selftests) (ASan build)"
4333 make test
4334
4335 msg "test: ssl-opt.sh (ASan build)"
4336 tests/ssl-opt.sh
4337
4338 msg "test: compat.sh (ASan build)"
4339 tests/compat.sh
4340}
4341
4342component_test_tls13_only () {
4343 msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2"
4344 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4345 scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
4346 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4347
4348 msg "test: TLS 1.3 only, all key exchange modes enabled"
4349 make test
4350
4351 msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled"
4352 tests/ssl-opt.sh
4353}
4354
4355component_test_tls13_only_psk () {
4356 msg "build: TLS 1.3 only from default, only PSK key exchange mode"
4357 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4358 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
4359 scripts/config.py unset MBEDTLS_ECDH_C
4360 scripts/config.py unset MBEDTLS_DHM_C
4361 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4362 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4363 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4364 scripts/config.py unset MBEDTLS_ECDSA_C
4365 scripts/config.py unset MBEDTLS_PKCS1_V21
4366 scripts/config.py unset MBEDTLS_PKCS7_C
4367 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4368 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4369
4370 msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled"
4371 cd tests; ./test_suite_ssl; cd ..
4372
4373 msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled"
4374 tests/ssl-opt.sh
4375}
4376
4377component_test_tls13_only_ephemeral () {
4378 msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
4379 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4380 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
4381 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
4382 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4383
4384 msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
4385 cd tests; ./test_suite_ssl; cd ..
4386
4387 msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode"
4388 tests/ssl-opt.sh
4389}
4390
4391component_test_tls13_only_ephemeral_ffdh () {
4392 msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode"
4393 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4394 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
4395 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
4396 scripts/config.py unset MBEDTLS_ECDH_C
4397
4398 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4399
4400 msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode"
4401 cd tests; ./test_suite_ssl; cd ..
4402
4403 msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode"
4404 tests/ssl-opt.sh
4405}
4406
4407component_test_tls13_only_psk_ephemeral () {
4408 msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode"
4409 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4410 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4411 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4412 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4413 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4414 scripts/config.py unset MBEDTLS_ECDSA_C
4415 scripts/config.py unset MBEDTLS_PKCS1_V21
4416 scripts/config.py unset MBEDTLS_PKCS7_C
4417 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4418 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4419
4420 msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode"
4421 cd tests; ./test_suite_ssl; cd ..
4422
4423 msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode"
4424 tests/ssl-opt.sh
4425}
4426
4427component_test_tls13_only_psk_ephemeral_ffdh () {
4428 msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode"
4429 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4430 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4431 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4432 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4433 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4434 scripts/config.py unset MBEDTLS_ECDSA_C
4435 scripts/config.py unset MBEDTLS_PKCS1_V21
4436 scripts/config.py unset MBEDTLS_PKCS7_C
4437 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4438 scripts/config.py unset MBEDTLS_ECDH_C
4439 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4440
4441 msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"
4442 cd tests; ./test_suite_ssl; cd ..
4443
4444 msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"
4445 tests/ssl-opt.sh
4446}
4447
4448component_test_tls13_only_psk_all () {
4449 msg "build: TLS 1.3 only from default, without ephemeral key exchange mode"
4450 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4451 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4452 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4453 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4454 scripts/config.py unset MBEDTLS_ECDSA_C
4455 scripts/config.py unset MBEDTLS_PKCS1_V21
4456 scripts/config.py unset MBEDTLS_PKCS7_C
4457 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4458 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4459
4460 msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
4461 cd tests; ./test_suite_ssl; cd ..
4462
4463 msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
4464 tests/ssl-opt.sh
4465}
4466
4467component_test_tls13_only_ephemeral_all () {
4468 msg "build: TLS 1.3 only from default, without PSK key exchange mode"
4469 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4470 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4471 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4472
4473 msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
4474 cd tests; ./test_suite_ssl; cd ..
4475
4476 msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
4477 tests/ssl-opt.sh
4478}
4479
4480component_test_tls13_no_padding () {
4481 msg "build: default config plus early data minus padding"
4482 scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
4483 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4484 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
4485 make
4486 msg "test: default config plus early data minus padding"
4487 make test
4488 msg "ssl-opt.sh (TLS 1.3 no padding)"
4489 tests/ssl-opt.sh
4490}
4491
4492component_test_tls13_no_compatibility_mode () {
4493 msg "build: default config plus early data minus middlebox compatibility mode"
4494 scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
4495 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4496 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
4497 make
4498 msg "test: default config plus early data minus middlebox compatibility mode"
4499 make test
4500 msg "ssl-opt.sh (TLS 1.3 no compatibility mode)"
4501 tests/ssl-opt.sh
4502}
4503
4504component_test_full_minus_session_tickets() {
4505 msg "build: full config without session tickets"
4506 scripts/config.py full
4507 scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS
4508 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
4509 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
4510 make
4511 msg "test: full config without session tickets"
4512 make test
4513 msg "ssl-opt.sh (full config without session tickets)"
4514 tests/ssl-opt.sh
4515}
4516
4517component_build_mingw () {
4518 msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
4519 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs
4520
4521 # note Make tests only builds the tests, but doesn't run them
4522 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests
4523 make WINDOWS_BUILD=1 clean
4524
4525 msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
4526 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs
4527 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests
4528 make WINDOWS_BUILD=1 clean
4529
4530 msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s
4531 ./scripts/config.py unset MBEDTLS_AESNI_C #
4532 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib
4533 make WINDOWS_BUILD=1 clean
4534}
4535support_build_mingw() {
4536 case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in
4537 [0-5]*|"") false;;
4538 *) true;;
4539 esac
4540}
4541
4542component_test_memsan () {
4543 msg "build: MSan (clang)" # ~ 1 min 20s
4544 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
4545 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
4546 make
4547
4548 msg "test: main suites (MSan)" # ~ 10s
4549 make test
4550
4551 msg "test: metatests (MSan)"
4552 tests/scripts/run-metatests.sh any msan
4553
4554 msg "program demos (MSan)" # ~20s
4555 tests/scripts/run_demos.py
4556
4557 msg "test: ssl-opt.sh (MSan)" # ~ 1 min
4558 tests/ssl-opt.sh
4559
4560 # Optional part(s)
4561
4562 if [ "$MEMORY" -gt 0 ]; then
4563 msg "test: compat.sh (MSan)" # ~ 6 min 20s
4564 tests/compat.sh
4565 fi
4566}
4567
4568component_release_test_valgrind () {
4569 msg "build: Release (clang)"
4570 # default config, in particular without MBEDTLS_USE_PSA_CRYPTO
4571 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
4572 make
4573
4574 msg "test: main suites, Valgrind (default config)"
4575 make memcheck
4576
4577 # Optional parts (slow; currently broken on OS X because programs don't
4578 # seem to receive signals under valgrind on OS X).
4579 # These optional parts don't run on the CI.
4580 if [ "$MEMORY" -gt 0 ]; then
4581 msg "test: ssl-opt.sh --memcheck (default config)"
4582 tests/ssl-opt.sh --memcheck
4583 fi
4584
4585 if [ "$MEMORY" -gt 1 ]; then
4586 msg "test: compat.sh --memcheck (default config)"
4587 tests/compat.sh --memcheck
4588 fi
4589
4590 if [ "$MEMORY" -gt 0 ]; then
4591 msg "test: context-info.sh --memcheck (default config)"
4592 tests/context-info.sh --memcheck
4593 fi
4594}
4595
4596component_release_test_valgrind_psa () {
4597 msg "build: Release, full (clang)"
4598 # full config, in particular with MBEDTLS_USE_PSA_CRYPTO
4599 scripts/config.py full
4600 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
4601 make
4602
4603 msg "test: main suites, Valgrind (full config)"
4604 make memcheck
4605}
4606
4607support_test_cmake_out_of_source () {
4608 distrib_id=""
4609 distrib_ver=""
4610 distrib_ver_minor=""
4611 distrib_ver_major=""
4612
4613 # Attempt to parse lsb-release to find out distribution and version. If not
4614 # found this should fail safe (test is supported).
4615 if [[ -f /etc/lsb-release ]]; then
4616
4617 while read -r lsb_line; do
4618 case "$lsb_line" in
4619 "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};;
4620 "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};;
4621 esac
4622 done < /etc/lsb-release
4623
4624 distrib_ver_major="${distrib_ver%%.*}"
4625 distrib_ver="${distrib_ver#*.}"
4626 distrib_ver_minor="${distrib_ver%%.*}"
4627 fi
4628
4629 # Running the out of source CMake test on Ubuntu 16.04 using more than one
4630 # processor (as the CI does) can create a race condition whereby the build
4631 # fails to see a generated file, despite that file actually having been
4632 # generated. This problem appears to go away with 18.04 or newer, so make
4633 # the out of source tests unsupported on Ubuntu 16.04.
4634 [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ]
4635}
4636
4637component_test_cmake_out_of_source () {
4638 # Remove existing generated files so that we use the ones cmake
4639 # generates
4640 make neat
4641
4642 msg "build: cmake 'out-of-source' build"
4643 MBEDTLS_ROOT_DIR="$PWD"
4644 mkdir "$OUT_OF_SOURCE_DIR"
4645 cd "$OUT_OF_SOURCE_DIR"
4646 # Note: Explicitly generate files as these are turned off in releases
4647 cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$MBEDTLS_ROOT_DIR"
4648 make
4649
4650 msg "test: cmake 'out-of-source' build"
4651 make test
4652 # Check that ssl-opt.sh can find the test programs.
4653 # Also ensure that there are no error messages such as
4654 # "No such file or directory", which would indicate that some required
4655 # file is missing (ssl-opt.sh tolerates the absence of some files so
4656 # may exit with status 0 but emit errors).
4657 ./tests/ssl-opt.sh -f 'Default' >ssl-opt.out 2>ssl-opt.err
4658 grep PASS ssl-opt.out
4659 cat ssl-opt.err >&2
4660 # If ssl-opt.err is non-empty, record an error and keep going.
4661 [ ! -s ssl-opt.err ]
4662 rm ssl-opt.out ssl-opt.err
4663 cd "$MBEDTLS_ROOT_DIR"
4664 rm -rf "$OUT_OF_SOURCE_DIR"
4665}
4666
4667component_test_cmake_as_subdirectory () {
4668 # Remove existing generated files so that we use the ones CMake
4669 # generates
4670 make neat
4671
4672 msg "build: cmake 'as-subdirectory' build"
4673 cd programs/test/cmake_subproject
4674 # Note: Explicitly generate files as these are turned off in releases
4675 cmake -D GEN_FILES=ON .
4676 make
4677 ./cmake_subproject
4678}
4679support_test_cmake_as_subdirectory () {
4680 support_test_cmake_out_of_source
4681}
4682
4683component_test_cmake_as_package () {
4684 # Remove existing generated files so that we use the ones CMake
4685 # generates
4686 make neat
4687
4688 msg "build: cmake 'as-package' build"
4689 cd programs/test/cmake_package
4690 cmake .
4691 make
4692 ./cmake_package
4693}
4694support_test_cmake_as_package () {
4695 support_test_cmake_out_of_source
4696}
4697
4698component_test_cmake_as_package_install () {
4699 # Remove existing generated files so that we use the ones CMake
4700 # generates
4701 make neat
4702
4703 msg "build: cmake 'as-installed-package' build"
4704 cd programs/test/cmake_package_install
4705 cmake .
4706 make
4707 ./cmake_package_install
4708}
4709support_test_cmake_as_package_install () {
4710 support_test_cmake_out_of_source
4711}
4712
4713component_build_cmake_custom_config_file () {
4714 # Make a copy of config file to use for the in-tree test
4715 cp "$CONFIG_H" include/mbedtls_config_in_tree_copy.h
4716
4717 MBEDTLS_ROOT_DIR="$PWD"
4718 mkdir "$OUT_OF_SOURCE_DIR"
4719 cd "$OUT_OF_SOURCE_DIR"
4720
4721 # Build once to get the generated files (which need an intact config file)
4722 cmake "$MBEDTLS_ROOT_DIR"
4723 make
4724
4725 msg "build: cmake with -DMBEDTLS_CONFIG_FILE"
4726 scripts/config.py -w full_config.h full
4727 echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H"
4728 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h "$MBEDTLS_ROOT_DIR"
4729 make
4730
4731 msg "build: cmake with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE"
4732 # In the user config, disable one feature (for simplicity, pick a feature
4733 # that nothing else depends on).
4734 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
4735
4736 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h "$MBEDTLS_ROOT_DIR"
4737 make
4738 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
4739
4740 rm -f user_config.h full_config.h
4741
4742 cd "$MBEDTLS_ROOT_DIR"
4743 rm -rf "$OUT_OF_SOURCE_DIR"
4744
4745 # Now repeat the test for an in-tree build:
4746
4747 # Restore config for the in-tree test
4748 mv include/mbedtls_config_in_tree_copy.h "$CONFIG_H"
4749
4750 # Build once to get the generated files (which need an intact config)
4751 cmake .
4752 make
4753
4754 msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE"
4755 scripts/config.py -w full_config.h full
4756 echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H"
4757 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h .
4758 make
4759
4760 msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE"
4761 # In the user config, disable one feature (for simplicity, pick a feature
4762 # that nothing else depends on).
4763 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
4764
4765 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h .
4766 make
4767 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
4768
4769 rm -f user_config.h full_config.h
4770}
4771support_build_cmake_custom_config_file () {
4772 support_test_cmake_out_of_source
4773}
4774
4775component_build_cmake_programs_no_testing () {
4776 # Verify that the type of builds performed by oss-fuzz don't get accidentally broken
4777 msg "build: cmake with -DENABLE_PROGRAMS=ON and -DENABLE_TESTING=OFF"
4778 cmake -DENABLE_PROGRAMS=ON -DENABLE_TESTING=OFF .
4779 make
4780}
4781support_build_cmake_programs_no_testing () {
4782 support_test_cmake_out_of_source
4783}
4784
4785component_build_zeroize_checks () {
4786 msg "build: check for obviously wrong calls to mbedtls_platform_zeroize()"
4787
4788 scripts/config.py full
4789
4790 # Only compile - we're looking for sizeof-pointer-memaccess warnings
4791 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess"
4792}
4793
4794
4795component_test_zeroize () {
4796 # Test that the function mbedtls_platform_zeroize() is not optimized away by
4797 # different combinations of compilers and optimization flags by using an
4798 # auxiliary GDB script. Unfortunately, GDB does not return error values to the
4799 # system in all cases that the script fails, so we must manually search the
4800 # output to check whether the pass string is present and no failure strings
4801 # were printed.
4802
4803 # Don't try to disable ASLR. We don't care about ASLR here. We do care
4804 # about a spurious message if Gdb tries and fails, so suppress that.
4805 gdb_disable_aslr=
4806 if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then
4807 gdb_disable_aslr='set disable-randomization off'
4808 fi
4809
4810 for optimization_flag in -O2 -O3 -Ofast -Os; do
4811 for compiler in clang gcc; do
4812 msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()"
4813 make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag"
4814 gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
4815 grep "The buffer was correctly zeroized" test_zeroize.log
4816 not grep -i "error" test_zeroize.log
4817 rm -f test_zeroize.log
4818 make clean
4819 done
4820 done
4821}
4822
4823component_test_psa_compliance () {
4824 # The arch tests build with gcc, so require use of gcc here to link properly
4825 msg "build: make, default config (out-of-box), libmbedcrypto.a only"
4826 CC=gcc make -C library libmbedcrypto.a
4827
4828 msg "unit test: test_psa_compliance.py"
4829 CC=gcc ./tests/scripts/test_psa_compliance.py
4830}
4831
4832support_test_psa_compliance () {
4833 # psa-compliance-tests only supports CMake >= 3.10.0
4834 ver="$(cmake --version)"
4835 ver="${ver#cmake version }"
4836 ver_major="${ver%%.*}"
4837
4838 ver="${ver#*.}"
4839 ver_minor="${ver%%.*}"
4840
4841 [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ]
4842}
4843
Minos Galanakisdb7b1bb2024-07-26 13:39:09 +0100[diff] [blame]4844component_test_psasim () {
Minos Galanakisada21b02024-07-26 12:34:19 +0100[diff] [blame]4845 msg "build server library and application"
4846 scripts/config.py crypto
4847 helper_psasim_config server
4848 helper_psasim_build server
4849
4850 helper_psasim_cleanup_before_client
4851
4852 msg "build library for client"
4853 helper_psasim_config client
4854 helper_psasim_build client
4855
4856 msg "build basic psasim client"
4857 make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_client_base
4858 msg "test basic psasim client"
4859 tests/psa-client-server/psasim/test/run_test.sh psa_client_base
4860
4861 msg "build full psasim client"
4862 make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_client_full
4863 msg "test full psasim client"
4864 tests/psa-client-server/psasim/test/run_test.sh psa_client_full
4865
4866 make -C tests/psa-client-server/psasim clean
4867}
4868
Minos Galanakisdb7b1bb2024-07-26 13:39:09 +0100[diff] [blame]4869component_test_suite_with_psasim () {
Minos Galanakisada21b02024-07-26 12:34:19 +0100[diff] [blame]4870 msg "build server library and application"
4871 helper_psasim_config server
4872 # Modify server's library configuration here (if needed)
4873 helper_psasim_build server
4874
4875 helper_psasim_cleanup_before_client
4876
4877 msg "build client library"
4878 helper_psasim_config client
4879 # PAKE functions are still unsupported from PSASIM
4880 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
4881 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
4882 helper_psasim_build client
4883
4884 msg "build test suites"
4885 make PSASIM=1 CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" tests
4886
4887 helper_psasim_server kill
4888 helper_psasim_server start
4889
4890 # psasim takes an extremely long execution time on some test suites so we
4891 # exclude them from the list.
4892 SKIP_TEST_SUITES="constant_time_hmac,lmots,lms"
4893 export SKIP_TEST_SUITES
4894
4895 msg "run test suites"
4896 make PSASIM=1 test
4897
4898 helper_psasim_server kill
Minos Galanakis85c78f52024-07-26 14:11:08 +0100[diff] [blame^]4899}