TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a47b045a68fd8bbe1732739d49fe40a3fba53592 / . / tests / scripts / components-configuration-crypto.sh
blob: cbebd16b37eb6feff05b7800842e96da6212a52f [file] [log] [blame]
Minos Galanakis6aab5b72024-07-25 14:24:37 +0100[diff] [blame]1# components-configuration-crypto.sh
2#
3# Copyright The Mbed TLS Contributors
4# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
5
Minos Galanakis609f7492024-07-31 16:39:28 +0100[diff] [blame]6# This file contains test components that are executed by all.sh
Minos Galanakis6aab5b72024-07-25 14:24:37 +0100[diff] [blame]7
8################################################################
9#### Configuration Testing - Crypto
10################################################################
11
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]12component_test_psa_crypto_key_id_encodes_owner () {
13 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
14 scripts/config.py full
15 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
16 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
17 make
18
19 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
20 make test
21}
22
23component_test_psa_assume_exclusive_buffers () {
24 msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
25 scripts/config.py full
26 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
27 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
28 make
29
30 msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
31 make test
32}
33
Valerio Settidbb646b2024-06-20 14:40:54 +0200[diff] [blame]34component_test_crypto_with_static_key_slots() {
35 msg "build: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS"
36 scripts/config.py crypto_full
37 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS
38
39 make test
40}
41
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]42# check_renamed_symbols HEADER LIB
43# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
Minos Galanakis609f7492024-07-31 16:39:28 +0100[diff] [blame]44# name in LIB.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]45check_renamed_symbols () {
46 ! nm "$2" | sed 's/.* //' |
47 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")"
48}
49
50component_build_psa_crypto_spm () {
51 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc"
52 scripts/config.py full
53 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
54 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
55 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM
56 # We can only compile, not link, since our test and sample programs
57 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM
58 # is active.
59 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib
60
61 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed
62 # version is not present.
63 echo "Checking for renamed symbols in the library"
64 check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
65}
66
Valerio Settia47b0452024-06-25 18:31:36 +0200[diff] [blame^]67# The goal of this component is to build a configuration where:
68# - test code and libtestdriver1 can make use of calloc/free and
69# - core library (including PSA core) cannot use calloc/free.
70component_test_psa_crypto_without_heap() {
71 # Disable PSA features that cannot be accelerated and whose builtin support
72 # requires calloc/free.
73 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
74 scripts/config.py -f $CRYPTO_CONFIG_H unset-all PSA_WANT_ALG_HKDF*
75 scripts/config.py -f $CRYPTO_CONFIG_H unset-all PSA_WANT_ALG_PBKDF2*
76 scripts/config.py -f $CRYPTO_CONFIG_H unset-all PSA_WANT_ALG_TLS12*
77 # RSA key support requires ASN1 parse/write support for testing, but ASN1
78 # is disabled below.
79 scripts/config.py -f $CRYPTO_CONFIG_H unset-all PSA_WANT_KEY_TYPE_RSA_*
80 scripts/config.py -f $CRYPTO_CONFIG_H unset-all PSA_WANT_ALG_RSA_*
81 # DES requires built-in support for key generation (parity check) so it
82 # cannot be accelerated
83 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
84 # EC-JPAKE use calloc/free in PSA core
85 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
86
87 # Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H).
88 PSA_SYM_LIST=$(./scripts/config.py -f $CRYPTO_CONFIG_H get-all-enabled PSA_WANT)
89 loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g')
90
91 msg "build: libtestdriver1"
92 helper_libtestdriver1_adjust_config crypto
93 helper_libtestdriver1_make_drivers "$loc_accel_list"
94
95 msg "build: main library"
96 # Enable fully-static key slots in PSA core.
97 scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS
98 # Prevent PSA core from creating a copy of input/output buffers
99 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
100 # Prevent PSA core from using CTR-DRBG or HMAC-DRBG for random generation.
101 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
102 # Set cmalloc/free as null pointer functions. Calling them would crash
103 # the program so we can use this as a "sentinel" for being sure no module
104 # is making use of these functions in the library.
105 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
106 scripts/config.py set MBEDTLS_PLATFORM_STD_CALLOC NULL
107 scripts/config.py set MBEDTLS_PLATFORM_STD_FREE NULL
108
109 # Disable all the modules/features that use cmalloc directly
110 scripts/config.py unset-all MBEDTLS_ASN1_
111 scripts/config.py unset MBEDTLS_BIGNUM_C
112 scripts/config.py unset MBEDTLS_CIPHER_C
113 scripts/config.py unset MBEDTLS_CMAC_C
114 scripts/config.py unset MBEDTLS_DHM_C
115 scripts/config.py unset MBEDTLS_ECDSA_C
116 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
117 scripts/config.py unset MBEDTLS_ECP_C
118 scripts/config.py unset-all MBEDTLS_LMS_
119 scripts/config.py unset MBEDTLS_MD_C
120 scripts/config.py unset MBEDTLS_OID_C
121 scripts/config.py unset-all MBEDTLS_PEM_
122 scripts/config.py unset MBEDTLS_PKCS7_C
123 scripts/config.py unset-all MBEDTLS_PK_
124 scripts/config.py unset MBEDTLS_RSA_C
125 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
126 # Disable all modules that depend on the the previous ones
127 scripts/config.py unset MBEDTLS_NIST_KW_C
128 scripts/config.py unset MBEDTLS_ECDH_C
129 scripts/config.py unset MBEDTLS_ECJPAKE_C
130 scripts/config.py unset-all MBEDTLS_PKCS1_
131 scripts/config.py unset-all MBEDTLS_ENTROPY_
132 scripts/config.py unset-all MBEDTLS_SHA
133 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
134 scripts/config.py unset MBEDTLS_HKDF_C
135 scripts/config.py unset MBEDTLS_PKCS5_C
136 scripts/config.py unset MBEDTLS_PKCS12_C
137 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
138 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
139 helper_libtestdriver1_make_main "$loc_accel_list" lib
140
141 msg "build: test suites and helpers"
142 # Reset cmalloc/free functions to normal operations so that test code can
143 # freely use them.
144 scripts/config.py unset MBEDTLS_PLATFORM_MEMORY
145 scripts/config.py unset MBEDTLS_PLATFORM_STD_CALLOC
146 scripts/config.py unset MBEDTLS_PLATFORM_STD_FREE
147 helper_libtestdriver1_make_main "$loc_accel_list" tests
148
149 msg "run tests"
150 make test
151}
152
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]153component_test_no_rsa_key_pair_generation () {
Minos Galanakisdc0f73a2024-07-26 20:41:42 +0100[diff] [blame]154 msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
155 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
156 scripts/config.py unset MBEDTLS_GENPRIME
157 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
158 make
159
160 msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
161 make test
162}
163
Minos Galanakisc06fd302024-08-01 12:16:59 +0100[diff] [blame]164component_test_no_pem_no_fs () {
165 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)"
166 scripts/config.py unset MBEDTLS_PEM_PARSE_C
167 scripts/config.py unset MBEDTLS_FS_IO
168 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem
169 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS
170 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
171 make
172
173 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s
174 make test
175
176 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min
177 tests/ssl-opt.sh
178}
179
180component_test_rsa_no_crt () {
181 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
182 scripts/config.py set MBEDTLS_RSA_NO_CRT
183 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
184 make
185
186 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
187 make test
188
189 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
190 tests/ssl-opt.sh -f RSA
191
192 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
193 tests/compat.sh -t RSA
194
195 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec
196 tests/context-info.sh
197}
198
199component_test_no_ctr_drbg_classic () {
200 msg "build: Full minus CTR_DRBG, classic crypto in TLS"
201 scripts/config.py full
202 scripts/config.py unset MBEDTLS_CTR_DRBG_C
203 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
204 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
205
206 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
207 make
208
209 msg "test: Full minus CTR_DRBG, classic crypto - main suites"
210 make test
211
212 # In this configuration, the TLS test programs use HMAC_DRBG.
213 # The SSL tests are slow, so run a small subset, just enough to get
214 # confidence that the SSL code copes with HMAC_DRBG.
215 msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)"
216 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
217
218 msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)"
219 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
220}
221
222component_test_no_ctr_drbg_use_psa () {
223 msg "build: Full minus CTR_DRBG, PSA crypto in TLS"
224 scripts/config.py full
225 scripts/config.py unset MBEDTLS_CTR_DRBG_C
226 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
227
228 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
229 make
230
231 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
232 make test
233
234 # In this configuration, the TLS test programs use HMAC_DRBG.
235 # The SSL tests are slow, so run a small subset, just enough to get
236 # confidence that the SSL code copes with HMAC_DRBG.
237 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
238 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
239
240 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
241 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
242}
243
244component_test_no_hmac_drbg_classic () {
245 msg "build: Full minus HMAC_DRBG, classic crypto in TLS"
246 scripts/config.py full
247 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
248 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
249 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
250 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
251
252 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
253 make
254
255 msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
256 make test
257
258 # Normally our ECDSA implementation uses deterministic ECDSA. But since
259 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
260 # instead.
261 # Test SSL with non-deterministic ECDSA. Only test features that
262 # might be affected by how ECDSA signature is performed.
263 msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)"
264 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
265
266 # To save time, only test one protocol version, since this part of
267 # the protocol is identical in (D)TLS up to 1.2.
268 msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)"
269 tests/compat.sh -m tls12 -t 'ECDSA'
270}
271
272component_test_no_hmac_drbg_use_psa () {
273 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
274 scripts/config.py full
275 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
276 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
277 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
278
279 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
280 make
281
282 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
283 make test
284
285 # Normally our ECDSA implementation uses deterministic ECDSA. But since
286 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
287 # instead.
288 # Test SSL with non-deterministic ECDSA. Only test features that
289 # might be affected by how ECDSA signature is performed.
290 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
291 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
292
293 # To save time, only test one protocol version, since this part of
294 # the protocol is identical in (D)TLS up to 1.2.
295 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
296 tests/compat.sh -m tls12 -t 'ECDSA'
297}
298
299component_test_psa_external_rng_no_drbg_classic () {
300 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS"
301 scripts/config.py full
302 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
303 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
304 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
305 scripts/config.py unset MBEDTLS_ENTROPY_C
306 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
307 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
308 scripts/config.py unset MBEDTLS_CTR_DRBG_C
309 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
310 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
311 # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
312 # the SSL test programs don't have an RNG and can't work. Explicitly
313 # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
314 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
315
316 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
317 make test
318
319 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)"
320 tests/ssl-opt.sh -f 'Default'
321}
322
323component_test_psa_external_rng_no_drbg_use_psa () {
324 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
325 scripts/config.py full
326 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
327 scripts/config.py unset MBEDTLS_ENTROPY_C
328 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
329 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
330 scripts/config.py unset MBEDTLS_CTR_DRBG_C
331 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
332 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
333 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
334
335 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
336 make test
337
338 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)"
339 tests/ssl-opt.sh -f 'Default\|opaque'
340}
341
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]342component_test_psa_external_rng_use_psa_crypto () {
343 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
344 scripts/config.py full
345 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
346 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
347 scripts/config.py unset MBEDTLS_CTR_DRBG_C
348 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
349
350 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
351 make test
352
353 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
354 tests/ssl-opt.sh -f 'Default\|opaque'
355}
356
357component_test_psa_inject_entropy () {
358 msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY"
359 scripts/config.py full
360 scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY
361 scripts/config.py set MBEDTLS_ENTROPY_NV_SEED
362 scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
363 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
364 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
365 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
366 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
367
368 msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
369 make test
370}
371
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]372component_full_no_pkparse_pkwrite () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]373 msg "build: full without pkparse and pkwrite"
374
375 scripts/config.py crypto_full
376 scripts/config.py unset MBEDTLS_PK_PARSE_C
377 scripts/config.py unset MBEDTLS_PK_WRITE_C
378
379 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
380
381 # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config).
382 not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o
383 not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o
384
385 msg "test: full without pkparse and pkwrite"
386 make test
387}
388
389component_test_crypto_full_md_light_only () {
390 msg "build: crypto_full with only the light subset of MD"
391 scripts/config.py crypto_full
392
393 # Disable MD
394 scripts/config.py unset MBEDTLS_MD_C
395 # Disable direct dependencies of MD_C
396 scripts/config.py unset MBEDTLS_HKDF_C
397 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
398 scripts/config.py unset MBEDTLS_PKCS7_C
399 # Disable indirect dependencies of MD_C
400 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
401 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
402 # Disable things that would auto-enable MD_C
403 scripts/config.py unset MBEDTLS_PKCS5_C
404
405 # Note: MD-light is auto-enabled in build_info.h by modules that need it,
406 # which we haven't disabled, so no need to explicitly enable it.
407 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
408
409 # Make sure we don't have the HMAC functions, but the hashing functions
410 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
411 grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o
412
413 msg "test: crypto_full with only the light subset of MD"
414 make test
415}
416
Minos Galanakiscd5668f2024-07-26 20:36:23 +0100[diff] [blame]417component_test_full_no_cipher () {
418 msg "build: full no CIPHER"
419
420 scripts/config.py full
421 scripts/config.py unset MBEDTLS_CIPHER_C
422
423 # The built-in implementation of the following algs/key-types depends
424 # on CIPHER_C so we disable them.
425 # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
426 # so we keep them enabled.
427 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
428 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
429 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
430 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
431 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
432 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
433 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
434 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
435 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
436 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
437 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
438
439 # The following modules directly depends on CIPHER_C
440 scripts/config.py unset MBEDTLS_CMAC_C
441 scripts/config.py unset MBEDTLS_NIST_KW_C
442
443 make
444
445 # Ensure that CIPHER_C was not re-enabled
446 not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o
447
448 msg "test: full no CIPHER"
449 make test
450}
451
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]452component_test_full_no_ccm () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]453 msg "build: full no PSA_WANT_ALG_CCM"
454
455 # Full config enables:
456 # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
457 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
458 scripts/config.py full
459
460 # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still
461 # enabled, but not used from TLS since USE_PSA is set.
462 # This is helpful to ensure that TLS tests below have proper dependencies.
463 #
464 # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause
465 # PSA_WANT_ALG_CCM to be re-enabled.
466 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
467
468 make
469
470 msg "test: full no PSA_WANT_ALG_CCM"
471 make test
472}
473
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]474component_test_full_no_ccm_star_no_tag () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]475 msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
476
477 # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
478 scripts/config.py full
479
480 # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all
481 # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol.
482 # This basically disables all unauthenticated ciphers on the PSA side, while
483 # keeping AEADs enabled.
484 #
485 # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause
486 # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled.
487 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
488 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
489 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
490 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
491 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
492 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
493 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
494 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
495
496 make
497
498 # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
499 not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o
500
501 msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
502 make test
503}
504
Gilles Peskineea5de2b2024-09-19 18:41:55 +0200[diff] [blame]505component_test_config_symmetric_only () {
506 msg "build: configs/config-symmetric-only.h"
Gilles Peskineaf5a8992024-09-14 11:27:44 +0200[diff] [blame]507 cp configs/config-symmetric-only.h "$CONFIG_H"
Gilles Peskineaf5a8992024-09-14 11:27:44 +0200[diff] [blame]508 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
509 # want to re-generate generated files that depend on it, quite correctly.
510 # However this doesn't work as the generation script expects a specific
511 # format for mbedtls_config.h, which the other files don't follow. Also,
512 # cmake can't know this, but re-generation is actually not necessary as
513 # the generated files only depend on the list of available options, not
514 # whether they're on or off. So, disable cmake's (over-sensitive here)
515 # dependency resolution for generated files and just rely on them being
516 # present (thanks to pre_generate_files) by turning GEN_FILES off.
517 CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
518 make
519
Gilles Peskineea5de2b2024-09-19 18:41:55 +0200[diff] [blame]520 msg "test: configs/config-symmetric-only.h - unit tests"
Gilles Peskineaf5a8992024-09-14 11:27:44 +0200[diff] [blame]521 make test
522}
523
Minos Galanakisc06fd302024-08-01 12:16:59 +0100[diff] [blame]524component_test_everest () {
525 msg "build: Everest ECDH context (ASan build)" # ~ 6 min
526 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
527 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan .
528 make
529
530 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
531 make test
532
533 msg "test: metatests (clang, ASan)"
534 tests/scripts/run-metatests.sh any asan poison
535
536 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
537 tests/ssl-opt.sh -f ECDH
538
539 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
540 # Exclude some symmetric ciphers that are redundant here to gain time.
541 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
542}
543
544component_test_everest_curve25519_only () {
545 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
546 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
547 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
548 scripts/config.py unset MBEDTLS_ECDSA_C
549 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
550 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
551 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
552 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
553 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
554 scripts/config.py unset MBEDTLS_ECJPAKE_C
555 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
556
557 # Disable all curves
558 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
559 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
560 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
561
562 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
563
564 msg "test: Everest ECDH context, only Curve25519" # ~ 50s
565 make test
566}
567
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]568component_test_psa_collect_statuses () {
569 msg "build+test: psa_collect_statuses" # ~30s
570 scripts/config.py full
571 tests/scripts/psa_collect_statuses.py
572 # Check that psa_crypto_init() succeeded at least once
573 grep -q '^0:psa_crypto_init:' tests/statuses.log
574 rm -f tests/statuses.log
575}
576
577# Check that the specified libraries exist and are empty.
578are_empty_libraries () {
579 nm "$@" >/dev/null 2>/dev/null
580 ! nm "$@" 2>/dev/null | grep -v ':$' | grep .
581}
582
583component_build_crypto_default () {
584 msg "build: make, crypto only"
585 scripts/config.py crypto
586 make CFLAGS='-O1 -Werror'
587 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
588}
589
590component_build_crypto_full () {
591 msg "build: make, crypto only, full config"
592 scripts/config.py crypto_full
593 make CFLAGS='-O1 -Werror'
594 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
595}
596
597component_test_crypto_for_psa_service () {
598 msg "build: make, config for PSA crypto service"
599 scripts/config.py crypto
600 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
601 # Disable things that are not needed for just cryptography, to
602 # reach a configuration that would be typical for a PSA cryptography
603 # service providing all implemented PSA algorithms.
604 # System stuff
605 scripts/config.py unset MBEDTLS_ERROR_C
606 scripts/config.py unset MBEDTLS_TIMING_C
607 scripts/config.py unset MBEDTLS_VERSION_FEATURES
608 # Crypto stuff with no PSA interface
609 scripts/config.py unset MBEDTLS_BASE64_C
610 # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
611 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
612 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
613 scripts/config.py unset MBEDTLS_NIST_KW_C
614 scripts/config.py unset MBEDTLS_PEM_PARSE_C
615 scripts/config.py unset MBEDTLS_PEM_WRITE_C
616 scripts/config.py unset MBEDTLS_PKCS12_C
617 scripts/config.py unset MBEDTLS_PKCS5_C
618 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
619 # in PSA code to work with RSA keys. We don't require users to set those:
620 # they will be reenabled in build_info.h.
621 scripts/config.py unset MBEDTLS_PK_C
622 scripts/config.py unset MBEDTLS_PK_PARSE_C
623 scripts/config.py unset MBEDTLS_PK_WRITE_C
624 make CFLAGS='-O1 -Werror' all test
625 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
626}
627
628component_build_crypto_baremetal () {
629 msg "build: make, crypto only, baremetal config"
630 scripts/config.py crypto_baremetal
631 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
632 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
633}
634
635support_build_crypto_baremetal () {
636 support_build_baremetal "$@"
637}
638
639# depends.py family of tests
640component_test_depends_py_cipher_id () {
641 msg "test/build: depends.py cipher_id (gcc)"
Gabor Mezei9ce6d242024-06-19 17:47:05 +0200[diff] [blame]642 tests/scripts/depends.py cipher_id
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]643}
644
645component_test_depends_py_cipher_chaining () {
646 msg "test/build: depends.py cipher_chaining (gcc)"
Gabor Mezei9ce6d242024-06-19 17:47:05 +0200[diff] [blame]647 tests/scripts/depends.py cipher_chaining
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]648}
649
650component_test_depends_py_cipher_padding () {
651 msg "test/build: depends.py cipher_padding (gcc)"
Gabor Mezei9ce6d242024-06-19 17:47:05 +0200[diff] [blame]652 tests/scripts/depends.py cipher_padding
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]653}
654
655component_test_depends_py_curves () {
656 msg "test/build: depends.py curves (gcc)"
Gabor Mezei9ce6d242024-06-19 17:47:05 +0200[diff] [blame]657 tests/scripts/depends.py curves
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]658}
659
660component_test_depends_py_hashes () {
661 msg "test/build: depends.py hashes (gcc)"
Gabor Mezei9ce6d242024-06-19 17:47:05 +0200[diff] [blame]662 tests/scripts/depends.py hashes
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]663}
664
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]665component_test_depends_py_pkalgs () {
666 msg "test/build: depends.py pkalgs (gcc)"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]667 tests/scripts/depends.py pkalgs
668}
669
670component_test_psa_crypto_config_ffdh_2048_only () {
671 msg "build: full config - only DH 2048"
672
673 scripts/config.py full
674
675 # Disable all DH groups other than 2048.
676 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072
677 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096
678 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144
679 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192
680
681 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS"
682
683 msg "test: full config - only DH 2048"
684 make test
685
686 msg "ssl-opt: full config - only DH 2048"
687 tests/ssl-opt.sh -f "ffdh"
688}
689
690component_build_no_pk_rsa_alt_support () {
691 msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s
692
693 scripts/config.py full
694 scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT
695 scripts/config.py set MBEDTLS_RSA_C
696 scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
697
698 # Only compile - this is primarily to test for compile issues
699 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
700}
701
702component_build_module_alt () {
703 msg "build: MBEDTLS_XXX_ALT" # ~30s
704 scripts/config.py full
705
706 # Disable options that are incompatible with some ALT implementations:
707 # aesni.c references mbedtls_aes_context fields directly.
708 scripts/config.py unset MBEDTLS_AESNI_C
709 scripts/config.py unset MBEDTLS_AESCE_C
710 # MBEDTLS_ECP_RESTARTABLE is documented as incompatible.
711 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
712 # You can only have one threading implementation: alt or pthread, not both.
713 scripts/config.py unset MBEDTLS_THREADING_PTHREAD
714 # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields
715 # directly and assumes the implementation works with partial groups.
716 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
717 # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*
718 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
719 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
720 # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*
721 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
722 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
723
724 # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable
725 # MBEDTLS_XXX_YYY_ALT which are for single functions.
726 scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT'
727
728 # We can only compile, not link, since we don't have any implementations
729 # suitable for testing with the dummy alt headers.
730 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
731}
732
733component_test_psa_crypto_config_accel_ecdsa () {
734 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
735
736 # Algorithms and key types to accelerate
737 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
738 $(helper_get_psa_key_type_list "ECC") \
739 $(helper_get_psa_curve_list)"
740
741 # Configure
742 # ---------
743
Elena Uziunaite91d83862024-09-04 14:51:31 +0100[diff] [blame]744 # Start from default config + TLS 1.3
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]745 helper_libtestdriver1_adjust_config "default"
746
Elena Uziunaite91d83862024-09-04 14:51:31 +0100[diff] [blame]747 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
748
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]749 # Disable the module that's accelerated
750 scripts/config.py unset MBEDTLS_ECDSA_C
751
752 # Disable things that depend on it
753 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
754 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
755
756 # Build
757 # -----
758
759 # These hashes are needed for some ECDSA signature tests.
Elena Uziunaiteffce45c2024-09-12 14:58:52 +0100[diff] [blame]760 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]761 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
762
763 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
764
765 helper_libtestdriver1_make_main "$loc_accel_list"
766
767 # Make sure this was not re-enabled by accident (additive config)
768 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
769
770 # Run the tests
771 # -------------
772
773 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
774 make test
775}
776
777component_test_psa_crypto_config_accel_ecdh () {
778 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
779
780 # Algorithms and key types to accelerate
781 loc_accel_list="ALG_ECDH \
782 $(helper_get_psa_key_type_list "ECC") \
783 $(helper_get_psa_curve_list)"
784
785 # Configure
786 # ---------
787
788 # Start from default config (no USE_PSA)
789 helper_libtestdriver1_adjust_config "default"
790
791 # Disable the module that's accelerated
792 scripts/config.py unset MBEDTLS_ECDH_C
793
794 # Disable things that depend on it
795 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
796 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
797 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
798 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
799 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
800
801 # Build
802 # -----
803
804 helper_libtestdriver1_make_drivers "$loc_accel_list"
805
806 helper_libtestdriver1_make_main "$loc_accel_list"
807
808 # Make sure this was not re-enabled by accident (additive config)
809 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
810
811 # Run the tests
812 # -------------
813
814 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
815 make test
816}
817
818component_test_psa_crypto_config_accel_ffdh () {
819 msg "build: full with accelerated FFDH"
820
821 # Algorithms and key types to accelerate
822 loc_accel_list="ALG_FFDH \
823 $(helper_get_psa_key_type_list "DH") \
824 $(helper_get_psa_dh_group_list)"
825
826 # Configure
827 # ---------
828
829 # start with full (USE_PSA and TLS 1.3)
830 helper_libtestdriver1_adjust_config "full"
831
832 # Disable the module that's accelerated
833 scripts/config.py unset MBEDTLS_DHM_C
834
835 # Disable things that depend on it
836 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
837 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
838
839 # Build
840 # -----
841
842 helper_libtestdriver1_make_drivers "$loc_accel_list"
843
844 helper_libtestdriver1_make_main "$loc_accel_list"
845
846 # Make sure this was not re-enabled by accident (additive config)
847 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
848
849 # Run the tests
850 # -------------
851
852 msg "test: full with accelerated FFDH"
853 make test
854
855 msg "ssl-opt: full with accelerated FFDH alg"
856 tests/ssl-opt.sh -f "ffdh"
857}
858
859component_test_psa_crypto_config_reference_ffdh () {
860 msg "build: full with non-accelerated FFDH"
861
862 # Start with full (USE_PSA and TLS 1.3)
863 helper_libtestdriver1_adjust_config "full"
864
865 # Disable things that are not supported
866 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
867 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
868 make
869
870 msg "test suites: full with non-accelerated FFDH alg"
871 make test
872
873 msg "ssl-opt: full with non-accelerated FFDH alg"
874 tests/ssl-opt.sh -f "ffdh"
875}
876
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]877component_test_psa_crypto_config_accel_pake () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]878 msg "build: full with accelerated PAKE"
879
880 loc_accel_list="ALG_JPAKE \
881 $(helper_get_psa_key_type_list "ECC") \
882 $(helper_get_psa_curve_list)"
883
884 # Configure
885 # ---------
886
887 helper_libtestdriver1_adjust_config "full"
888
889 # Make built-in fallback not available
890 scripts/config.py unset MBEDTLS_ECJPAKE_C
891 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
892
893 # Build
894 # -----
895
896 helper_libtestdriver1_make_drivers "$loc_accel_list"
897
898 helper_libtestdriver1_make_main "$loc_accel_list"
899
900 # Make sure this was not re-enabled by accident (additive config)
901 not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o
902
903 # Run the tests
904 # -------------
905
906 msg "test: full with accelerated PAKE"
907 make test
908}
909
910component_test_psa_crypto_config_accel_ecc_some_key_types () {
911 msg "build: full with accelerated EC algs and some key types"
912
913 # Algorithms and key types to accelerate
914 # For key types, use an explicitly list to omit GENERATE (and DERIVE)
915 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
916 ALG_ECDH \
917 ALG_JPAKE \
918 KEY_TYPE_ECC_PUBLIC_KEY \
919 KEY_TYPE_ECC_KEY_PAIR_BASIC \
920 KEY_TYPE_ECC_KEY_PAIR_IMPORT \
921 KEY_TYPE_ECC_KEY_PAIR_EXPORT \
922 $(helper_get_psa_curve_list)"
923
924 # Configure
925 # ---------
926
927 # start with config full for maximum coverage (also enables USE_PSA)
928 helper_libtestdriver1_adjust_config "full"
929
930 # Disable modules that are accelerated - some will be re-enabled
931 scripts/config.py unset MBEDTLS_ECDSA_C
932 scripts/config.py unset MBEDTLS_ECDH_C
933 scripts/config.py unset MBEDTLS_ECJPAKE_C
934 scripts/config.py unset MBEDTLS_ECP_C
935
936 # Disable all curves - those that aren't accelerated should be re-enabled
937 helper_disable_builtin_curves
938
939 # Restartable feature is not yet supported by PSA. Once it will in
940 # the future, the following line could be removed (see issues
941 # 6061, 6332 and following ones)
942 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
943
944 # this is not supported by the driver API yet
945 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
946
947 # Build
948 # -----
949
950 # These hashes are needed for some ECDSA signature tests.
951 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
952 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
953 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
954
955 helper_libtestdriver1_make_main "$loc_accel_list"
956
957 # ECP should be re-enabled but not the others
958 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
959 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
960 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
961 grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o
962
963 # Run the tests
964 # -------------
965
966 msg "test suites: full with accelerated EC algs and some key types"
967 make test
968}
969
970# Run tests with only (non-)Weierstrass accelerated
971# Common code used in:
972# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves
973# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]974common_test_psa_crypto_config_accel_ecc_some_curves () {
975 weierstrass=$1
976 if [ $weierstrass -eq 1 ]; then
977 desc="Weierstrass"
978 else
979 desc="non-Weierstrass"
980 fi
981
982 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
983
984 # Note: Curves are handled in a special way by the libtestdriver machinery,
985 # so we only want to include them in the accel list when building the main
986 # libraries, hence the use of a separate variable.
987 # Note: the following loop is a modified version of
988 # helper_get_psa_curve_list that only keeps Weierstrass families.
989 loc_weierstrass_list=""
990 loc_non_weierstrass_list=""
991 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
992 case $item in
993 ECC_BRAINPOOL*|ECC_SECP*)
994 loc_weierstrass_list="$loc_weierstrass_list $item"
995 ;;
996 *)
997 loc_non_weierstrass_list="$loc_non_weierstrass_list $item"
998 ;;
999 esac
1000 done
1001 if [ $weierstrass -eq 1 ]; then
1002 loc_curve_list=$loc_weierstrass_list
1003 else
1004 loc_curve_list=$loc_non_weierstrass_list
1005 fi
1006
1007 # Algorithms and key types to accelerate
1008 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1009 ALG_ECDH \
1010 ALG_JPAKE \
1011 $(helper_get_psa_key_type_list "ECC") \
1012 $loc_curve_list"
1013
1014 # Configure
1015 # ---------
1016
1017 # Start with config crypto_full and remove PK_C:
1018 # that's what's supported now, see docs/driver-only-builds.md.
1019 helper_libtestdriver1_adjust_config "crypto_full"
1020 scripts/config.py unset MBEDTLS_PK_C
1021 scripts/config.py unset MBEDTLS_PK_PARSE_C
1022 scripts/config.py unset MBEDTLS_PK_WRITE_C
1023
1024 # Disable modules that are accelerated - some will be re-enabled
1025 scripts/config.py unset MBEDTLS_ECDSA_C
1026 scripts/config.py unset MBEDTLS_ECDH_C
1027 scripts/config.py unset MBEDTLS_ECJPAKE_C
1028 scripts/config.py unset MBEDTLS_ECP_C
1029
1030 # Disable all curves - those that aren't accelerated should be re-enabled
1031 helper_disable_builtin_curves
1032
1033 # Restartable feature is not yet supported by PSA. Once it will in
1034 # the future, the following line could be removed (see issues
1035 # 6061, 6332 and following ones)
1036 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1037
1038 # this is not supported by the driver API yet
1039 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1040
1041 # Build
1042 # -----
1043
1044 # These hashes are needed for some ECDSA signature tests.
1045 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1046 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1047 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1048
1049 helper_libtestdriver1_make_main "$loc_accel_list"
1050
1051 # We expect ECDH to be re-enabled for the missing curves
1052 grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1053 # We expect ECP to be re-enabled, however the parts specific to the
1054 # families of curves that are accelerated should be ommited.
1055 # - functions with mxz in the name are specific to Montgomery curves
1056 # - ecp_muladd is specific to Weierstrass curves
1057 ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms
1058 if [ $weierstrass -eq 1 ]; then
1059 not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
1060 grep mxz ${BUILTIN_SRC_PATH}/ecp.o
1061 else
1062 grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
1063 not grep mxz ${BUILTIN_SRC_PATH}/ecp.o
1064 fi
1065 # We expect ECDSA and ECJPAKE to be re-enabled only when
1066 # Weierstrass curves are not accelerated
1067 if [ $weierstrass -eq 1 ]; then
1068 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1069 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1070 else
1071 grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1072 grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1073 fi
1074
1075 # Run the tests
1076 # -------------
1077
1078 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves"
1079 make test
1080}
1081
1082component_test_psa_crypto_config_accel_ecc_weierstrass_curves () {
1083 common_test_psa_crypto_config_accel_ecc_some_curves 1
1084}
1085
1086component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () {
1087 common_test_psa_crypto_config_accel_ecc_some_curves 0
1088}
1089
1090# Auxiliary function to build config for all EC based algorithms (EC-JPAKE,
1091# ECDH, ECDSA) with and without drivers.
1092# The input parameter is a boolean value which indicates:
1093# - 0 keep built-in EC algs,
1094# - 1 exclude built-in EC algs (driver only).
1095#
1096# This is used by the two following components to ensure they always use the
1097# same config, except for the use of driver or built-in EC algorithms:
1098# - component_test_psa_crypto_config_accel_ecc_ecp_light_only;
1099# - component_test_psa_crypto_config_reference_ecc_ecp_light_only.
1100# This supports comparing their test coverage with analyze_outcomes.py.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1101config_psa_crypto_config_ecp_light_only () {
1102 driver_only="$1"
1103 # start with config full for maximum coverage (also enables USE_PSA)
1104 helper_libtestdriver1_adjust_config "full"
1105 if [ "$driver_only" -eq 1 ]; then
1106 # Disable modules that are accelerated
1107 scripts/config.py unset MBEDTLS_ECDSA_C
1108 scripts/config.py unset MBEDTLS_ECDH_C
1109 scripts/config.py unset MBEDTLS_ECJPAKE_C
1110 scripts/config.py unset MBEDTLS_ECP_C
1111 fi
1112
1113 # Restartable feature is not yet supported by PSA. Once it will in
1114 # the future, the following line could be removed (see issues
1115 # 6061, 6332 and following ones)
1116 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1117}
1118
1119# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1120component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
1121 msg "build: full with accelerated EC algs"
1122
1123 # Algorithms and key types to accelerate
1124 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1125 ALG_ECDH \
1126 ALG_JPAKE \
1127 $(helper_get_psa_key_type_list "ECC") \
1128 $(helper_get_psa_curve_list)"
1129
1130 # Configure
1131 # ---------
1132
1133 # Use the same config as reference, only without built-in EC algs
1134 config_psa_crypto_config_ecp_light_only 1
1135
1136 # Do not disable builtin curves because that support is required for:
1137 # - MBEDTLS_PK_PARSE_EC_EXTENDED
1138 # - MBEDTLS_PK_PARSE_EC_COMPRESSED
1139
1140 # Build
1141 # -----
1142
1143 # These hashes are needed for some ECDSA signature tests.
1144 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1145 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1146 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1147
1148 helper_libtestdriver1_make_main "$loc_accel_list"
1149
1150 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1151 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1152 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1153 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1154 not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o
1155
1156 # Run the tests
1157 # -------------
1158
1159 msg "test suites: full with accelerated EC algs"
1160 make test
1161
1162 msg "ssl-opt: full with accelerated EC algs"
1163 tests/ssl-opt.sh
1164}
1165
1166# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1167component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
1168 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs"
1169
1170 config_psa_crypto_config_ecp_light_only 0
1171
1172 make
1173
1174 msg "test suites: full with non-accelerated EC algs"
1175 make test
1176
1177 msg "ssl-opt: full with non-accelerated EC algs"
1178 tests/ssl-opt.sh
1179}
1180
1181# This helper function is used by:
1182# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all()
1183# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
1184# to ensure that both tests use the same underlying configuration when testing
1185# driver's coverage with analyze_outcomes.py.
1186#
1187# This functions accepts 1 boolean parameter as follows:
1188# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore
1189# excluding their built-in implementation as well as ECP_C & ECP_LIGHT
1190# - 0: include built-in implementation of EC algorithms.
1191#
1192# PK_C and RSA_C are always disabled to ensure there is no remaining dependency
1193# on the ECP module.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1194config_psa_crypto_no_ecp_at_all () {
1195 driver_only="$1"
1196 # start with full config for maximum coverage (also enables USE_PSA)
1197 helper_libtestdriver1_adjust_config "full"
1198
1199 if [ "$driver_only" -eq 1 ]; then
1200 # Disable modules that are accelerated
1201 scripts/config.py unset MBEDTLS_ECDSA_C
1202 scripts/config.py unset MBEDTLS_ECDH_C
1203 scripts/config.py unset MBEDTLS_ECJPAKE_C
1204 # Disable ECP module (entirely)
1205 scripts/config.py unset MBEDTLS_ECP_C
1206 fi
1207
1208 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
1209 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1210 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
1211 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1212
1213 # Restartable feature is not yet supported by PSA. Once it will in
1214 # the future, the following line could be removed (see issues
1215 # 6061, 6332 and following ones)
1216 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1217}
1218
1219# Build and test a configuration where driver accelerates all EC algs while
1220# all support and dependencies from ECP and ECP_LIGHT are removed on the library
1221# side.
1222#
1223# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1224component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
1225 msg "build: full + accelerated EC algs - ECP"
1226
1227 # Algorithms and key types to accelerate
1228 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1229 ALG_ECDH \
1230 ALG_JPAKE \
1231 $(helper_get_psa_key_type_list "ECC") \
1232 $(helper_get_psa_curve_list)"
1233
1234 # Configure
1235 # ---------
1236
1237 # Set common configurations between library's and driver's builds
1238 config_psa_crypto_no_ecp_at_all 1
1239 # Disable all the builtin curves. All the required algs are accelerated.
1240 helper_disable_builtin_curves
1241
1242 # Build
1243 # -----
1244
1245 # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
1246 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic.
1247 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1248 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1249
1250 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1251
1252 helper_libtestdriver1_make_main "$loc_accel_list"
1253
1254 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1255 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1256 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1257 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1258 # Also ensure that ECP module was not re-enabled
1259 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
1260
1261 # Run the tests
1262 # -------------
1263
1264 msg "test: full + accelerated EC algs - ECP"
1265 make test
1266
1267 msg "ssl-opt: full + accelerated EC algs - ECP"
1268 tests/ssl-opt.sh
1269}
1270
1271# Reference function used for driver's coverage analysis in analyze_outcomes.py
1272# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all().
1273# Keep in sync with its accelerated counterpart.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1274component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
1275 msg "build: full + non accelerated EC algs"
1276
1277 config_psa_crypto_no_ecp_at_all 0
1278
1279 make
1280
1281 msg "test: full + non accelerated EC algs"
1282 make test
1283
1284 msg "ssl-opt: full + non accelerated EC algs"
1285 tests/ssl-opt.sh
1286}
1287
1288# This is a common configuration helper used directly from:
1289# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
1290# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
1291# and indirectly from:
1292# - component_test_psa_crypto_config_accel_ecc_no_bignum
1293# - accelerate all EC algs, disable RSA and FFDH
1294# - component_test_psa_crypto_config_reference_ecc_no_bignum
1295# - this is the reference component of the above
1296# - it still disables RSA and FFDH, but it uses builtin EC algs
1297# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
1298# - accelerate all EC and FFDH algs, disable only RSA
1299# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
1300# - this is the reference component of the above
1301# - it still disables RSA, but it uses builtin EC and FFDH algs
1302#
1303# This function accepts 2 parameters:
1304# $1: a boolean value which states if we are testing an accelerated scenario
1305# or not.
1306# $2: a string value which states which components are tested. Allowed values
1307# are "ECC" or "ECC_DH".
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1308config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1309 driver_only="$1"
1310 test_target="$2"
1311 # start with full config for maximum coverage (also enables USE_PSA)
1312 helper_libtestdriver1_adjust_config "full"
1313
1314 if [ "$driver_only" -eq 1 ]; then
1315 # Disable modules that are accelerated
1316 scripts/config.py unset MBEDTLS_ECDSA_C
1317 scripts/config.py unset MBEDTLS_ECDH_C
1318 scripts/config.py unset MBEDTLS_ECJPAKE_C
1319 # Disable ECP module (entirely)
1320 scripts/config.py unset MBEDTLS_ECP_C
1321 # Also disable bignum
1322 scripts/config.py unset MBEDTLS_BIGNUM_C
1323 fi
1324
1325 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
1326 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1327 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
1328 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1329
1330 # RSA support is intentionally disabled on this test because RSA_C depends
1331 # on BIGNUM_C.
1332 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
1333 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
1334 scripts/config.py unset MBEDTLS_RSA_C
1335 scripts/config.py unset MBEDTLS_PKCS1_V15
1336 scripts/config.py unset MBEDTLS_PKCS1_V21
1337 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
1338 # Also disable key exchanges that depend on RSA
1339 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
1340 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
1341 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1342 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
1343 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
1344
1345 if [ "$test_target" = "ECC" ]; then
1346 # When testing ECC only, we disable FFDH support, both from builtin and
1347 # PSA sides, and also disable the key exchanges that depend on DHM.
1348 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH
1349 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"
1350 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*"
1351 scripts/config.py unset MBEDTLS_DHM_C
1352 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1353 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1354 else
1355 # When testing ECC and DH instead, we disable DHM and depending key
1356 # exchanges only in the accelerated build
1357 if [ "$driver_only" -eq 1 ]; then
1358 scripts/config.py unset MBEDTLS_DHM_C
1359 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1360 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1361 fi
1362 fi
1363
1364 # Restartable feature is not yet supported by PSA. Once it will in
1365 # the future, the following line could be removed (see issues
1366 # 6061, 6332 and following ones)
1367 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1368}
1369
1370# Common helper used by:
1371# - component_test_psa_crypto_config_accel_ecc_no_bignum
1372# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
1373#
1374# The goal is to build and test accelerating either:
1375# - ECC only or
1376# - both ECC and FFDH
1377#
1378# It is meant to be used in conjunction with
1379# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers
1380# coverage analysis in the "analyze_outcomes.py" script.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1381common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
1382 test_target="$1"
1383
1384 # This is an internal helper to simplify text message handling
1385 if [ "$test_target" = "ECC_DH" ]; then
1386 accel_text="ECC/FFDH"
1387 removed_text="ECP - DH"
1388 else
1389 accel_text="ECC"
1390 removed_text="ECP"
1391 fi
1392
1393 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
1394
1395 # By default we accelerate all EC keys/algs
1396 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1397 ALG_ECDH \
1398 ALG_JPAKE \
1399 $(helper_get_psa_key_type_list "ECC") \
1400 $(helper_get_psa_curve_list)"
1401 # Optionally we can also add DH to the list of accelerated items
1402 if [ "$test_target" = "ECC_DH" ]; then
1403 loc_accel_list="$loc_accel_list \
1404 ALG_FFDH \
1405 $(helper_get_psa_key_type_list "DH") \
1406 $(helper_get_psa_dh_group_list)"
1407 fi
1408
1409 # Configure
1410 # ---------
1411
1412 # Set common configurations between library's and driver's builds
1413 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
1414 # Disable all the builtin curves. All the required algs are accelerated.
1415 helper_disable_builtin_curves
1416
1417 # Build
1418 # -----
1419
1420 # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
1421 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic.
1422 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1423 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1424
1425 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1426
1427 helper_libtestdriver1_make_main "$loc_accel_list"
1428
1429 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1430 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1431 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1432 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1433 # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled
1434 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
1435 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
1436 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
1437 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
1438
1439 # Run the tests
1440 # -------------
1441
1442 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
1443
1444 make test
1445
1446 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
1447 tests/ssl-opt.sh
1448}
1449
1450# Common helper used by:
1451# - component_test_psa_crypto_config_reference_ecc_no_bignum
1452# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
1453#
1454# The goal is to build and test a reference scenario (i.e. with builtin
1455# components) compared to the ones used in
1456# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above.
1457#
1458# It is meant to be used in conjunction with
1459# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers'
1460# coverage analysis in "analyze_outcomes.py" script.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1461common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
1462 test_target="$1"
1463
1464 # This is an internal helper to simplify text message handling
1465 if [ "$test_target" = "ECC_DH" ]; then
1466 accel_text="ECC/FFDH"
1467 else
1468 accel_text="ECC"
1469 fi
1470
1471 msg "build: full + non accelerated $accel_text algs + USE_PSA"
1472
1473 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
1474
1475 make
1476
1477 msg "test suites: full + non accelerated EC algs + USE_PSA"
1478 make test
1479
1480 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA"
1481 tests/ssl-opt.sh
1482}
1483
1484component_test_psa_crypto_config_accel_ecc_no_bignum () {
1485 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC"
1486}
1487
1488component_test_psa_crypto_config_reference_ecc_no_bignum () {
1489 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC"
1490}
1491
1492component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
1493 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH"
1494}
1495
1496component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
1497 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH"
1498}
1499
Gilles Peskineeffa6a02024-09-14 11:35:36 +0200[diff] [blame]1500component_test_tfm_config_as_is () {
1501 msg "build: configs/config-tfm.h"
1502 cp configs/config-tfm.h "$CONFIG_H"
1503 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
1504 make
1505
1506 msg "test: configs/config-tfm.h - unit tests"
1507 make test
1508}
1509
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1510# Helper for setting common configurations between:
1511# - component_test_tfm_config_p256m_driver_accel_ec()
Gilles Peskineeffa6a02024-09-14 11:35:36 +0200[diff] [blame]1512# - component_test_tfm_config_no_p256m()
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1513common_tfm_config () {
1514 # Enable TF-M config
1515 cp configs/config-tfm.h "$CONFIG_H"
1516 echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H"
1517 cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
1518
1519 # Other config adjustment to make the tests pass.
1520 # This should probably be adopted upstream.
1521 #
1522 # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS
1523 echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H"
1524
1525 # Config adjustment for better test coverage in our environment.
1526 # This is not needed just to build and pass tests.
1527 #
1528 # Enable filesystem I/O for the benefit of PK parse/write tests.
1529 echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H"
1530}
1531
1532# Keep this in sync with component_test_tfm_config() as they are both meant
1533# to be used in analyze_outcomes.py for driver's coverage analysis.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1534component_test_tfm_config_p256m_driver_accel_ec () {
1535 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
1536
1537 common_tfm_config
1538
1539 # Build crypto library
1540 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS"
1541
1542 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1543 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1544 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1545 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1546 # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled
1547 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
1548 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
1549 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
1550 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
1551 # Check that p256m was built
1552 grep -q p256_ecdsa_ library/libmbedcrypto.a
1553
1554 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
1555 # files, so we want to ensure that it has not be re-enabled accidentally.
1556 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
1557
1558 # Run the tests
1559 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
1560 make test
1561}
1562
1563# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as
1564# they are both meant to be used in analyze_outcomes.py for driver's coverage
1565# analysis.
Gilles Peskineeffa6a02024-09-14 11:35:36 +0200[diff] [blame]1566component_test_tfm_config_no_p256m () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1567 common_tfm_config
1568
1569 # Disable P256M driver, which is on by default, so that analyze_outcomes
1570 # can compare this test with test_tfm_config_p256m_driver_accel_ec
1571 echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H"
1572
Gilles Peskineeffa6a02024-09-14 11:35:36 +0200[diff] [blame]1573 msg "build: TF-M config without p256m"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1574 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests
1575
1576 # Check that p256m was not built
1577 not grep p256_ecdsa_ library/libmbedcrypto.a
1578
1579 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
1580 # files, so we want to ensure that it has not be re-enabled accidentally.
1581 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
1582
Gilles Peskineeffa6a02024-09-14 11:35:36 +0200[diff] [blame]1583 msg "test: TF-M config without p256m"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1584 make test
1585}
1586
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1587# This is an helper used by:
1588# - component_test_psa_ecc_key_pair_no_derive
1589# - component_test_psa_ecc_key_pair_no_generate
1590# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols
1591# enabled, but one. Input arguments are as follows:
1592# - $1 is the key type under test, i.e. ECC/RSA/DH
1593# - $2 is the key option to be unset (i.e. generate, derive, etc)
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1594build_and_test_psa_want_key_pair_partial () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1595 key_type=$1
1596 unset_option=$2
1597 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
1598
1599 msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
1600 scripts/config.py full
1601 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1602 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1603
1604 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
1605 # crypto_config.h so we just disable the one we don't want.
1606 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
1607
1608 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
1609
1610 msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
1611 make test
1612}
1613
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1614component_test_psa_ecc_key_pair_no_derive () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1615 build_and_test_psa_want_key_pair_partial "ECC" "DERIVE"
1616}
1617
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1618component_test_psa_ecc_key_pair_no_generate () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1619 build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
1620}
1621
1622config_psa_crypto_accel_rsa () {
1623 driver_only=$1
1624
1625 # Start from crypto_full config (no X.509, no TLS)
1626 helper_libtestdriver1_adjust_config "crypto_full"
1627
1628 if [ "$driver_only" -eq 1 ]; then
1629 # Remove RSA support and its dependencies
1630 scripts/config.py unset MBEDTLS_RSA_C
1631 scripts/config.py unset MBEDTLS_PKCS1_V15
1632 scripts/config.py unset MBEDTLS_PKCS1_V21
1633
1634 # We need PEM parsing in the test library as well to support the import
1635 # of PEM encoded RSA keys.
1636 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
1637 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
1638 fi
1639}
1640
1641component_test_psa_crypto_config_accel_rsa_crypto () {
1642 msg "build: crypto_full with accelerated RSA"
1643
1644 loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \
1645 ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \
1646 KEY_TYPE_RSA_PUBLIC_KEY \
1647 KEY_TYPE_RSA_KEY_PAIR_BASIC \
1648 KEY_TYPE_RSA_KEY_PAIR_GENERATE \
1649 KEY_TYPE_RSA_KEY_PAIR_IMPORT \
1650 KEY_TYPE_RSA_KEY_PAIR_EXPORT"
1651
1652 # Configure
1653 # ---------
1654
1655 config_psa_crypto_accel_rsa 1
1656
1657 # Build
1658 # -----
1659
1660 # These hashes are needed for unit tests.
1661 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1662 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5"
1663 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1664
1665 helper_libtestdriver1_make_main "$loc_accel_list"
1666
1667 # Make sure this was not re-enabled by accident (additive config)
1668 not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o
1669
1670 # Run the tests
1671 # -------------
1672
1673 msg "test: crypto_full with accelerated RSA"
1674 make test
1675}
1676
1677component_test_psa_crypto_config_reference_rsa_crypto () {
1678 msg "build: crypto_full with non-accelerated RSA"
1679
1680 # Configure
1681 # ---------
1682 config_psa_crypto_accel_rsa 0
1683
1684 # Build
1685 # -----
1686 make
1687
1688 # Run the tests
1689 # -------------
1690 msg "test: crypto_full with non-accelerated RSA"
1691 make test
1692}
1693
1694# This is a temporary test to verify that full RSA support is present even when
1695# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1696component_test_new_psa_want_key_pair_symbol () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1697 msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
1698
1699 # Create a temporary output file unless there is already one set
1700 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
1701 REMOVE_OUTCOME_ON_EXIT="no"
1702 else
1703 REMOVE_OUTCOME_ON_EXIT="yes"
1704 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv"
1705 export MBEDTLS_TEST_OUTCOME_FILE
1706 fi
1707
1708 # Start from crypto configuration
1709 scripts/config.py crypto
1710
1711 # Remove RSA support and its dependencies
1712 scripts/config.py unset MBEDTLS_PKCS1_V15
1713 scripts/config.py unset MBEDTLS_PKCS1_V21
1714 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1715 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
1716 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
1717 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
1718 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
1719 scripts/config.py unset MBEDTLS_RSA_C
1720 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
1721
1722 # Enable PSA support
1723 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
1724
1725 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
1726 # that proper translations is done in crypto_legacy.h.
1727 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
1728 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
1729 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
1730
1731 make
1732
1733 msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
1734 make test
1735
1736 # Parse only 1 relevant line from the outcome file, i.e. a test which is
1737 # performing RSA signature.
1738 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS"
1739 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS"
1740
1741 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then
1742 rm $MBEDTLS_TEST_OUTCOME_FILE
1743 fi
1744}
1745
1746component_test_psa_crypto_config_accel_hash () {
1747 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
1748
1749 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
1750 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1751 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1752
1753 # Configure
1754 # ---------
1755
1756 # Start from default config (no USE_PSA)
1757 helper_libtestdriver1_adjust_config "default"
1758
1759 # Disable the things that are being accelerated
1760 scripts/config.py unset MBEDTLS_MD5_C
1761 scripts/config.py unset MBEDTLS_RIPEMD160_C
1762 scripts/config.py unset MBEDTLS_SHA1_C
1763 scripts/config.py unset MBEDTLS_SHA224_C
1764 scripts/config.py unset MBEDTLS_SHA256_C
1765 scripts/config.py unset MBEDTLS_SHA384_C
1766 scripts/config.py unset MBEDTLS_SHA512_C
1767 scripts/config.py unset MBEDTLS_SHA3_C
1768
1769 # Build
1770 # -----
1771
1772 helper_libtestdriver1_make_drivers "$loc_accel_list"
1773
1774 helper_libtestdriver1_make_main "$loc_accel_list"
1775
1776 # There's a risk of something getting re-enabled via config_psa.h;
1777 # make sure it did not happen. Note: it's OK for MD_C to be enabled.
1778 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
1779 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
1780 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
1781 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
1782 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
1783
1784 # Run the tests
1785 # -------------
1786
1787 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
1788 make test
1789}
1790
1791# Auxiliary function to build config for hashes with and without drivers
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1792config_psa_crypto_hash_use_psa () {
1793 driver_only="$1"
1794 # start with config full for maximum coverage (also enables USE_PSA)
1795 helper_libtestdriver1_adjust_config "full"
1796 if [ "$driver_only" -eq 1 ]; then
1797 # disable the built-in implementation of hashes
1798 scripts/config.py unset MBEDTLS_MD5_C
1799 scripts/config.py unset MBEDTLS_RIPEMD160_C
1800 scripts/config.py unset MBEDTLS_SHA1_C
1801 scripts/config.py unset MBEDTLS_SHA224_C
1802 scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
1803 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
1804 scripts/config.py unset MBEDTLS_SHA384_C
1805 scripts/config.py unset MBEDTLS_SHA512_C
1806 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
1807 scripts/config.py unset MBEDTLS_SHA3_C
1808 fi
1809}
1810
1811# Note that component_test_psa_crypto_config_reference_hash_use_psa
1812# is related to this component and both components need to be kept in sync.
1813# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1814component_test_psa_crypto_config_accel_hash_use_psa () {
1815 msg "test: full with accelerated hashes"
1816
1817 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
1818 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1819 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1820
1821 # Configure
1822 # ---------
1823
1824 config_psa_crypto_hash_use_psa 1
1825
1826 # Build
1827 # -----
1828
1829 helper_libtestdriver1_make_drivers "$loc_accel_list"
1830
1831 helper_libtestdriver1_make_main "$loc_accel_list"
1832
1833 # There's a risk of something getting re-enabled via config_psa.h;
1834 # make sure it did not happen. Note: it's OK for MD_C to be enabled.
1835 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
1836 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
1837 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
1838 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
1839 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
1840
1841 # Run the tests
1842 # -------------
1843
1844 msg "test: full with accelerated hashes"
1845 make test
1846
1847 # This is mostly useful so that we can later compare outcome files with
1848 # the reference config in analyze_outcomes.py, to check that the
1849 # dependency declarations in ssl-opt.sh and in TLS code are correct.
1850 msg "test: ssl-opt.sh, full with accelerated hashes"
1851 tests/ssl-opt.sh
1852
1853 # This is to make sure all ciphersuites are exercised, but we don't need
1854 # interop testing (besides, we already got some from ssl-opt.sh).
1855 msg "test: compat.sh, full with accelerated hashes"
1856 tests/compat.sh -p mbedTLS -V YES
1857}
1858
1859# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
1860# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py
1861# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt).
1862# Both components need to be kept in sync.
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1863component_test_psa_crypto_config_reference_hash_use_psa () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1864 msg "test: full without accelerated hashes"
1865
1866 config_psa_crypto_hash_use_psa 0
1867
1868 make
1869
1870 msg "test: full without accelerated hashes"
1871 make test
1872
1873 msg "test: ssl-opt.sh, full without accelerated hashes"
1874 tests/ssl-opt.sh
1875}
1876
1877# Auxiliary function to build config for hashes with and without drivers
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1878config_psa_crypto_hmac_use_psa () {
1879 driver_only="$1"
1880 # start with config full for maximum coverage (also enables USE_PSA)
1881 helper_libtestdriver1_adjust_config "full"
1882
1883 if [ "$driver_only" -eq 1 ]; then
1884 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
1885 # is still enabled though (for ENTROPY_C among others).
1886 scripts/config.py unset MBEDTLS_MD_C
1887 # Disable also the builtin hashes since they are supported by the driver
1888 # and MD module is able to perform PSA dispathing.
1889 scripts/config.py unset-all MBEDTLS_SHA
1890 scripts/config.py unset MBEDTLS_MD5_C
1891 scripts/config.py unset MBEDTLS_RIPEMD160_C
1892 fi
1893
1894 # Direct dependencies of MD_C. We disable them also in the reference
1895 # component to work with the same set of features.
1896 scripts/config.py unset MBEDTLS_PKCS7_C
1897 scripts/config.py unset MBEDTLS_PKCS5_C
1898 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
1899 scripts/config.py unset MBEDTLS_HKDF_C
1900 # Dependencies of HMAC_DRBG
1901 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
1902 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
1903}
1904
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1905component_test_psa_crypto_config_accel_hmac () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1906 msg "test: full with accelerated hmac"
1907
1908 loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \
1909 ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
1910 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1911 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1912
1913 # Configure
1914 # ---------
1915
1916 config_psa_crypto_hmac_use_psa 1
1917
1918 # Build
1919 # -----
1920
1921 helper_libtestdriver1_make_drivers "$loc_accel_list"
1922
1923 helper_libtestdriver1_make_main "$loc_accel_list"
1924
1925 # Ensure that built-in support for HMAC is disabled.
1926 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
1927
1928 # Run the tests
1929 # -------------
1930
1931 msg "test: full with accelerated hmac"
1932 make test
1933}
1934
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]1935component_test_psa_crypto_config_reference_hmac () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]1936 msg "test: full without accelerated hmac"
1937
1938 config_psa_crypto_hmac_use_psa 0
1939
1940 make
1941
1942 msg "test: full without accelerated hmac"
1943 make test
1944}
1945
1946component_test_psa_crypto_config_accel_des () {
1947 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
1948
1949 # Albeit this components aims at accelerating DES which should only support
1950 # CBC and ECB modes, we need to accelerate more than that otherwise DES_C
1951 # would automatically be re-enabled by "config_adjust_legacy_from_psa.c"
1952 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \
1953 ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \
1954 KEY_TYPE_DES"
1955
1956 # Note: we cannot accelerate all ciphers' key types otherwise we would also
1957 # have to either disable CCM/GCM or accelerate them, but that's out of scope
1958 # of this component. This limitation will be addressed by #8598.
1959
1960 # Configure
1961 # ---------
1962
1963 # Start from the full config
1964 helper_libtestdriver1_adjust_config "full"
1965
1966 # Disable the things that are being accelerated
1967 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
1968 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
1969 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
1970 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
1971 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
1972 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
1973 scripts/config.py unset MBEDTLS_DES_C
1974 scripts/config.py unset MBEDTLS_CMAC_C
1975
1976 # Build
1977 # -----
1978
1979 helper_libtestdriver1_make_drivers "$loc_accel_list"
1980
1981 helper_libtestdriver1_make_main "$loc_accel_list"
1982
1983 # Make sure this was not re-enabled by accident (additive config)
1984 not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o
1985
1986 # Run the tests
1987 # -------------
1988
1989 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
1990 make test
1991}
1992
1993component_test_psa_crypto_config_accel_aead () {
1994 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
1995
1996 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \
1997 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
1998
1999 # Configure
2000 # ---------
2001
2002 # Start from full config
2003 helper_libtestdriver1_adjust_config "full"
2004
2005 # Disable things that are being accelerated
2006 scripts/config.py unset MBEDTLS_GCM_C
2007 scripts/config.py unset MBEDTLS_CCM_C
2008 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2009
2010 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
2011 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
2012
2013 # Build
2014 # -----
2015
2016 helper_libtestdriver1_make_drivers "$loc_accel_list"
2017
2018 helper_libtestdriver1_make_main "$loc_accel_list"
2019
2020 # Make sure this was not re-enabled by accident (additive config)
2021 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
2022 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
2023 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
2024
2025 # Run the tests
2026 # -------------
2027
2028 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2029 make test
2030}
2031
2032# This is a common configuration function used in:
2033# - component_test_psa_crypto_config_accel_cipher_aead_cmac
2034# - component_test_psa_crypto_config_reference_cipher_aead_cmac
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2035common_psa_crypto_config_accel_cipher_aead_cmac () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2036 # Start from the full config
2037 helper_libtestdriver1_adjust_config "full"
2038
2039 scripts/config.py unset MBEDTLS_NIST_KW_C
2040}
2041
2042# The 2 following test components, i.e.
2043# - component_test_psa_crypto_config_accel_cipher_aead_cmac
2044# - component_test_psa_crypto_config_reference_cipher_aead_cmac
2045# are meant to be used together in analyze_outcomes.py script in order to test
2046# driver's coverage for ciphers and AEADs.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2047component_test_psa_crypto_config_accel_cipher_aead_cmac () {
2048 msg "build: full config with accelerated cipher inc. AEAD and CMAC"
2049
2050 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
2051 ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
2052 ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \
2053 KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"
2054
2055 # Configure
2056 # ---------
2057
2058 common_psa_crypto_config_accel_cipher_aead_cmac
2059
2060 # Disable the things that are being accelerated
2061 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2062 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
2063 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
2064 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
2065 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
2066 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2067 scripts/config.py unset MBEDTLS_GCM_C
2068 scripts/config.py unset MBEDTLS_CCM_C
2069 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2070 scripts/config.py unset MBEDTLS_CMAC_C
2071 scripts/config.py unset MBEDTLS_DES_C
2072 scripts/config.py unset MBEDTLS_AES_C
2073 scripts/config.py unset MBEDTLS_ARIA_C
2074 scripts/config.py unset MBEDTLS_CHACHA20_C
2075 scripts/config.py unset MBEDTLS_CAMELLIA_C
2076
2077 # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
2078 # does not depend on it.
2079 scripts/config.py unset MBEDTLS_CIPHER_C
2080
2081 # Build
2082 # -----
2083
2084 helper_libtestdriver1_make_drivers "$loc_accel_list"
2085
2086 helper_libtestdriver1_make_main "$loc_accel_list"
2087
2088 # Make sure this was not re-enabled by accident (additive config)
2089 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2090 not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
2091 not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o
2092 not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o
2093 not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o
2094 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
2095 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
2096 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
2097 not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o
2098
2099 # Run the tests
2100 # -------------
2101
2102 msg "test: full config with accelerated cipher inc. AEAD and CMAC"
2103 make test
2104
2105 msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC"
2106 tests/ssl-opt.sh
2107
2108 msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC"
2109 tests/compat.sh -V NO -p mbedTLS
2110}
2111
2112component_test_psa_crypto_config_reference_cipher_aead_cmac () {
2113 msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
2114 common_psa_crypto_config_accel_cipher_aead_cmac
2115
2116 make
2117
2118 msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
2119 make test
2120
2121 msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC"
2122 tests/ssl-opt.sh
2123
2124 msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC"
2125 tests/compat.sh -V NO -p mbedTLS
2126}
2127
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2128common_block_cipher_dispatch () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2129 TEST_WITH_DRIVER="$1"
2130
2131 # Start from the full config
2132 helper_libtestdriver1_adjust_config "full"
2133
2134 if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
2135 # Disable key types that are accelerated (there is no legacy equivalent
2136 # symbol for ECB)
2137 scripts/config.py unset MBEDTLS_AES_C
2138 scripts/config.py unset MBEDTLS_ARIA_C
2139 scripts/config.py unset MBEDTLS_CAMELLIA_C
2140 fi
2141
2142 # Disable cipher's modes that, when not accelerated, cause
2143 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
2144 # Keep this also in the reference component in order to skip the same tests
2145 # that were skipped in the accelerated one.
2146 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
2147 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
2148 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
2149 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
2150 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
2151 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
2152 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
2153 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
2154
2155 # Disable direct dependency on AES_C
2156 scripts/config.py unset MBEDTLS_NIST_KW_C
2157
2158 # Prevent the cipher module from using deprecated PSA path. The reason is
2159 # that otherwise there will be tests relying on "aes_info" (defined in
2160 # "cipher_wrap.c") whose functions are not available when AES_C is
2161 # not defined. ARIA and Camellia are not a problem in this case because
2162 # the PSA path is not tested for these key types.
2163 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
2164}
2165
Gilles Peskinea9dda7e2024-06-21 11:25:01 +0200[diff] [blame]2166component_test_full_block_cipher_psa_dispatch_static_keystore () {
2167 msg "build: full + PSA dispatch in block_cipher with static keystore"
2168 # Check that the static key store works well when CTR_DRBG uses a
2169 # PSA key for AES.
2170 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC
2171
2172 loc_accel_list="ALG_ECB_NO_PADDING \
2173 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2174
2175 # Configure
2176 # ---------
2177
2178 common_block_cipher_dispatch 1
2179
2180 # Build
2181 # -----
2182
2183 helper_libtestdriver1_make_drivers "$loc_accel_list"
2184
2185 helper_libtestdriver1_make_main "$loc_accel_list"
2186
2187 # Make sure disabled components were not re-enabled by accident (additive
2188 # config)
2189 not grep mbedtls_aes_ library/aes.o
2190 not grep mbedtls_aria_ library/aria.o
2191 not grep mbedtls_camellia_ library/camellia.o
2192
2193 # Run the tests
2194 # -------------
2195
2196 msg "test: full + PSA dispatch in block_cipher with static keystore"
2197 make test
2198}
2199
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2200component_test_full_block_cipher_psa_dispatch () {
2201 msg "build: full + PSA dispatch in block_cipher"
2202
2203 loc_accel_list="ALG_ECB_NO_PADDING \
2204 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2205
2206 # Configure
2207 # ---------
2208
2209 common_block_cipher_dispatch 1
2210
2211 # Build
2212 # -----
2213
2214 helper_libtestdriver1_make_drivers "$loc_accel_list"
2215
2216 helper_libtestdriver1_make_main "$loc_accel_list"
2217
2218 # Make sure disabled components were not re-enabled by accident (additive
2219 # config)
2220 not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o
2221 not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o
2222 not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o
2223
2224 # Run the tests
2225 # -------------
2226
2227 msg "test: full + PSA dispatch in block_cipher"
2228 make test
2229}
2230
2231# This is the reference component of component_test_full_block_cipher_psa_dispatch
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2232component_test_full_block_cipher_legacy_dispatch () {
2233 msg "build: full + legacy dispatch in block_cipher"
2234
2235 common_block_cipher_dispatch 0
2236
2237 make
2238
2239 msg "test: full + legacy dispatch in block_cipher"
2240 make test
2241}
2242
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2243component_test_aead_chachapoly_disabled () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2244 msg "build: full minus CHACHAPOLY"
2245 scripts/config.py full
2246 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2247 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
2248 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2249
2250 msg "test: full minus CHACHAPOLY"
2251 make test
2252}
2253
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2254component_test_aead_only_ccm () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2255 msg "build: full minus CHACHAPOLY and GCM"
2256 scripts/config.py full
2257 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2258 scripts/config.py unset MBEDTLS_GCM_C
2259 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
2260 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
2261 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2262
2263 msg "test: full minus CHACHAPOLY and GCM"
2264 make test
2265}
2266
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2267component_test_ccm_aes_sha256 () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2268 msg "build: CCM + AES + SHA256 configuration"
2269
2270 cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H"
2271 cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H"
2272
2273 make
2274
2275 msg "test: CCM + AES + SHA256 configuration"
2276 make test
2277}
2278
2279# Test that the given .o file builds with all (valid) combinations of the given options.
2280#
2281# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ...
2282#
2283# The validator function is the name of a function to validate the combination of options.
2284# It may be "" if all combinations are valid.
2285# It receives a string containing a combination of options, as passed to the compiler,
2286# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid.
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2287build_test_config_combos () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2288 file=$1
2289 shift
2290 validate_options=$1
2291 shift
2292 options=("$@")
2293
2294 # clear all of the options so that they can be overridden on the clang commandline
2295 for opt in "${options[@]}"; do
2296 ./scripts/config.py unset ${opt}
2297 done
2298
2299 # enter the library directory
2300 cd library
2301
2302 # The most common issue is unused variables/functions, so ensure -Wunused is set.
2303 warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused"
2304
2305 # Extract the command generated by the Makefile to build the target file.
2306 # This ensures that we have any include paths, macro definitions, etc
2307 # that may be applied by make.
2308 # Add -fsyntax-only as we only want a syntax check and don't need to generate a file.
2309 compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c"
2310
2311 makefile=$(TMPDIR=. mktemp)
2312 deps=""
2313
2314 len=${#options[@]}
2315 source_file=../${file%.o}.c
2316
2317 targets=0
2318 echo 'include Makefile' >${makefile}
2319
2320 for ((i = 0; i < $((2**${len})); i++)); do
2321 # generate each of 2^n combinations of options
2322 # each bit of $i is used to determine if options[i] will be set or not
2323 target="t"
2324 clang_args=""
2325 for ((j = 0; j < ${len}; j++)); do
2326 if (((i >> j) & 1)); then
2327 opt=-D${options[$j]}
2328 clang_args="${clang_args} ${opt}"
2329 target="${target}${opt}"
2330 fi
2331 done
2332
2333 # if combination is not known to be invalid, add it to the makefile
2334 if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then
2335 cmd="${compile_cmd} ${clang_args}"
2336 echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile}
2337
2338 deps="${deps} ${target}"
2339 ((++targets))
2340 fi
2341 done
2342
2343 echo "build_test_config_combos: ${deps}" >> ${makefile}
2344
2345 # execute all of the commands via Make (probably in parallel)
2346 make -s -f ${makefile} build_test_config_combos
2347 echo "$targets targets checked"
2348
2349 # clean up the temporary makefile
2350 rm ${makefile}
2351}
2352
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2353validate_aes_config_variations () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2354 if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then
2355 if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \
2356 ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then
2357 return 1
2358 fi
2359 fi
2360 return 0
2361}
2362
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2363component_build_aes_variations () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2364 # 18s - around 90ms per clang invocation on M1 Pro
2365 #
2366 # aes.o has many #if defined(...) guards that intersect in complex ways.
2367 # Test that all the combinations build cleanly.
2368
2369 MBEDTLS_ROOT_DIR="$PWD"
2370 msg "build: aes.o for all combinations of relevant config options"
2371
2372 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
Thomas Daubney6cf05f92024-07-18 11:30:22 +0100[diff] [blame]2373 "MBEDTLS_AES_ROM_TABLES" \
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2374 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
2375 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
2376
2377 cd "$MBEDTLS_ROOT_DIR"
2378 msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT"
2379
2380 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES,
2381 # manually set or unset those configurations to check
2382 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
Ronald Cron54d1eec2024-09-06 09:55:38 +0200[diff] [blame]2383 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2384 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2385 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2386 scripts/config.py unset MBEDTLS_NIST_KW_C
Ronald Cron54d1eec2024-09-06 09:55:38 +0200[diff] [blame]2387
2388 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
2389 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
2390 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
2391 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
Ronald Cron4153ebb2024-09-11 15:32:48 +0200[diff] [blame]2392 # Note: The two unsets below are to be removed for Mbed TLS 4.0
Ronald Cron54d1eec2024-09-06 09:55:38 +0200[diff] [blame]2393 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2394 scripts/config.py unset MBEDTLS_DES_C
2395
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2396 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
Thomas Daubney6cf05f92024-07-18 11:30:22 +0100[diff] [blame]2397 "MBEDTLS_AES_ROM_TABLES" \
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2398 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
2399 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
2400}
2401
Minos Galanakisf78447f2024-07-26 20:49:51 +0100[diff] [blame]2402component_test_sha3_variations () {
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2403 msg "sha3 loop unroll variations"
2404
2405 # define minimal config sufficient to test SHA3
Ronald Crone7f289e2024-09-06 11:02:47 +0200[diff] [blame]2406 cat > include/mbedtls/mbedtls_config.h << END
2407 #define MBEDTLS_AES_C
2408 #define MBEDTLS_CTR_DRBG_C
2409 #define MBEDTLS_ENTROPY_C
2410 #define MBEDTLS_PSA_CRYPTO_C
2411 #define MBEDTLS_PSA_CRYPTO_CONFIG
2412 #define MBEDTLS_SELF_TEST
2413END
2414
2415 cat > tf-psa-crypto/include/psa/crypto_config.h << END
2416 #define PSA_WANT_ALG_SHA_256 1
2417 #define PSA_WANT_ALG_SHA3_224 1
2418 #define PSA_WANT_ALG_SHA3_256 1
2419 #define PSA_WANT_ALG_SHA3_384 1
2420 #define PSA_WANT_ALG_SHA3_512 1
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2421END
2422
2423 msg "all loops unrolled"
2424 make clean
2425 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1"
2426 ./tf-psa-crypto/tests/test_suite_shax
2427
2428 msg "all loops rolled up"
2429 make clean
2430 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0"
2431 ./tf-psa-crypto/tests/test_suite_shax
2432}
2433
Minos Galanakisf699d512024-08-01 11:32:30 +0100[diff] [blame]2434support_build_aes_aesce_armcc () {
2435 support_build_armcc
2436}
2437
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2438# For timebeing, no aarch64 gcc available in CI and no arm64 CI node.
2439component_build_aes_aesce_armcc () {
2440 msg "Build: AESCE test on arm64 platform without plain C."
2441 scripts/config.py baremetal
2442
2443 # armc[56] don't support SHA-512 intrinsics
2444 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
2445
2446 # Stop armclang warning about feature detection for A64_CRYPTO.
2447 # With this enabled, the library does build correctly under armclang,
2448 # but in baremetal builds (as tested here), feature detection is
2449 # unavailable, and the user is notified via a #warning. So enabling
2450 # this feature would prevent us from building with -Werror on
2451 # armclang. Tracked in #7198.
2452 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
2453 scripts/config.py set MBEDTLS_HAVE_ASM
2454
2455 msg "AESCE, build with default configuration."
2456 scripts/config.py set MBEDTLS_AESCE_C
2457 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
Manuel Pégourié-Gonnard8f08bcd2024-10-01 13:01:54 +0200[diff] [blame]2458 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2459
2460 msg "AESCE, build AESCE only"
2461 scripts/config.py set MBEDTLS_AESCE_C
2462 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
Manuel Pégourié-Gonnard8f08bcd2024-10-01 13:01:54 +0200[diff] [blame]2463 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2464}
2465
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2466component_test_aes_only_128_bit_keys () {
2467 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH"
2468 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
2469
2470 make CFLAGS='-O2 -Werror -Wall -Wextra'
2471
2472 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH"
2473 make test
2474}
2475
2476component_test_no_ctr_drbg_aes_only_128_bit_keys () {
2477 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
2478 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
2479 scripts/config.py unset MBEDTLS_CTR_DRBG_C
2480
2481 make CC=clang CFLAGS='-Werror -Wall -Wextra'
2482
2483 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
2484 make test
2485}
2486
2487component_test_aes_only_128_bit_keys_have_builtins () {
2488 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
2489 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
2490 scripts/config.py unset MBEDTLS_AESNI_C
2491 scripts/config.py unset MBEDTLS_AESCE_C
2492
2493 make CFLAGS='-O2 -Werror -Wall -Wextra'
2494
2495 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
2496 make test
2497
2498 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
2499 programs/test/selftest
2500}
2501
2502component_test_gcm_largetable () {
2503 msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C"
2504 scripts/config.py set MBEDTLS_GCM_LARGE_TABLE
2505 scripts/config.py unset MBEDTLS_AESNI_C
2506 scripts/config.py unset MBEDTLS_AESCE_C
2507
2508 make CFLAGS='-O2 -Werror -Wall -Wextra'
2509
2510 msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C"
2511 make test
2512}
2513
2514component_test_aes_fewer_tables () {
2515 msg "build: default config with AES_FEWER_TABLES enabled"
2516 scripts/config.py set MBEDTLS_AES_FEWER_TABLES
2517 make CFLAGS='-O2 -Werror -Wall -Wextra'
2518
2519 msg "test: AES_FEWER_TABLES"
2520 make test
2521}
2522
2523component_test_aes_rom_tables () {
2524 msg "build: default config with AES_ROM_TABLES enabled"
2525 scripts/config.py set MBEDTLS_AES_ROM_TABLES
2526 make CFLAGS='-O2 -Werror -Wall -Wextra'
2527
2528 msg "test: AES_ROM_TABLES"
2529 make test
2530}
2531
2532component_test_aes_fewer_tables_and_rom_tables () {
2533 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled"
2534 scripts/config.py set MBEDTLS_AES_FEWER_TABLES
2535 scripts/config.py set MBEDTLS_AES_ROM_TABLES
2536 make CFLAGS='-O2 -Werror -Wall -Wextra'
2537
2538 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES"
2539 make test
2540}
2541
Ronald Cron66040472024-09-06 10:14:38 +0200[diff] [blame]2542# helper for component_test_block_cipher_no_decrypt_aesni() which:
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2543# - enable/disable the list of config options passed from -s/-u respectively.
2544# - build
2545# - test for tests_suite_xxx
2546# - selftest
2547#
2548# Usage: helper_block_cipher_no_decrypt_build_test
2549# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]]
2550# Options: -s set_opts the list of config options to enable
2551# -u unset_opts the list of config options to disable
2552# -c cflags the list of options passed to CFLAGS
2553# -l ldflags the list of options passed to LDFLAGS
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2554helper_block_cipher_no_decrypt_build_test () {
2555 while [ $# -gt 0 ]; do
2556 case "$1" in
2557 -s)
2558 shift; local set_opts="$1";;
2559 -u)
2560 shift; local unset_opts="$1";;
2561 -c)
2562 shift; local cflags="-Werror -Wall -Wextra $1";;
2563 -l)
2564 shift; local ldflags="$1";;
2565 esac
2566 shift
2567 done
2568 set_opts="${set_opts:-}"
2569 unset_opts="${unset_opts:-}"
2570 cflags="${cflags:-}"
2571 ldflags="${ldflags:-}"
2572
2573 [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts
2574 [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts
2575
2576 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
2577 make clean
2578 make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags"
2579
2580 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
2581 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
2582 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
2583 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
2584 # Make sure we don't have mbedtls_internal_aes_decrypt in AES
2585 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
2586 # Make sure we don't have mbedtls_aesni_inverse_key in AESNI
2587 not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o
2588
2589 msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
2590 make test
2591
2592 msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
2593 programs/test/selftest
2594}
2595
Ronald Cron66040472024-09-06 10:14:38 +0200[diff] [blame]2596# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
2597config_block_cipher_no_decrypt () {
2598 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
2599 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2600 scripts/config.py unset MBEDTLS_NIST_KW_C
2601
2602 # Enable support for cryptographic mechanisms through the PSA API.
2603 # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
2604 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2605 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
2606 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
2607 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
2608 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
Ronald Cron4153ebb2024-09-11 15:32:48 +0200[diff] [blame]2609 # Note: The two unsets below are to be removed for Mbed TLS 4.0
Ronald Cron66040472024-09-06 10:14:38 +0200[diff] [blame]2610 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2611 scripts/config.py unset MBEDTLS_DES_C
2612}
2613
2614component_test_block_cipher_no_decrypt_aesni () {
2615 # Test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, AESNI assembly and
2616 # AES C implementation on x86_64 and with AESNI intrinsics on x86.
2617
2618 # This consistently causes an llvm crash on clang 3.8, so use gcc
2619 export CC=gcc
2620 config_block_cipher_no_decrypt
2621
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2622 # test AESNI intrinsics
2623 helper_block_cipher_no_decrypt_build_test \
2624 -s "MBEDTLS_AESNI_C" \
2625 -c "-mpclmul -msse2 -maes"
2626
2627 # test AESNI assembly
2628 helper_block_cipher_no_decrypt_build_test \
2629 -s "MBEDTLS_AESNI_C" \
2630 -c "-mno-pclmul -mno-sse2 -mno-aes"
2631
2632 # test AES C implementation
2633 helper_block_cipher_no_decrypt_build_test \
2634 -u "MBEDTLS_AESNI_C"
2635
2636 # test AESNI intrinsics for i386 target
2637 helper_block_cipher_no_decrypt_build_test \
2638 -s "MBEDTLS_AESNI_C" \
2639 -c "-m32 -mpclmul -msse2 -maes" \
2640 -l "-m32"
2641}
2642
Minos Galanakisf699d512024-08-01 11:32:30 +0100[diff] [blame]2643support_test_block_cipher_no_decrypt_aesce_armcc () {
2644 support_build_armcc
2645}
2646
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2647component_test_block_cipher_no_decrypt_aesce_armcc () {
2648 scripts/config.py baremetal
2649
2650 # armc[56] don't support SHA-512 intrinsics
2651 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
2652
2653 # Stop armclang warning about feature detection for A64_CRYPTO.
2654 # With this enabled, the library does build correctly under armclang,
2655 # but in baremetal builds (as tested here), feature detection is
2656 # unavailable, and the user is notified via a #warning. So enabling
2657 # this feature would prevent us from building with -Werror on
2658 # armclang. Tracked in #7198.
2659 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
2660 scripts/config.py set MBEDTLS_HAVE_ASM
2661
Ronald Cron66040472024-09-06 10:14:38 +0200[diff] [blame]2662 config_block_cipher_no_decrypt
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2663
2664 # test AESCE baremetal build
2665 scripts/config.py set MBEDTLS_AESCE_C
2666 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE"
Manuel Pégourié-Gonnard8f08bcd2024-10-01 13:01:54 +0200[diff] [blame]2667 helper_armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2668
2669 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
2670 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
2671 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
2672 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
2673 # Make sure we don't have mbedtls_internal_aes_decrypt in AES
2674 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
2675 # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE
2676 not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o
2677 not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
2678}
2679
2680component_test_ctr_drbg_aes_256_sha_256 () {
2681 msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
2682 scripts/config.py full
2683 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
2684 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
2685 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
2686 make
2687
2688 msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
2689 make test
2690}
2691
2692component_test_ctr_drbg_aes_128_sha_512 () {
2693 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
2694 scripts/config.py full
2695 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
2696 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
2697 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
2698 make
2699
2700 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
2701 make test
2702}
2703
2704component_test_ctr_drbg_aes_128_sha_256 () {
2705 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
2706 scripts/config.py full
2707 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
2708 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
2709 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
2710 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
2711 make
2712
2713 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
2714 make test
2715}
2716
2717component_test_se_default () {
2718 msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C"
2719 scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C
2720 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS"
2721
2722 msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C"
2723 make test
2724}
2725
Gilles Peskinea9dda7e2024-06-21 11:25:01 +0200[diff] [blame]2726component_test_full_static_keystore () {
2727 msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC"
2728 scripts/config.py full
2729 scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC
2730 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS"
2731
2732 msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC"
2733 make test
2734}
2735
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2736component_test_psa_crypto_drivers () {
Ronald Crona0afbfb2024-10-15 13:20:31 +0200[diff] [blame]2737 # Test dispatch to drivers and fallbacks with
2738 # test_suite_psa_crypto_driver_wrappers test suite. The test drivers that
2739 # are wrappers around the builtin drivers are activated by
2740 # PSA_CRYPTO_DRIVER_TEST.
2741 #
2742 # For the time being, some test cases in test_suite_block_cipher and
2743 # test_suite_md.psa rely on this component to be run at least once by the
2744 # CI. This should disappear as we progress the 4.x work. See
2745 # config_adjust_test_accelerators.h for more information.
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2746 msg "build: full + test drivers dispatching to builtins"
2747 scripts/config.py full
Ronald Cron67cc6a72024-10-14 10:55:24 +0200[diff] [blame]2748 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS"
Ronald Cronede04b32024-10-16 10:47:15 +0200[diff] [blame]2749 loc_cflags="${loc_cflags} -I../tests/include"
Minos Galanakis471b34c2024-07-26 15:39:24 +0100[diff] [blame]2750
2751 make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
2752
2753 msg "test: full + test drivers dispatching to builtins"
2754 make test
2755}
2756
2757component_build_psa_config_file () {
2758 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
2759 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2760 cp "$CRYPTO_CONFIG_H" psa_test_config.h
2761 echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
2762 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
2763 # Make sure this feature is enabled. We'll disable it in the next phase.
2764 programs/test/query_compile_time_config MBEDTLS_CMAC_C
2765 make clean
2766
2767 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
2768 # In the user config, disable one feature and its dependencies, which will
2769 # reflect on the mbedtls configuration so we can query it with
2770 # query_compile_time_config.
2771 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
2772 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
2773 scripts/config.py unset MBEDTLS_CMAC_C
2774 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
2775 not programs/test/query_compile_time_config MBEDTLS_CMAC_C
2776
2777 rm -f psa_test_config.h psa_user_config.h
2778}
2779
2780component_build_psa_alt_headers () {
2781 msg "build: make with PSA alt headers" # ~20s
2782
2783 # Generate alternative versions of the substitutable headers with the
2784 # same content except different include guards.
2785 make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h
2786
2787 # Build the library and some programs.
2788 # Don't build the fuzzers to avoid having to go through hoops to set
2789 # a correct include path for programs/fuzz/Makefile.
2790 make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib
2791 make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'"
2792
2793 # Check that we're getting the alternative include guards and not the
2794 # original include guards.
2795 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H
2796 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H
2797 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H
2798 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H
2799}
2800
2801component_test_min_mpi_window_size () {
2802 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
2803 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1
2804 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
2805 make
2806
2807 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
2808 make test
2809}