TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ada21b09b51d6ca25922e8062b1a523aaf655314 / . / tests / scripts / components.sh
blob: 2a78026654c6f1a33b7daf3569b50bb76501934c [file] [log] [blame]
Minos Galanakis6aab5b72024-07-25 14:24:37 +0100[diff] [blame]1# components.sh
2#
3# Copyright The Mbed TLS Contributors
4# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
5
6# This file contains the test components that are executed by all.sh
7
8# The functions below are named as follows:
9# * component_XXX: independent components. They can be run in any order.
10# * component_check_XXX: quick tests that aren't worth parallelizing.
11# * component_build_XXX: build things but don't run them.
12# * component_test_XXX: build and test.
13# * component_release_XXX: tests that the CI should skip during PR testing.
14# * support_XXX: if support_XXX exists and returns false then
15# component_XXX is not run by default.
16
17# Each component must start by invoking `msg` with a short informative message.
18#
19# Warning: due to the way bash detects errors, the failure of a command
20# inside 'if' or '!' is not detected. Use the 'not' function instead of '!'.
21#
22# Each component is executed in a separate shell process. The component
23# fails if any command in it returns a non-zero status.
24#
25# The framework in all.sh performs some cleanup tasks after each component.
26# This means that components can assume that the working directory is in a
27# cleaned-up state, and don't need to perform the cleanup themselves.
28# * Run `make clean`.
29# * Restore `include/mbedtls/mbedtls_config.h` from a backup made before running
30# the component.
31# * Check out `Makefile`, `library/Makefile`, `programs/Makefile`,
32# `tests/Makefile` and `programs/fuzz/Makefile` from git.
33# This cleans up after an in-tree use of CMake.
34#
35# The tests are roughly in order from fastest to slowest. This doesn't
36# have to be exact, but in general you should add slower tests towards
37# the end and fast checks near the beginning.
38
39
40################################################################
41#### Build and test many configurations and targets
42################################################################
Minos Galanakisada21b02024-07-26 12:34:19 +0100[diff] [blame^]43
44# Helper function for controlling (start & stop) the psasim server.
45helper_psasim_server() {
46 OPERATION=$1
47 if [ "$OPERATION" == "start" ]; then
48 (
49 cd tests
50 msg "start server in tests"
51 psa-client-server/psasim/test/start_server.sh
52 msg "start server in tf-psa-crypto/tests"
53 cd ../tf-psa-crypto/tests
54 ../../tests/psa-client-server/psasim/test/start_server.sh
55 )
56 else
57 (
58 msg "terminate servers and cleanup"
59 tests/psa-client-server/psasim//test/kill_servers.sh
60
61 # Remove temporary files and logs
62 cd tests
63 rm -f psa_notify_*
64 rm -f psa_service_*
65 rm -f psa_server.log
66
67 cd ../tf-psa-crypto/tests
68 rm -f psa_notify_*
69 rm -f psa_service_*
70 rm -f psa_server.log
71 )
72 fi
73}
74
75################################################################
76#### Basic checks
77################################################################
78
79#
80# Test Suites to be executed
81#
82# The test ordering tries to optimize for the following criteria:
83# 1. Catch possible problems early, by running first tests that run quickly
84# and/or are more likely to fail than others (eg I use Clang most of the
85# time, so start with a GCC build).
86# 2. Minimize total running time, by avoiding useless rebuilds
87#
88# Indicative running times are given for reference.
89
90component_check_recursion () {
91 msg "Check: recursion.pl" # < 1s
92 tests/scripts/recursion.pl library/*.c
93 tests/scripts/recursion.pl ${PSA_CORE_PATH}/*.c
94 tests/scripts/recursion.pl ${BUILTIN_SRC_PATH}/*.c
95}
96
97component_check_generated_files () {
98 msg "Check: check-generated-files, files generated with make" # 2s
99 make generated_files
100 tests/scripts/check-generated-files.sh
101
102 msg "Check: check-generated-files -u, files present" # 2s
103 tests/scripts/check-generated-files.sh -u
104 # Check that the generated files are considered up to date.
105 tests/scripts/check-generated-files.sh
106
107 msg "Check: check-generated-files -u, files absent" # 2s
108 command make neat
109 tests/scripts/check-generated-files.sh -u
110 # Check that the generated files are considered up to date.
111 tests/scripts/check-generated-files.sh
112
113 # This component ends with the generated files present in the source tree.
114 # This is necessary for subsequent components!
115}
116
117component_check_doxy_blocks () {
118 msg "Check: doxygen markup outside doxygen blocks" # < 1s
119 tests/scripts/check-doxy-blocks.pl
120}
121
122component_check_files () {
123 msg "Check: file sanity checks (permissions, encodings)" # < 1s
124 tests/scripts/check_files.py
125}
126
127component_check_changelog () {
128 msg "Check: changelog entries" # < 1s
129 rm -f ChangeLog.new
130 scripts/assemble_changelog.py -o ChangeLog.new
131 if [ -e ChangeLog.new ]; then
132 # Show the diff for information. It isn't an error if the diff is
133 # non-empty.
134 diff -u ChangeLog ChangeLog.new || true
135 rm ChangeLog.new
136 fi
137}
138
139component_check_names () {
140 msg "Check: declared and exported names (builds the library)" # < 3s
141 tests/scripts/check_names.py -v
142}
143
144component_check_test_cases () {
145 msg "Check: test case descriptions" # < 1s
146 if [ $QUIET -eq 1 ]; then
147 opt='--quiet'
148 else
149 opt=''
150 fi
151 tests/scripts/check_test_cases.py -q $opt
152 unset opt
153}
154
155component_check_test_dependencies () {
156 msg "Check: test case dependencies: legacy vs PSA" # < 1s
157 # The purpose of this component is to catch unjustified dependencies on
158 # legacy feature macros (MBEDTLS_xxx) in PSA tests. Generally speaking,
159 # PSA test should use PSA feature macros (PSA_WANT_xxx, more rarely
160 # MBEDTLS_PSA_xxx).
161 #
162 # Most of the time, use of legacy MBEDTLS_xxx macros are mistakes, which
163 # this component is meant to catch. However a few of them are justified,
164 # mostly by the absence of a PSA equivalent, so this component includes a
165 # list of expected exceptions.
166
167 found="check-test-deps-found-$$"
168 expected="check-test-deps-expected-$$"
169
170 # Find legacy dependencies in PSA tests
171 grep 'depends_on' \
172 tf-psa-crypto/tests/suites/test_suite_psa*.data \
173 tf-psa-crypto/tests/suites/test_suite_psa*.function |
174 grep -Eo '!?MBEDTLS_[^: ]*' |
175 grep -v -e MBEDTLS_PSA_ -e MBEDTLS_TEST_ |
176 sort -u > $found
177
178 # Expected ones with justification - keep in sorted order by ASCII table!
179 rm -f $expected
180 # No PSA equivalent - WANT_KEY_TYPE_AES means all sizes
181 echo "!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" >> $expected
182 # No PSA equivalent - used to skip decryption tests in PSA-ECB, CBC/XTS/NIST_KW/DES
183 echo "!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT" >> $expected
184 # MBEDTLS_ASN1_WRITE_C is used by import_rsa_made_up() in test_suite_psa_crypto
185 # in order to build a fake RSA key of the wanted size based on
186 # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by
187 # the test code and that's probably the most convenient way of achieving
188 # the test's goal.
189 echo "MBEDTLS_ASN1_WRITE_C" >> $expected
190 # No PSA equivalent - we should probably have one in the future.
191 echo "MBEDTLS_ECP_RESTARTABLE" >> $expected
192 # No PSA equivalent - needed by some init tests
193 echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected
194 # No PSA equivalent - required to run threaded tests.
195 echo "MBEDTLS_THREADING_PTHREAD" >> $expected
196
197 # Compare reality with expectation.
198 # We want an exact match, to ensure the above list remains up-to-date.
199 #
200 # The output should be empty. When it's not:
201 # - Each '+' line is a macro that was found but not expected. You want to
202 # find where that macro occurs, and either replace it with PSA macros, or
203 # add it to the exceptions list above with a justification.
204 # - Each '-' line is a macro that was expected but not found; it means the
205 # exceptions list above should be updated by removing that macro.
206 diff -U0 $expected $found
207
208 rm $found $expected
209}
210
211component_check_doxygen_warnings () {
212 msg "Check: doxygen warnings (builds the documentation)" # ~ 3s
213 tests/scripts/doxygen.sh
214}
215
216
217
218################################################################
219#### Build and test many configurations and targets
220################################################################
221
222component_test_default_out_of_box () {
223 msg "build: make, default config (out-of-box)" # ~1min
224 make
225 # Disable fancy stuff
226 unset MBEDTLS_TEST_OUTCOME_FILE
227
228 msg "test: main suites make, default config (out-of-box)" # ~10s
229 make test
230
231 msg "selftest: make, default config (out-of-box)" # ~10s
232 programs/test/selftest
233
234 msg "program demos: make, default config (out-of-box)" # ~10s
235 tests/scripts/run_demos.py
236}
237
238component_test_default_cmake_gcc_asan () {
239 msg "build: cmake, gcc, ASan" # ~ 1 min 50s
240 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
241 make
242
243 msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
244 make test
245
246 msg "program demos (ASan build)" # ~10s
247 tests/scripts/run_demos.py
248
249 msg "test: selftest (ASan build)" # ~ 10s
250 programs/test/selftest
251
252 msg "test: metatests (GCC, ASan build)"
253 tests/scripts/run-metatests.sh any asan poison
254
255 msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
256 tests/ssl-opt.sh
257
258 msg "test: compat.sh (ASan build)" # ~ 6 min
259 tests/compat.sh
260
261 msg "test: context-info.sh (ASan build)" # ~ 15 sec
262 tests/context-info.sh
263}
264
265component_test_default_cmake_gcc_asan_new_bignum () {
266 msg "build: cmake, gcc, ASan" # ~ 1 min 50s
267 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
268 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
269 make
270
271 msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
272 make test
273
274 msg "test: selftest (ASan build)" # ~ 10s
275 programs/test/selftest
276
277 msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
278 tests/ssl-opt.sh
279
280 msg "test: compat.sh (ASan build)" # ~ 6 min
281 tests/compat.sh
282
283 msg "test: context-info.sh (ASan build)" # ~ 15 sec
284 tests/context-info.sh
285}
286
287component_test_full_cmake_gcc_asan () {
288 msg "build: full config, cmake, gcc, ASan"
289 scripts/config.py full
290 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
291 make
292
293 msg "test: main suites (inc. selftests) (full config, ASan build)"
294 make test
295
296 msg "test: selftest (full config, ASan build)" # ~ 10s
297 programs/test/selftest
298
299 msg "test: ssl-opt.sh (full config, ASan build)"
300 tests/ssl-opt.sh
301
302 # Note: the next two invocations cover all compat.sh test cases.
303 # We should use the same here and in basic-build-test.sh.
304 msg "test: compat.sh: default version (full config, ASan build)"
305 tests/compat.sh -e 'ARIA\|CHACHA'
306
307 msg "test: compat.sh: next: ARIA, Chacha (full config, ASan build)"
308 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
309
310 msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
311 tests/context-info.sh
312}
313
314
315component_test_full_cmake_gcc_asan_new_bignum () {
316 msg "build: full config, cmake, gcc, ASan"
317 scripts/config.py full
318 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
319 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
320 make
321
322 msg "test: main suites (inc. selftests) (full config, new bignum, ASan)"
323 make test
324
325 msg "test: selftest (full config, new bignum, ASan)" # ~ 10s
326 programs/test/selftest
327
328 msg "test: ssl-opt.sh (full config, new bignum, ASan)"
329 tests/ssl-opt.sh
330
331 # Note: the next two invocations cover all compat.sh test cases.
332 # We should use the same here and in basic-build-test.sh.
333 msg "test: compat.sh: default version (full config, new bignum, ASan)"
334 tests/compat.sh -e 'ARIA\|CHACHA'
335
336 msg "test: compat.sh: next: ARIA, Chacha (full config, new bignum, ASan)"
337 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
338
339 msg "test: context-info.sh (full config, new bignum, ASan)" # ~ 15 sec
340 tests/context-info.sh
341}
342
343component_test_psa_crypto_key_id_encodes_owner () {
344 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
345 scripts/config.py full
346 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
347 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
348 make
349
350 msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
351 make test
352}
353
354component_test_psa_assume_exclusive_buffers () {
355 msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
356 scripts/config.py full
357 scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
358 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
359 make
360
361 msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
362 make test
363}
364
365# check_renamed_symbols HEADER LIB
366# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
367# name is LIB.
368check_renamed_symbols () {
369 ! nm "$2" | sed 's/.* //' |
370 grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")"
371}
372
373component_build_psa_crypto_spm () {
374 msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc"
375 scripts/config.py full
376 scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
377 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
378 scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM
379 # We can only compile, not link, since our test and sample programs
380 # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM
381 # is active.
382 make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib
383
384 # Check that if a symbol is renamed by crypto_spe.h, the non-renamed
385 # version is not present.
386 echo "Checking for renamed symbols in the library"
387 check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
388}
389
390component_test_no_rsa_key_pair_generation() {
391 msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
392 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
393 scripts/config.py unset MBEDTLS_GENPRIME
394 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
395 make
396
397 msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
398 make test
399}
400
401component_test_ref_configs () {
402 msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
403 # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
404 # want to re-generate generated files that depend on it, quite correctly.
405 # However this doesn't work as the generation script expects a specific
406 # format for mbedtls_config.h, which the other files don't follow. Also,
407 # cmake can't know this, but re-generation is actually not necessary as
408 # the generated files only depend on the list of available options, not
409 # whether they're on or off. So, disable cmake's (over-sensitive here)
410 # dependency resolution for generated files and just rely on them being
411 # present (thanks to pre_generate_files) by turning GEN_FILES off.
412 CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
413 tests/scripts/test-ref-configs.pl config-tfm.h
414}
415
416component_test_no_renegotiation () {
417 msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
418 scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION
419 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
420 make
421
422 msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
423 make test
424
425 msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
426 tests/ssl-opt.sh
427}
428
429component_test_no_pem_no_fs () {
430 msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)"
431 scripts/config.py unset MBEDTLS_PEM_PARSE_C
432 scripts/config.py unset MBEDTLS_FS_IO
433 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem
434 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS
435 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
436 make
437
438 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s
439 make test
440
441 msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min
442 tests/ssl-opt.sh
443}
444
445component_test_rsa_no_crt () {
446 msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
447 scripts/config.py set MBEDTLS_RSA_NO_CRT
448 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
449 make
450
451 msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
452 make test
453
454 msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
455 tests/ssl-opt.sh -f RSA
456
457 msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
458 tests/compat.sh -t RSA
459
460 msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec
461 tests/context-info.sh
462}
463
464component_test_no_ctr_drbg_classic () {
465 msg "build: Full minus CTR_DRBG, classic crypto in TLS"
466 scripts/config.py full
467 scripts/config.py unset MBEDTLS_CTR_DRBG_C
468 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
469 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
470
471 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
472 make
473
474 msg "test: Full minus CTR_DRBG, classic crypto - main suites"
475 make test
476
477 # In this configuration, the TLS test programs use HMAC_DRBG.
478 # The SSL tests are slow, so run a small subset, just enough to get
479 # confidence that the SSL code copes with HMAC_DRBG.
480 msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)"
481 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
482
483 msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)"
484 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
485}
486
487component_test_no_ctr_drbg_use_psa () {
488 msg "build: Full minus CTR_DRBG, PSA crypto in TLS"
489 scripts/config.py full
490 scripts/config.py unset MBEDTLS_CTR_DRBG_C
491 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
492
493 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
494 make
495
496 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
497 make test
498
499 # In this configuration, the TLS test programs use HMAC_DRBG.
500 # The SSL tests are slow, so run a small subset, just enough to get
501 # confidence that the SSL code copes with HMAC_DRBG.
502 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
503 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
504
505 msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
506 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
507}
508
509component_test_no_hmac_drbg_classic () {
510 msg "build: Full minus HMAC_DRBG, classic crypto in TLS"
511 scripts/config.py full
512 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
513 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
514 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
515 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
516
517 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
518 make
519
520 msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
521 make test
522
523 # Normally our ECDSA implementation uses deterministic ECDSA. But since
524 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
525 # instead.
526 # Test SSL with non-deterministic ECDSA. Only test features that
527 # might be affected by how ECDSA signature is performed.
528 msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)"
529 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
530
531 # To save time, only test one protocol version, since this part of
532 # the protocol is identical in (D)TLS up to 1.2.
533 msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)"
534 tests/compat.sh -m tls12 -t 'ECDSA'
535}
536
537component_test_no_hmac_drbg_use_psa () {
538 msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
539 scripts/config.py full
540 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
541 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
542 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
543
544 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
545 make
546
547 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
548 make test
549
550 # Normally our ECDSA implementation uses deterministic ECDSA. But since
551 # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
552 # instead.
553 # Test SSL with non-deterministic ECDSA. Only test features that
554 # might be affected by how ECDSA signature is performed.
555 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
556 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
557
558 # To save time, only test one protocol version, since this part of
559 # the protocol is identical in (D)TLS up to 1.2.
560 msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
561 tests/compat.sh -m tls12 -t 'ECDSA'
562}
563
564component_test_psa_external_rng_no_drbg_classic () {
565 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS"
566 scripts/config.py full
567 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
568 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
569 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
570 scripts/config.py unset MBEDTLS_ENTROPY_C
571 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
572 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
573 scripts/config.py unset MBEDTLS_CTR_DRBG_C
574 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
575 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
576 # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
577 # the SSL test programs don't have an RNG and can't work. Explicitly
578 # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
579 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
580
581 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
582 make test
583
584 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)"
585 tests/ssl-opt.sh -f 'Default'
586}
587
588component_test_psa_external_rng_no_drbg_use_psa () {
589 msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
590 scripts/config.py full
591 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
592 scripts/config.py unset MBEDTLS_ENTROPY_C
593 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
594 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
595 scripts/config.py unset MBEDTLS_CTR_DRBG_C
596 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
597 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
598 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
599
600 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
601 make test
602
603 msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)"
604 tests/ssl-opt.sh -f 'Default\|opaque'
605}
606
607component_test_psa_external_rng_use_psa_crypto () {
608 msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
609 scripts/config.py full
610 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
611 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
612 scripts/config.py unset MBEDTLS_CTR_DRBG_C
613 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
614
615 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
616 make test
617
618 msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
619 tests/ssl-opt.sh -f 'Default\|opaque'
620}
621
622component_test_psa_inject_entropy () {
623 msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY"
624 scripts/config.py full
625 scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY
626 scripts/config.py set MBEDTLS_ENTROPY_NV_SEED
627 scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
628 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
629 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
630 scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
631 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
632
633 msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
634 make test
635}
636
637component_test_sw_inet_pton () {
638 msg "build: default plus MBEDTLS_TEST_SW_INET_PTON"
639
640 # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton
641 scripts/config.py set MBEDTLS_TEST_HOOKS
642 make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON"
643
644 msg "test: default plus MBEDTLS_TEST_SW_INET_PTON"
645 make test
646}
647
648component_full_no_pkparse_pkwrite() {
649 msg "build: full without pkparse and pkwrite"
650
651 scripts/config.py crypto_full
652 scripts/config.py unset MBEDTLS_PK_PARSE_C
653 scripts/config.py unset MBEDTLS_PK_WRITE_C
654
655 make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
656
657 # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config).
658 not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o
659 not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o
660
661 msg "test: full without pkparse and pkwrite"
662 make test
663}
664
665component_test_crypto_full_md_light_only () {
666 msg "build: crypto_full with only the light subset of MD"
667 scripts/config.py crypto_full
668
669 # Disable MD
670 scripts/config.py unset MBEDTLS_MD_C
671 # Disable direct dependencies of MD_C
672 scripts/config.py unset MBEDTLS_HKDF_C
673 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
674 scripts/config.py unset MBEDTLS_PKCS7_C
675 # Disable indirect dependencies of MD_C
676 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
677 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
678 # Disable things that would auto-enable MD_C
679 scripts/config.py unset MBEDTLS_PKCS5_C
680
681 # Note: MD-light is auto-enabled in build_info.h by modules that need it,
682 # which we haven't disabled, so no need to explicitly enable it.
683 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
684
685 # Make sure we don't have the HMAC functions, but the hashing functions
686 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
687 grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o
688
689 msg "test: crypto_full with only the light subset of MD"
690 make test
691}
692
693component_test_full_no_cipher () {
694 msg "build: full no CIPHER"
695
696 scripts/config.py full
697 scripts/config.py unset MBEDTLS_CIPHER_C
698
699 # The built-in implementation of the following algs/key-types depends
700 # on CIPHER_C so we disable them.
701 # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
702 # so we keep them enabled.
703 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
704 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
705 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
706 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
707 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
708 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
709 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
710 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
711 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
712 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
713 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
714
715 # The following modules directly depends on CIPHER_C
716 scripts/config.py unset MBEDTLS_CMAC_C
717 scripts/config.py unset MBEDTLS_NIST_KW_C
718
719 make
720
721 # Ensure that CIPHER_C was not re-enabled
722 not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o
723
724 msg "test: full no CIPHER"
725 make test
726}
727
728component_test_full_no_ccm() {
729 msg "build: full no PSA_WANT_ALG_CCM"
730
731 # Full config enables:
732 # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
733 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
734 scripts/config.py full
735
736 # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still
737 # enabled, but not used from TLS since USE_PSA is set.
738 # This is helpful to ensure that TLS tests below have proper dependencies.
739 #
740 # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause
741 # PSA_WANT_ALG_CCM to be re-enabled.
742 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
743
744 make
745
746 msg "test: full no PSA_WANT_ALG_CCM"
747 make test
748}
749
750component_test_full_no_ccm_star_no_tag() {
751 msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
752
753 # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
754 scripts/config.py full
755
756 # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all
757 # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol.
758 # This basically disables all unauthenticated ciphers on the PSA side, while
759 # keeping AEADs enabled.
760 #
761 # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause
762 # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled.
763 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
764 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
765 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
766 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
767 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
768 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
769 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
770 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
771
772 make
773
774 # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
775 not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o
776
777 msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
778 make test
779}
780
781component_test_tls1_2_default_stream_cipher_only () {
782 msg "build: default with only stream cipher use psa"
783
784 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
785 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
786 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
787 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
788 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
789 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
790 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
791 # Note: The three unsets below are to be removed for Mbed TLS 4.0
792 scripts/config.py unset MBEDTLS_GCM_C
793 scripts/config.py unset MBEDTLS_CCM_C
794 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
795 #Disable TLS 1.3 (as no AEAD)
796 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
797 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
798 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
799 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
800 # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
801 # Note: The unset below is to be removed for 4.0
802 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
803 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
804 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
805 # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
806 scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
807 # Modules that depend on AEAD
808 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
809 scripts/config.py unset MBEDTLS_SSL_TICKET_C
810
811 make
812
813 msg "test: default with only stream cipher use psa"
814 make test
815
816 # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
817}
818
819component_test_tls1_2_default_cbc_legacy_cipher_only () {
820 msg "build: default with only CBC-legacy cipher use psa"
821
822 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
823 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
824 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
825 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
826 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
827 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
828 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
829 # Note: The three unsets below are to be removed for Mbed TLS 4.0
830 scripts/config.py unset MBEDTLS_GCM_C
831 scripts/config.py unset MBEDTLS_CCM_C
832 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
833 #Disable TLS 1.3 (as no AEAD)
834 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
835 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
836 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
837 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
838 scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
839 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
840 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
841 # Modules that depend on AEAD
842 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
843 scripts/config.py unset MBEDTLS_SSL_TICKET_C
844
845 make
846
847 msg "test: default with only CBC-legacy cipher use psa"
848 make test
849
850 msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)"
851 tests/ssl-opt.sh -f "TLS 1.2"
852}
853
854component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
855 msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
856
857 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
858 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
859 # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
860 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
861 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
862 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
863 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
864 # Note: The three unsets below are to be removed for Mbed TLS 4.0
865 scripts/config.py unset MBEDTLS_GCM_C
866 scripts/config.py unset MBEDTLS_CCM_C
867 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
868 #Disable TLS 1.3 (as no AEAD)
869 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
870 # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
871 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
872 # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
873 scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
874 # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
875 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
876 # Modules that depend on AEAD
877 scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
878 scripts/config.py unset MBEDTLS_SSL_TICKET_C
879
880 make
881
882 msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa"
883 make test
884
885 msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)"
886 tests/ssl-opt.sh -f "TLS 1.2"
887}
888
889# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
890# that we could use for interop testing. However, we now have sort of two
891# implementations ourselves: one using PSA, the other not. At least test that
892# these two interoperate with each other.
893component_test_tls1_2_ecjpake_compatibility() {
894 msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
895 scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
896 # Explicitly make lib first to avoid a race condition:
897 # https://github.com/Mbed-TLS/mbedtls/issues/8229
898 make lib
899 make -C programs ssl/ssl_server2 ssl/ssl_client2
900 cp programs/ssl/ssl_server2 s2_no_use_psa
901 cp programs/ssl/ssl_client2 c2_no_use_psa
902
903 msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
904 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
905 make clean
906 make lib
907 make -C programs ssl/ssl_server2 ssl/ssl_client2
908 make -C programs test/udp_proxy test/query_compile_time_config
909
910 msg "test: server w/o USE_PSA - client w/ USE_PSA, text password"
911 P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
912 msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password"
913 P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS"
914 msg "test: client w/o USE_PSA - server w/ USE_PSA, text password"
915 P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
916 msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password"
917 P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS"
918
919 rm s2_no_use_psa c2_no_use_psa
920}
921
922component_test_everest () {
923 msg "build: Everest ECDH context (ASan build)" # ~ 6 min
924 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
925 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan .
926 make
927
928 msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
929 make test
930
931 msg "test: metatests (clang, ASan)"
932 tests/scripts/run-metatests.sh any asan poison
933
934 msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
935 tests/ssl-opt.sh -f ECDH
936
937 msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
938 # Exclude some symmetric ciphers that are redundant here to gain time.
939 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
940}
941
942component_test_everest_curve25519_only () {
943 msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
944 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
945 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
946 scripts/config.py unset MBEDTLS_ECDSA_C
947 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
948 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
949 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
950 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
951 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
952 scripts/config.py unset MBEDTLS_ECJPAKE_C
953 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
954
955 # Disable all curves
956 scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
957 scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
958 scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
959
960 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
961
962 msg "test: Everest ECDH context, only Curve25519" # ~ 50s
963 make test
964}
965
966component_test_small_ssl_out_content_len () {
967 msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
968 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
969 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
970 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
971 make
972
973 msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
974 tests/ssl-opt.sh -f "Max fragment\|Large packet"
975}
976
977component_test_small_ssl_in_content_len () {
978 msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
979 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096
980 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
981 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
982 make
983
984 msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
985 tests/ssl-opt.sh -f "Max fragment"
986}
987
988component_test_small_ssl_dtls_max_buffering () {
989 msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0"
990 scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000
991 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
992 make
993
994 msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test"
995 tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg"
996}
997
998component_test_small_mbedtls_ssl_dtls_max_buffering () {
999 msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1"
1000 scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190
1001 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
1002 make
1003
1004 msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test"
1005 tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket"
1006}
1007
1008component_test_psa_collect_statuses () {
1009 msg "build+test: psa_collect_statuses" # ~30s
1010 scripts/config.py full
1011 tests/scripts/psa_collect_statuses.py
1012 # Check that psa_crypto_init() succeeded at least once
1013 grep -q '^0:psa_crypto_init:' tests/statuses.log
1014 rm -f tests/statuses.log
1015}
1016
1017component_test_full_cmake_clang () {
1018 msg "build: cmake, full config, clang" # ~ 50s
1019 scripts/config.py full
1020 CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 .
1021 make
1022
1023 msg "test: main suites (full config, clang)" # ~ 5s
1024 make test
1025
1026 msg "test: cpp_dummy_build (full config, clang)" # ~ 1s
1027 programs/test/cpp_dummy_build
1028
1029 msg "test: metatests (clang)"
1030 tests/scripts/run-metatests.sh any pthread
1031
1032 msg "program demos (full config, clang)" # ~10s
1033 tests/scripts/run_demos.py
1034
1035 msg "test: psa_constant_names (full config, clang)" # ~ 1s
1036 tests/scripts/test_psa_constant_names.py
1037
1038 msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
1039 tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
1040}
1041
1042skip_suites_without_constant_flow () {
1043 # Skip the test suites that don't have any constant-flow annotations.
1044 # This will need to be adjusted if we ever start declaring things as
1045 # secret from macros or functions inside tests/include or tests/src.
1046 SKIP_TEST_SUITES=$(
1047 git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' |
1048 sed 's/test_suite_//; s/\.function$//' |
1049 tr '\n' ,),$(
1050 git -C tf-psa-crypto/tests/suites grep -L TEST_CF_ 'test_suite_*.function' |
1051 sed 's/test_suite_//; s/\.function$//' |
1052 tr '\n' ,)
1053 export SKIP_TEST_SUITES
1054}
1055
1056skip_all_except_given_suite () {
1057 # Skip all but the given test suite
1058 SKIP_TEST_SUITES=$(
1059 ls -1 tests/suites/test_suite_*.function |
1060 grep -v $1.function |
1061 sed 's/tests.suites.test_suite_//; s/\.function$//' |
1062 tr '\n' ,),$(
1063 ls -1 tf-psa-crypto/tests/suites/test_suite_*.function |
1064 grep -v $1.function |
1065 sed 's/tf-psa-crypto.tests.suites.test_suite_//; s/\.function$//' |
1066 tr '\n' ,)
1067 export SKIP_TEST_SUITES
1068}
1069
1070component_test_memsan_constant_flow () {
1071 # This tests both (1) accesses to undefined memory, and (2) branches or
1072 # memory access depending on secret values. To distinguish between those:
1073 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
1074 # - or alternatively, change the build type to MemSanDbg, which enables
1075 # origin tracking and nicer stack traces (which are useful for debugging
1076 # anyway), and check if the origin was TEST_CF_SECRET() or something else.
1077 msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
1078 scripts/config.py full
1079 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
1080 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1081 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
1082 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
1083 make
1084
1085 msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)"
1086 make test
1087}
1088
1089component_test_memsan_constant_flow_psa () {
1090 # This tests both (1) accesses to undefined memory, and (2) branches or
1091 # memory access depending on secret values. To distinguish between those:
1092 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
1093 # - or alternatively, change the build type to MemSanDbg, which enables
1094 # origin tracking and nicer stack traces (which are useful for debugging
1095 # anyway), and check if the origin was TEST_CF_SECRET() or something else.
1096 msg "build: cmake MSan (clang), full config with constant flow testing"
1097 scripts/config.py full
1098 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
1099 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
1100 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
1101 make
1102
1103 msg "test: main suites (Msan + constant flow)"
1104 make test
1105}
1106
1107component_release_test_valgrind_constant_flow () {
1108 # This tests both (1) everything that valgrind's memcheck usually checks
1109 # (heap buffer overflows, use of uninitialized memory, use-after-free,
1110 # etc.) and (2) branches or memory access depending on secret values,
1111 # which will be reported as uninitialized memory. To distinguish between
1112 # secret and actually uninitialized:
1113 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
1114 # - or alternatively, build with debug info and manually run the offending
1115 # test suite with valgrind --track-origins=yes, then check if the origin
1116 # was TEST_CF_SECRET() or something else.
1117 msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
1118 scripts/config.py full
1119 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
1120 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1121 skip_suites_without_constant_flow
1122 cmake -D CMAKE_BUILD_TYPE:String=Release .
1123 make
1124
1125 # this only shows a summary of the results (how many of each type)
1126 # details are left in Testing/<date>/DynamicAnalysis.xml
1127 msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)"
1128 make memcheck
1129
1130 # Test asm path in constant time module - by default, it will test the plain C
1131 # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s)
1132 msg "test: valgrind asm constant_time"
1133 scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM
1134 skip_all_except_given_suite test_suite_constant_time
1135 cmake -D CMAKE_BUILD_TYPE:String=Release .
1136 make clean
1137 make
1138 make memcheck
1139}
1140
1141component_release_test_valgrind_constant_flow_psa () {
1142 # This tests both (1) everything that valgrind's memcheck usually checks
1143 # (heap buffer overflows, use of uninitialized memory, use-after-free,
1144 # etc.) and (2) branches or memory access depending on secret values,
1145 # which will be reported as uninitialized memory. To distinguish between
1146 # secret and actually uninitialized:
1147 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
1148 # - or alternatively, build with debug info and manually run the offending
1149 # test suite with valgrind --track-origins=yes, then check if the origin
1150 # was TEST_CF_SECRET() or something else.
1151 msg "build: cmake release GCC, full config with constant flow testing"
1152 scripts/config.py full
1153 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
1154 skip_suites_without_constant_flow
1155 cmake -D CMAKE_BUILD_TYPE:String=Release .
1156 make
1157
1158 # this only shows a summary of the results (how many of each type)
1159 # details are left in Testing/<date>/DynamicAnalysis.xml
1160 msg "test: some suites (valgrind + constant flow)"
1161 make memcheck
1162}
1163
1164component_test_tsan () {
1165 msg "build: TSan (clang)"
1166 scripts/config.py full
1167 scripts/config.py set MBEDTLS_THREADING_C
1168 scripts/config.py set MBEDTLS_THREADING_PTHREAD
1169 # Self-tests do not currently use multiple threads.
1170 scripts/config.py unset MBEDTLS_SELF_TEST
1171
1172 # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe.
1173 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
1174
1175 CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan .
1176 make
1177
1178 msg "test: main suites (TSan)"
1179 make test
1180}
1181
1182component_test_default_no_deprecated () {
1183 # Test that removing the deprecated features from the default
1184 # configuration leaves something consistent.
1185 msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s
1186 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
1187 make CFLAGS='-O -Werror -Wall -Wextra'
1188
1189 msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s
1190 make test
1191}
1192
1193component_test_full_no_deprecated () {
1194 msg "build: make, full_no_deprecated config" # ~ 30s
1195 scripts/config.py full_no_deprecated
1196 make CFLAGS='-O -Werror -Wall -Wextra'
1197
1198 msg "test: make, full_no_deprecated config" # ~ 5s
1199 make test
1200
1201 msg "test: ensure that X509 has no direct dependency on BIGNUM_C"
1202 not grep mbedtls_mpi library/libmbedx509.a
1203}
1204
1205component_test_full_no_deprecated_deprecated_warning () {
1206 # Test that there is nothing deprecated in "full_no_deprecated".
1207 # A deprecated feature would trigger a warning (made fatal) from
1208 # MBEDTLS_DEPRECATED_WARNING.
1209 msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s
1210 scripts/config.py full_no_deprecated
1211 scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
1212 scripts/config.py set MBEDTLS_DEPRECATED_WARNING
1213 make CFLAGS='-O -Werror -Wall -Wextra'
1214
1215 msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
1216 make test
1217}
1218
1219component_test_full_deprecated_warning () {
1220 # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes
1221 # with only certain whitelisted types of warnings.
1222 msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
1223 scripts/config.py full
1224 scripts/config.py set MBEDTLS_DEPRECATED_WARNING
1225 # Expect warnings from '#warning' directives in check_config.h.
1226 # Note that gcc is required to allow the use of -Wno-error=cpp, which allows us to
1227 # display #warning messages without them being treated as errors.
1228 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs
1229
1230 msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
1231 # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features.
1232 # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set.
1233 # Expect warnings from '#warning' directives in check_config.h and
1234 # from the use of deprecated functions in test suites.
1235 make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests
1236
1237 msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s
1238 make test
1239
1240 msg "program demos: full config + MBEDTLS_TEST_DEPRECATED" # ~10s
1241 tests/scripts/run_demos.py
1242}
1243
1244# Check that the specified libraries exist and are empty.
1245are_empty_libraries () {
1246 nm "$@" >/dev/null 2>/dev/null
1247 ! nm "$@" 2>/dev/null | grep -v ':$' | grep .
1248}
1249
1250component_build_crypto_default () {
1251 msg "build: make, crypto only"
1252 scripts/config.py crypto
1253 make CFLAGS='-O1 -Werror'
1254 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1255}
1256
1257component_build_crypto_full () {
1258 msg "build: make, crypto only, full config"
1259 scripts/config.py crypto_full
1260 make CFLAGS='-O1 -Werror'
1261 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1262}
1263
1264component_test_crypto_for_psa_service () {
1265 msg "build: make, config for PSA crypto service"
1266 scripts/config.py crypto
1267 scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
1268 # Disable things that are not needed for just cryptography, to
1269 # reach a configuration that would be typical for a PSA cryptography
1270 # service providing all implemented PSA algorithms.
1271 # System stuff
1272 scripts/config.py unset MBEDTLS_ERROR_C
1273 scripts/config.py unset MBEDTLS_TIMING_C
1274 scripts/config.py unset MBEDTLS_VERSION_FEATURES
1275 # Crypto stuff with no PSA interface
1276 scripts/config.py unset MBEDTLS_BASE64_C
1277 # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
1278 scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
1279 # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
1280 scripts/config.py unset MBEDTLS_NIST_KW_C
1281 scripts/config.py unset MBEDTLS_PEM_PARSE_C
1282 scripts/config.py unset MBEDTLS_PEM_WRITE_C
1283 scripts/config.py unset MBEDTLS_PKCS12_C
1284 scripts/config.py unset MBEDTLS_PKCS5_C
1285 # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
1286 # in PSA code to work with RSA keys. We don't require users to set those:
1287 # they will be reenabled in build_info.h.
1288 scripts/config.py unset MBEDTLS_PK_C
1289 scripts/config.py unset MBEDTLS_PK_PARSE_C
1290 scripts/config.py unset MBEDTLS_PK_WRITE_C
1291 make CFLAGS='-O1 -Werror' all test
1292 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1293}
1294
1295component_build_crypto_baremetal () {
1296 msg "build: make, crypto only, baremetal config"
1297 scripts/config.py crypto_baremetal
1298 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
1299 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1300}
1301support_build_crypto_baremetal () {
1302 support_build_baremetal "$@"
1303}
1304
1305component_build_baremetal () {
1306 msg "build: make, baremetal config"
1307 scripts/config.py baremetal
1308 make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
1309}
1310support_build_baremetal () {
1311 # Older Glibc versions include time.h from other headers such as stdlib.h,
1312 # which makes the no-time.h-in-baremetal check fail. Ubuntu 16.04 has this
1313 # problem, Ubuntu 18.04 is ok.
1314 ! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h
1315}
1316
1317# depends.py family of tests
1318component_test_depends_py_cipher_id () {
1319 msg "test/build: depends.py cipher_id (gcc)"
1320 tests/scripts/depends.py cipher_id --unset-use-psa
1321}
1322
1323component_test_depends_py_cipher_chaining () {
1324 msg "test/build: depends.py cipher_chaining (gcc)"
1325 tests/scripts/depends.py cipher_chaining --unset-use-psa
1326}
1327
1328component_test_depends_py_cipher_padding () {
1329 msg "test/build: depends.py cipher_padding (gcc)"
1330 tests/scripts/depends.py cipher_padding --unset-use-psa
1331}
1332
1333component_test_depends_py_curves () {
1334 msg "test/build: depends.py curves (gcc)"
1335 tests/scripts/depends.py curves --unset-use-psa
1336}
1337
1338component_test_depends_py_hashes () {
1339 msg "test/build: depends.py hashes (gcc)"
1340 tests/scripts/depends.py hashes --unset-use-psa
1341}
1342
1343component_test_depends_py_kex () {
1344 msg "test/build: depends.py kex (gcc)"
1345 tests/scripts/depends.py kex --unset-use-psa
1346}
1347
1348component_test_depends_py_pkalgs () {
1349 msg "test/build: depends.py pkalgs (gcc)"
1350 tests/scripts/depends.py pkalgs --unset-use-psa
1351}
1352
1353# PSA equivalents of the depends.py tests
1354component_test_depends_py_cipher_id_psa () {
1355 msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1356 tests/scripts/depends.py cipher_id
1357}
1358
1359component_test_depends_py_cipher_chaining_psa () {
1360 msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1361 tests/scripts/depends.py cipher_chaining
1362}
1363
1364component_test_depends_py_cipher_padding_psa () {
1365 msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1366 tests/scripts/depends.py cipher_padding
1367}
1368
1369component_test_depends_py_curves_psa () {
1370 msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1371 tests/scripts/depends.py curves
1372}
1373
1374component_test_depends_py_hashes_psa () {
1375 msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1376 tests/scripts/depends.py hashes
1377}
1378
1379component_test_depends_py_kex_psa () {
1380 msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1381 tests/scripts/depends.py kex
1382}
1383
1384component_test_depends_py_pkalgs_psa () {
1385 msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1386 tests/scripts/depends.py pkalgs
1387}
1388
1389component_test_psa_crypto_config_ffdh_2048_only () {
1390 msg "build: full config - only DH 2048"
1391
1392 scripts/config.py full
1393
1394 # Disable all DH groups other than 2048.
1395 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072
1396 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096
1397 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144
1398 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192
1399
1400 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS"
1401
1402 msg "test: full config - only DH 2048"
1403 make test
1404
1405 msg "ssl-opt: full config - only DH 2048"
1406 tests/ssl-opt.sh -f "ffdh"
1407}
1408
1409component_build_no_pk_rsa_alt_support () {
1410 msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s
1411
1412 scripts/config.py full
1413 scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT
1414 scripts/config.py set MBEDTLS_RSA_C
1415 scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
1416
1417 # Only compile - this is primarily to test for compile issues
1418 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
1419}
1420
1421component_build_module_alt () {
1422 msg "build: MBEDTLS_XXX_ALT" # ~30s
1423 scripts/config.py full
1424
1425 # Disable options that are incompatible with some ALT implementations:
1426 # aesni.c references mbedtls_aes_context fields directly.
1427 scripts/config.py unset MBEDTLS_AESNI_C
1428 scripts/config.py unset MBEDTLS_AESCE_C
1429 # MBEDTLS_ECP_RESTARTABLE is documented as incompatible.
1430 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1431 # You can only have one threading implementation: alt or pthread, not both.
1432 scripts/config.py unset MBEDTLS_THREADING_PTHREAD
1433 # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields
1434 # directly and assumes the implementation works with partial groups.
1435 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1436 # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*
1437 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
1438 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
1439 # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*
1440 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
1441 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
1442
1443 # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable
1444 # MBEDTLS_XXX_YYY_ALT which are for single functions.
1445 scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT'
1446
1447 # We can only compile, not link, since we don't have any implementations
1448 # suitable for testing with the dummy alt headers.
1449 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
1450}
1451
1452component_test_no_psa_crypto_full_cmake_asan() {
1453 # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh
1454 msg "build: cmake, full config minus PSA crypto, ASan"
1455 scripts/config.py full
1456 scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
1457 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
1458 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1459 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1460 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
1461 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
1462 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
1463 scripts/config.py unset MBEDTLS_LMS_C
1464 scripts/config.py unset MBEDTLS_LMS_PRIVATE
1465 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
1466 make
1467
1468 msg "test: main suites (full minus PSA crypto)"
1469 make test
1470
1471 # Note: ssl-opt.sh has some test cases that depend on
1472 # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO
1473 # This is the only component where those tests are not skipped.
1474 msg "test: ssl-opt.sh (full minus PSA crypto)"
1475 tests/ssl-opt.sh
1476
1477 # Note: the next two invocations cover all compat.sh test cases.
1478 # We should use the same here and in basic-build-test.sh.
1479 msg "test: compat.sh: default version (full minus PSA crypto)"
1480 tests/compat.sh -e 'ARIA\|CHACHA'
1481
1482 msg "test: compat.sh: next: ARIA, Chacha (full minus PSA crypto)"
1483 env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
1484}
1485
1486component_test_psa_crypto_config_accel_ecdsa () {
1487 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
1488
1489 # Algorithms and key types to accelerate
1490 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1491 $(helper_get_psa_key_type_list "ECC") \
1492 $(helper_get_psa_curve_list)"
1493
1494 # Configure
1495 # ---------
1496
1497 # Start from default config (no USE_PSA) + TLS 1.3
1498 helper_libtestdriver1_adjust_config "default"
1499
1500 # Disable the module that's accelerated
1501 scripts/config.py unset MBEDTLS_ECDSA_C
1502
1503 # Disable things that depend on it
1504 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
1505 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
1506
1507 # Build
1508 # -----
1509
1510 # These hashes are needed for some ECDSA signature tests.
1511 loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1512 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1513
1514 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1515
1516 helper_libtestdriver1_make_main "$loc_accel_list"
1517
1518 # Make sure this was not re-enabled by accident (additive config)
1519 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1520
1521 # Run the tests
1522 # -------------
1523
1524 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
1525 make test
1526}
1527
1528component_test_psa_crypto_config_accel_ecdh () {
1529 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
1530
1531 # Algorithms and key types to accelerate
1532 loc_accel_list="ALG_ECDH \
1533 $(helper_get_psa_key_type_list "ECC") \
1534 $(helper_get_psa_curve_list)"
1535
1536 # Configure
1537 # ---------
1538
1539 # Start from default config (no USE_PSA)
1540 helper_libtestdriver1_adjust_config "default"
1541
1542 # Disable the module that's accelerated
1543 scripts/config.py unset MBEDTLS_ECDH_C
1544
1545 # Disable things that depend on it
1546 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
1547 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
1548 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
1549 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
1550 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
1551
1552 # Build
1553 # -----
1554
1555 helper_libtestdriver1_make_drivers "$loc_accel_list"
1556
1557 helper_libtestdriver1_make_main "$loc_accel_list"
1558
1559 # Make sure this was not re-enabled by accident (additive config)
1560 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1561
1562 # Run the tests
1563 # -------------
1564
1565 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
1566 make test
1567}
1568
1569component_test_psa_crypto_config_accel_ffdh () {
1570 msg "build: full with accelerated FFDH"
1571
1572 # Algorithms and key types to accelerate
1573 loc_accel_list="ALG_FFDH \
1574 $(helper_get_psa_key_type_list "DH") \
1575 $(helper_get_psa_dh_group_list)"
1576
1577 # Configure
1578 # ---------
1579
1580 # start with full (USE_PSA and TLS 1.3)
1581 helper_libtestdriver1_adjust_config "full"
1582
1583 # Disable the module that's accelerated
1584 scripts/config.py unset MBEDTLS_DHM_C
1585
1586 # Disable things that depend on it
1587 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1588 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1589
1590 # Build
1591 # -----
1592
1593 helper_libtestdriver1_make_drivers "$loc_accel_list"
1594
1595 helper_libtestdriver1_make_main "$loc_accel_list"
1596
1597 # Make sure this was not re-enabled by accident (additive config)
1598 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
1599
1600 # Run the tests
1601 # -------------
1602
1603 msg "test: full with accelerated FFDH"
1604 make test
1605
1606 msg "ssl-opt: full with accelerated FFDH alg"
1607 tests/ssl-opt.sh -f "ffdh"
1608}
1609
1610component_test_psa_crypto_config_reference_ffdh () {
1611 msg "build: full with non-accelerated FFDH"
1612
1613 # Start with full (USE_PSA and TLS 1.3)
1614 helper_libtestdriver1_adjust_config "full"
1615
1616 # Disable things that are not supported
1617 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1618 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1619 make
1620
1621 msg "test suites: full with non-accelerated FFDH alg"
1622 make test
1623
1624 msg "ssl-opt: full with non-accelerated FFDH alg"
1625 tests/ssl-opt.sh -f "ffdh"
1626}
1627
1628component_test_psa_crypto_config_accel_pake() {
1629 msg "build: full with accelerated PAKE"
1630
1631 loc_accel_list="ALG_JPAKE \
1632 $(helper_get_psa_key_type_list "ECC") \
1633 $(helper_get_psa_curve_list)"
1634
1635 # Configure
1636 # ---------
1637
1638 helper_libtestdriver1_adjust_config "full"
1639
1640 # Make built-in fallback not available
1641 scripts/config.py unset MBEDTLS_ECJPAKE_C
1642 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1643
1644 # Build
1645 # -----
1646
1647 helper_libtestdriver1_make_drivers "$loc_accel_list"
1648
1649 helper_libtestdriver1_make_main "$loc_accel_list"
1650
1651 # Make sure this was not re-enabled by accident (additive config)
1652 not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o
1653
1654 # Run the tests
1655 # -------------
1656
1657 msg "test: full with accelerated PAKE"
1658 make test
1659}
1660
1661component_test_psa_crypto_config_accel_ecc_some_key_types () {
1662 msg "build: full with accelerated EC algs and some key types"
1663
1664 # Algorithms and key types to accelerate
1665 # For key types, use an explicitly list to omit GENERATE (and DERIVE)
1666 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1667 ALG_ECDH \
1668 ALG_JPAKE \
1669 KEY_TYPE_ECC_PUBLIC_KEY \
1670 KEY_TYPE_ECC_KEY_PAIR_BASIC \
1671 KEY_TYPE_ECC_KEY_PAIR_IMPORT \
1672 KEY_TYPE_ECC_KEY_PAIR_EXPORT \
1673 $(helper_get_psa_curve_list)"
1674
1675 # Configure
1676 # ---------
1677
1678 # start with config full for maximum coverage (also enables USE_PSA)
1679 helper_libtestdriver1_adjust_config "full"
1680
1681 # Disable modules that are accelerated - some will be re-enabled
1682 scripts/config.py unset MBEDTLS_ECDSA_C
1683 scripts/config.py unset MBEDTLS_ECDH_C
1684 scripts/config.py unset MBEDTLS_ECJPAKE_C
1685 scripts/config.py unset MBEDTLS_ECP_C
1686
1687 # Disable all curves - those that aren't accelerated should be re-enabled
1688 helper_disable_builtin_curves
1689
1690 # Restartable feature is not yet supported by PSA. Once it will in
1691 # the future, the following line could be removed (see issues
1692 # 6061, 6332 and following ones)
1693 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1694
1695 # this is not supported by the driver API yet
1696 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1697
1698 # Build
1699 # -----
1700
1701 # These hashes are needed for some ECDSA signature tests.
1702 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1703 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1704 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1705
1706 helper_libtestdriver1_make_main "$loc_accel_list"
1707
1708 # ECP should be re-enabled but not the others
1709 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1710 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1711 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1712 grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o
1713
1714 # Run the tests
1715 # -------------
1716
1717 msg "test suites: full with accelerated EC algs and some key types"
1718 make test
1719}
1720
1721# Run tests with only (non-)Weierstrass accelerated
1722# Common code used in:
1723# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves
1724# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves
1725common_test_psa_crypto_config_accel_ecc_some_curves () {
1726 weierstrass=$1
1727 if [ $weierstrass -eq 1 ]; then
1728 desc="Weierstrass"
1729 else
1730 desc="non-Weierstrass"
1731 fi
1732
1733 msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
1734
1735 # Note: Curves are handled in a special way by the libtestdriver machinery,
1736 # so we only want to include them in the accel list when building the main
1737 # libraries, hence the use of a separate variable.
1738 # Note: the following loop is a modified version of
1739 # helper_get_psa_curve_list that only keeps Weierstrass families.
1740 loc_weierstrass_list=""
1741 loc_non_weierstrass_list=""
1742 for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
1743 case $item in
1744 ECC_BRAINPOOL*|ECC_SECP*)
1745 loc_weierstrass_list="$loc_weierstrass_list $item"
1746 ;;
1747 *)
1748 loc_non_weierstrass_list="$loc_non_weierstrass_list $item"
1749 ;;
1750 esac
1751 done
1752 if [ $weierstrass -eq 1 ]; then
1753 loc_curve_list=$loc_weierstrass_list
1754 else
1755 loc_curve_list=$loc_non_weierstrass_list
1756 fi
1757
1758 # Algorithms and key types to accelerate
1759 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1760 ALG_ECDH \
1761 ALG_JPAKE \
1762 $(helper_get_psa_key_type_list "ECC") \
1763 $loc_curve_list"
1764
1765 # Configure
1766 # ---------
1767
1768 # Start with config crypto_full and remove PK_C:
1769 # that's what's supported now, see docs/driver-only-builds.md.
1770 helper_libtestdriver1_adjust_config "crypto_full"
1771 scripts/config.py unset MBEDTLS_PK_C
1772 scripts/config.py unset MBEDTLS_PK_PARSE_C
1773 scripts/config.py unset MBEDTLS_PK_WRITE_C
1774
1775 # Disable modules that are accelerated - some will be re-enabled
1776 scripts/config.py unset MBEDTLS_ECDSA_C
1777 scripts/config.py unset MBEDTLS_ECDH_C
1778 scripts/config.py unset MBEDTLS_ECJPAKE_C
1779 scripts/config.py unset MBEDTLS_ECP_C
1780
1781 # Disable all curves - those that aren't accelerated should be re-enabled
1782 helper_disable_builtin_curves
1783
1784 # Restartable feature is not yet supported by PSA. Once it will in
1785 # the future, the following line could be removed (see issues
1786 # 6061, 6332 and following ones)
1787 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1788
1789 # this is not supported by the driver API yet
1790 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1791
1792 # Build
1793 # -----
1794
1795 # These hashes are needed for some ECDSA signature tests.
1796 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1797 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1798 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1799
1800 helper_libtestdriver1_make_main "$loc_accel_list"
1801
1802 # We expect ECDH to be re-enabled for the missing curves
1803 grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1804 # We expect ECP to be re-enabled, however the parts specific to the
1805 # families of curves that are accelerated should be ommited.
1806 # - functions with mxz in the name are specific to Montgomery curves
1807 # - ecp_muladd is specific to Weierstrass curves
1808 ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms
1809 if [ $weierstrass -eq 1 ]; then
1810 not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
1811 grep mxz ${BUILTIN_SRC_PATH}/ecp.o
1812 else
1813 grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
1814 not grep mxz ${BUILTIN_SRC_PATH}/ecp.o
1815 fi
1816 # We expect ECDSA and ECJPAKE to be re-enabled only when
1817 # Weierstrass curves are not accelerated
1818 if [ $weierstrass -eq 1 ]; then
1819 not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1820 not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1821 else
1822 grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
1823 grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
1824 fi
1825
1826 # Run the tests
1827 # -------------
1828
1829 msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves"
1830 make test
1831}
1832
1833component_test_psa_crypto_config_accel_ecc_weierstrass_curves () {
1834 common_test_psa_crypto_config_accel_ecc_some_curves 1
1835}
1836
1837component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () {
1838 common_test_psa_crypto_config_accel_ecc_some_curves 0
1839}
1840
1841# Auxiliary function to build config for all EC based algorithms (EC-JPAKE,
1842# ECDH, ECDSA) with and without drivers.
1843# The input parameter is a boolean value which indicates:
1844# - 0 keep built-in EC algs,
1845# - 1 exclude built-in EC algs (driver only).
1846#
1847# This is used by the two following components to ensure they always use the
1848# same config, except for the use of driver or built-in EC algorithms:
1849# - component_test_psa_crypto_config_accel_ecc_ecp_light_only;
1850# - component_test_psa_crypto_config_reference_ecc_ecp_light_only.
1851# This supports comparing their test coverage with analyze_outcomes.py.
1852config_psa_crypto_config_ecp_light_only () {
1853 driver_only="$1"
1854 # start with config full for maximum coverage (also enables USE_PSA)
1855 helper_libtestdriver1_adjust_config "full"
1856 if [ "$driver_only" -eq 1 ]; then
1857 # Disable modules that are accelerated
1858 scripts/config.py unset MBEDTLS_ECDSA_C
1859 scripts/config.py unset MBEDTLS_ECDH_C
1860 scripts/config.py unset MBEDTLS_ECJPAKE_C
1861 scripts/config.py unset MBEDTLS_ECP_C
1862 fi
1863
1864 # Restartable feature is not yet supported by PSA. Once it will in
1865 # the future, the following line could be removed (see issues
1866 # 6061, 6332 and following ones)
1867 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1868}
1869
1870# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only
1871component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
1872 msg "build: full with accelerated EC algs"
1873
1874 # Algorithms and key types to accelerate
1875 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1876 ALG_ECDH \
1877 ALG_JPAKE \
1878 $(helper_get_psa_key_type_list "ECC") \
1879 $(helper_get_psa_curve_list)"
1880
1881 # Configure
1882 # ---------
1883
1884 # Use the same config as reference, only without built-in EC algs
1885 config_psa_crypto_config_ecp_light_only 1
1886
1887 # Do not disable builtin curves because that support is required for:
1888 # - MBEDTLS_PK_PARSE_EC_EXTENDED
1889 # - MBEDTLS_PK_PARSE_EC_COMPRESSED
1890
1891 # Build
1892 # -----
1893
1894 # These hashes are needed for some ECDSA signature tests.
1895 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1896 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
1897 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
1898
1899 helper_libtestdriver1_make_main "$loc_accel_list"
1900
1901 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
1902 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
1903 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
1904 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
1905 not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o
1906
1907 # Run the tests
1908 # -------------
1909
1910 msg "test suites: full with accelerated EC algs"
1911 make test
1912
1913 msg "ssl-opt: full with accelerated EC algs"
1914 tests/ssl-opt.sh
1915}
1916
1917# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only
1918component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
1919 msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs"
1920
1921 config_psa_crypto_config_ecp_light_only 0
1922
1923 make
1924
1925 msg "test suites: full with non-accelerated EC algs"
1926 make test
1927
1928 msg "ssl-opt: full with non-accelerated EC algs"
1929 tests/ssl-opt.sh
1930}
1931
1932# This helper function is used by:
1933# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all()
1934# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
1935# to ensure that both tests use the same underlying configuration when testing
1936# driver's coverage with analyze_outcomes.py.
1937#
1938# This functions accepts 1 boolean parameter as follows:
1939# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore
1940# excluding their built-in implementation as well as ECP_C & ECP_LIGHT
1941# - 0: include built-in implementation of EC algorithms.
1942#
1943# PK_C and RSA_C are always disabled to ensure there is no remaining dependency
1944# on the ECP module.
1945config_psa_crypto_no_ecp_at_all () {
1946 driver_only="$1"
1947 # start with full config for maximum coverage (also enables USE_PSA)
1948 helper_libtestdriver1_adjust_config "full"
1949
1950 if [ "$driver_only" -eq 1 ]; then
1951 # Disable modules that are accelerated
1952 scripts/config.py unset MBEDTLS_ECDSA_C
1953 scripts/config.py unset MBEDTLS_ECDH_C
1954 scripts/config.py unset MBEDTLS_ECJPAKE_C
1955 # Disable ECP module (entirely)
1956 scripts/config.py unset MBEDTLS_ECP_C
1957 fi
1958
1959 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
1960 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1961 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
1962 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
1963
1964 # Restartable feature is not yet supported by PSA. Once it will in
1965 # the future, the following line could be removed (see issues
1966 # 6061, 6332 and following ones)
1967 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1968}
1969
1970# Build and test a configuration where driver accelerates all EC algs while
1971# all support and dependencies from ECP and ECP_LIGHT are removed on the library
1972# side.
1973#
1974# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
1975component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
1976 msg "build: full + accelerated EC algs - ECP"
1977
1978 # Algorithms and key types to accelerate
1979 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
1980 ALG_ECDH \
1981 ALG_JPAKE \
1982 $(helper_get_psa_key_type_list "ECC") \
1983 $(helper_get_psa_curve_list)"
1984
1985 # Configure
1986 # ---------
1987
1988 # Set common configurations between library's and driver's builds
1989 config_psa_crypto_no_ecp_at_all 1
1990 # Disable all the builtin curves. All the required algs are accelerated.
1991 helper_disable_builtin_curves
1992
1993 # Build
1994 # -----
1995
1996 # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
1997 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic.
1998 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
1999 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2000
2001 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
2002
2003 helper_libtestdriver1_make_main "$loc_accel_list"
2004
2005 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
2006 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
2007 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
2008 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
2009 # Also ensure that ECP module was not re-enabled
2010 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
2011
2012 # Run the tests
2013 # -------------
2014
2015 msg "test: full + accelerated EC algs - ECP"
2016 make test
2017
2018 msg "ssl-opt: full + accelerated EC algs - ECP"
2019 tests/ssl-opt.sh
2020}
2021
2022# Reference function used for driver's coverage analysis in analyze_outcomes.py
2023# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all().
2024# Keep in sync with its accelerated counterpart.
2025component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
2026 msg "build: full + non accelerated EC algs"
2027
2028 config_psa_crypto_no_ecp_at_all 0
2029
2030 make
2031
2032 msg "test: full + non accelerated EC algs"
2033 make test
2034
2035 msg "ssl-opt: full + non accelerated EC algs"
2036 tests/ssl-opt.sh
2037}
2038
2039# This is a common configuration helper used directly from:
2040# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
2041# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
2042# and indirectly from:
2043# - component_test_psa_crypto_config_accel_ecc_no_bignum
2044# - accelerate all EC algs, disable RSA and FFDH
2045# - component_test_psa_crypto_config_reference_ecc_no_bignum
2046# - this is the reference component of the above
2047# - it still disables RSA and FFDH, but it uses builtin EC algs
2048# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
2049# - accelerate all EC and FFDH algs, disable only RSA
2050# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
2051# - this is the reference component of the above
2052# - it still disables RSA, but it uses builtin EC and FFDH algs
2053#
2054# This function accepts 2 parameters:
2055# $1: a boolean value which states if we are testing an accelerated scenario
2056# or not.
2057# $2: a string value which states which components are tested. Allowed values
2058# are "ECC" or "ECC_DH".
2059config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
2060 driver_only="$1"
2061 test_target="$2"
2062 # start with full config for maximum coverage (also enables USE_PSA)
2063 helper_libtestdriver1_adjust_config "full"
2064
2065 if [ "$driver_only" -eq 1 ]; then
2066 # Disable modules that are accelerated
2067 scripts/config.py unset MBEDTLS_ECDSA_C
2068 scripts/config.py unset MBEDTLS_ECDH_C
2069 scripts/config.py unset MBEDTLS_ECJPAKE_C
2070 # Disable ECP module (entirely)
2071 scripts/config.py unset MBEDTLS_ECP_C
2072 # Also disable bignum
2073 scripts/config.py unset MBEDTLS_BIGNUM_C
2074 fi
2075
2076 # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
2077 scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
2078 scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
2079 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
2080
2081 # RSA support is intentionally disabled on this test because RSA_C depends
2082 # on BIGNUM_C.
2083 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
2084 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
2085 scripts/config.py unset MBEDTLS_RSA_C
2086 scripts/config.py unset MBEDTLS_PKCS1_V15
2087 scripts/config.py unset MBEDTLS_PKCS1_V21
2088 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
2089 # Also disable key exchanges that depend on RSA
2090 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
2091 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
2092 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
2093 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2094 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2095
2096 if [ "$test_target" = "ECC" ]; then
2097 # When testing ECC only, we disable FFDH support, both from builtin and
2098 # PSA sides, and also disable the key exchanges that depend on DHM.
2099 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH
2100 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"
2101 scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*"
2102 scripts/config.py unset MBEDTLS_DHM_C
2103 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
2104 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
2105 else
2106 # When testing ECC and DH instead, we disable DHM and depending key
2107 # exchanges only in the accelerated build
2108 if [ "$driver_only" -eq 1 ]; then
2109 scripts/config.py unset MBEDTLS_DHM_C
2110 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
2111 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
2112 fi
2113 fi
2114
2115 # Restartable feature is not yet supported by PSA. Once it will in
2116 # the future, the following line could be removed (see issues
2117 # 6061, 6332 and following ones)
2118 scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
2119}
2120
2121# Common helper used by:
2122# - component_test_psa_crypto_config_accel_ecc_no_bignum
2123# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum
2124#
2125# The goal is to build and test accelerating either:
2126# - ECC only or
2127# - both ECC and FFDH
2128#
2129# It is meant to be used in conjunction with
2130# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers
2131# coverage analysis in the "analyze_outcomes.py" script.
2132common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
2133 test_target="$1"
2134
2135 # This is an internal helper to simplify text message handling
2136 if [ "$test_target" = "ECC_DH" ]; then
2137 accel_text="ECC/FFDH"
2138 removed_text="ECP - DH"
2139 else
2140 accel_text="ECC"
2141 removed_text="ECP"
2142 fi
2143
2144 msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
2145
2146 # By default we accelerate all EC keys/algs
2147 loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
2148 ALG_ECDH \
2149 ALG_JPAKE \
2150 $(helper_get_psa_key_type_list "ECC") \
2151 $(helper_get_psa_curve_list)"
2152 # Optionally we can also add DH to the list of accelerated items
2153 if [ "$test_target" = "ECC_DH" ]; then
2154 loc_accel_list="$loc_accel_list \
2155 ALG_FFDH \
2156 $(helper_get_psa_key_type_list "DH") \
2157 $(helper_get_psa_dh_group_list)"
2158 fi
2159
2160 # Configure
2161 # ---------
2162
2163 # Set common configurations between library's and driver's builds
2164 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
2165 # Disable all the builtin curves. All the required algs are accelerated.
2166 helper_disable_builtin_curves
2167
2168 # Build
2169 # -----
2170
2171 # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
2172 # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic.
2173 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2174 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2175
2176 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
2177
2178 helper_libtestdriver1_make_main "$loc_accel_list"
2179
2180 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
2181 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
2182 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
2183 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
2184 # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled
2185 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
2186 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
2187 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
2188 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
2189
2190 # Run the tests
2191 # -------------
2192
2193 msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
2194
2195 make test
2196
2197 msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
2198 tests/ssl-opt.sh
2199}
2200
2201# Common helper used by:
2202# - component_test_psa_crypto_config_reference_ecc_no_bignum
2203# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum
2204#
2205# The goal is to build and test a reference scenario (i.e. with builtin
2206# components) compared to the ones used in
2207# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above.
2208#
2209# It is meant to be used in conjunction with
2210# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers'
2211# coverage analysis in "analyze_outcomes.py" script.
2212common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
2213 test_target="$1"
2214
2215 # This is an internal helper to simplify text message handling
2216 if [ "$test_target" = "ECC_DH" ]; then
2217 accel_text="ECC/FFDH"
2218 else
2219 accel_text="ECC"
2220 fi
2221
2222 msg "build: full + non accelerated $accel_text algs + USE_PSA"
2223
2224 config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
2225
2226 make
2227
2228 msg "test suites: full + non accelerated EC algs + USE_PSA"
2229 make test
2230
2231 msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA"
2232 tests/ssl-opt.sh
2233}
2234
2235component_test_psa_crypto_config_accel_ecc_no_bignum () {
2236 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC"
2237}
2238
2239component_test_psa_crypto_config_reference_ecc_no_bignum () {
2240 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC"
2241}
2242
2243component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
2244 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH"
2245}
2246
2247component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
2248 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH"
2249}
2250
2251# Helper for setting common configurations between:
2252# - component_test_tfm_config_p256m_driver_accel_ec()
2253# - component_test_tfm_config()
2254common_tfm_config () {
2255 # Enable TF-M config
2256 cp configs/config-tfm.h "$CONFIG_H"
2257 echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H"
2258 cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
2259
2260 # Other config adjustment to make the tests pass.
2261 # This should probably be adopted upstream.
2262 #
2263 # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS
2264 echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H"
2265
2266 # Config adjustment for better test coverage in our environment.
2267 # This is not needed just to build and pass tests.
2268 #
2269 # Enable filesystem I/O for the benefit of PK parse/write tests.
2270 echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H"
2271}
2272
2273# Keep this in sync with component_test_tfm_config() as they are both meant
2274# to be used in analyze_outcomes.py for driver's coverage analysis.
2275component_test_tfm_config_p256m_driver_accel_ec () {
2276 msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
2277
2278 common_tfm_config
2279
2280 # Build crypto library
2281 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS"
2282
2283 # Make sure any built-in EC alg was not re-enabled by accident (additive config)
2284 not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
2285 not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
2286 not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
2287 # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled
2288 not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
2289 not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
2290 not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
2291 not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
2292 # Check that p256m was built
2293 grep -q p256_ecdsa_ library/libmbedcrypto.a
2294
2295 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
2296 # files, so we want to ensure that it has not be re-enabled accidentally.
2297 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2298
2299 # Run the tests
2300 msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
2301 make test
2302}
2303
2304# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as
2305# they are both meant to be used in analyze_outcomes.py for driver's coverage
2306# analysis.
2307component_test_tfm_config() {
2308 common_tfm_config
2309
2310 # Disable P256M driver, which is on by default, so that analyze_outcomes
2311 # can compare this test with test_tfm_config_p256m_driver_accel_ec
2312 echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H"
2313
2314 msg "build: TF-M config"
2315 make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests
2316
2317 # Check that p256m was not built
2318 not grep p256_ecdsa_ library/libmbedcrypto.a
2319
2320 # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
2321 # files, so we want to ensure that it has not be re-enabled accidentally.
2322 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2323
2324 msg "test: TF-M config"
2325 make test
2326}
2327
2328# Common helper for component_full_without_ecdhe_ecdsa() and
2329# component_full_without_ecdhe_ecdsa_and_tls13() which:
2330# - starts from the "full" configuration minus the list of symbols passed in
2331# as 1st parameter
2332# - build
2333# - test only TLS (i.e. test_suite_tls and ssl-opt)
2334build_full_minus_something_and_test_tls () {
2335 symbols_to_disable="$1"
2336
2337 msg "build: full minus something, test TLS"
2338
2339 scripts/config.py full
2340 for sym in $symbols_to_disable; do
2341 echo "Disabling $sym"
2342 scripts/config.py unset $sym
2343 done
2344
2345 make
2346
2347 msg "test: full minus something, test TLS"
2348 ( cd tests; ./test_suite_ssl )
2349
2350 msg "ssl-opt: full minus something, test TLS"
2351 tests/ssl-opt.sh
2352}
2353
2354component_full_without_ecdhe_ecdsa () {
2355 build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
2356}
2357
2358component_full_without_ecdhe_ecdsa_and_tls13 () {
2359 build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2360 MBEDTLS_SSL_PROTO_TLS1_3"
2361}
2362
2363# This is an helper used by:
2364# - component_test_psa_ecc_key_pair_no_derive
2365# - component_test_psa_ecc_key_pair_no_generate
2366# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols
2367# enabled, but one. Input arguments are as follows:
2368# - $1 is the key type under test, i.e. ECC/RSA/DH
2369# - $2 is the key option to be unset (i.e. generate, derive, etc)
2370build_and_test_psa_want_key_pair_partial() {
2371 key_type=$1
2372 unset_option=$2
2373 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
2374
2375 msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
2376 scripts/config.py full
2377 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2378 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2379
2380 # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
2381 # crypto_config.h so we just disable the one we don't want.
2382 scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
2383
2384 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2385
2386 msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
2387 make test
2388}
2389
2390component_test_psa_ecc_key_pair_no_derive() {
2391 build_and_test_psa_want_key_pair_partial "ECC" "DERIVE"
2392}
2393
2394component_test_psa_ecc_key_pair_no_generate() {
2395 build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
2396}
2397
2398config_psa_crypto_accel_rsa () {
2399 driver_only=$1
2400
2401 # Start from crypto_full config (no X.509, no TLS)
2402 helper_libtestdriver1_adjust_config "crypto_full"
2403
2404 if [ "$driver_only" -eq 1 ]; then
2405 # Remove RSA support and its dependencies
2406 scripts/config.py unset MBEDTLS_RSA_C
2407 scripts/config.py unset MBEDTLS_PKCS1_V15
2408 scripts/config.py unset MBEDTLS_PKCS1_V21
2409
2410 # We need PEM parsing in the test library as well to support the import
2411 # of PEM encoded RSA keys.
2412 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
2413 scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
2414 fi
2415}
2416
2417component_test_psa_crypto_config_accel_rsa_crypto () {
2418 msg "build: crypto_full with accelerated RSA"
2419
2420 loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \
2421 ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \
2422 KEY_TYPE_RSA_PUBLIC_KEY \
2423 KEY_TYPE_RSA_KEY_PAIR_BASIC \
2424 KEY_TYPE_RSA_KEY_PAIR_GENERATE \
2425 KEY_TYPE_RSA_KEY_PAIR_IMPORT \
2426 KEY_TYPE_RSA_KEY_PAIR_EXPORT"
2427
2428 # Configure
2429 # ---------
2430
2431 config_psa_crypto_accel_rsa 1
2432
2433 # Build
2434 # -----
2435
2436 # These hashes are needed for unit tests.
2437 loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2438 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5"
2439 helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
2440
2441 helper_libtestdriver1_make_main "$loc_accel_list"
2442
2443 # Make sure this was not re-enabled by accident (additive config)
2444 not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o
2445
2446 # Run the tests
2447 # -------------
2448
2449 msg "test: crypto_full with accelerated RSA"
2450 make test
2451}
2452
2453component_test_psa_crypto_config_reference_rsa_crypto () {
2454 msg "build: crypto_full with non-accelerated RSA"
2455
2456 # Configure
2457 # ---------
2458 config_psa_crypto_accel_rsa 0
2459
2460 # Build
2461 # -----
2462 make
2463
2464 # Run the tests
2465 # -------------
2466 msg "test: crypto_full with non-accelerated RSA"
2467 make test
2468}
2469
2470# This is a temporary test to verify that full RSA support is present even when
2471# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
2472component_test_new_psa_want_key_pair_symbol() {
2473 msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
2474
2475 # Create a temporary output file unless there is already one set
2476 if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
2477 REMOVE_OUTCOME_ON_EXIT="no"
2478 else
2479 REMOVE_OUTCOME_ON_EXIT="yes"
2480 MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv"
2481 export MBEDTLS_TEST_OUTCOME_FILE
2482 fi
2483
2484 # Start from crypto configuration
2485 scripts/config.py crypto
2486
2487 # Remove RSA support and its dependencies
2488 scripts/config.py unset MBEDTLS_PKCS1_V15
2489 scripts/config.py unset MBEDTLS_PKCS1_V21
2490 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
2491 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2492 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2493 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
2494 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
2495 scripts/config.py unset MBEDTLS_RSA_C
2496 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
2497
2498 # Enable PSA support
2499 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2500
2501 # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
2502 # that proper translations is done in crypto_legacy.h.
2503 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
2504 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
2505 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
2506
2507 make
2508
2509 msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
2510 make test
2511
2512 # Parse only 1 relevant line from the outcome file, i.e. a test which is
2513 # performing RSA signature.
2514 msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS"
2515 cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS"
2516
2517 if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then
2518 rm $MBEDTLS_TEST_OUTCOME_FILE
2519 fi
2520}
2521
2522component_test_psa_crypto_config_accel_hash () {
2523 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
2524
2525 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
2526 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2527 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2528
2529 # Configure
2530 # ---------
2531
2532 # Start from default config (no USE_PSA)
2533 helper_libtestdriver1_adjust_config "default"
2534
2535 # Disable the things that are being accelerated
2536 scripts/config.py unset MBEDTLS_MD5_C
2537 scripts/config.py unset MBEDTLS_RIPEMD160_C
2538 scripts/config.py unset MBEDTLS_SHA1_C
2539 scripts/config.py unset MBEDTLS_SHA224_C
2540 scripts/config.py unset MBEDTLS_SHA256_C
2541 scripts/config.py unset MBEDTLS_SHA384_C
2542 scripts/config.py unset MBEDTLS_SHA512_C
2543 scripts/config.py unset MBEDTLS_SHA3_C
2544
2545 # Build
2546 # -----
2547
2548 helper_libtestdriver1_make_drivers "$loc_accel_list"
2549
2550 helper_libtestdriver1_make_main "$loc_accel_list"
2551
2552 # There's a risk of something getting re-enabled via config_psa.h;
2553 # make sure it did not happen. Note: it's OK for MD_C to be enabled.
2554 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
2555 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
2556 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
2557 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
2558 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
2559
2560 # Run the tests
2561 # -------------
2562
2563 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
2564 make test
2565}
2566
2567# Auxiliary function to build config for hashes with and without drivers
2568config_psa_crypto_hash_use_psa () {
2569 driver_only="$1"
2570 # start with config full for maximum coverage (also enables USE_PSA)
2571 helper_libtestdriver1_adjust_config "full"
2572 if [ "$driver_only" -eq 1 ]; then
2573 # disable the built-in implementation of hashes
2574 scripts/config.py unset MBEDTLS_MD5_C
2575 scripts/config.py unset MBEDTLS_RIPEMD160_C
2576 scripts/config.py unset MBEDTLS_SHA1_C
2577 scripts/config.py unset MBEDTLS_SHA224_C
2578 scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
2579 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
2580 scripts/config.py unset MBEDTLS_SHA384_C
2581 scripts/config.py unset MBEDTLS_SHA512_C
2582 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
2583 scripts/config.py unset MBEDTLS_SHA3_C
2584 fi
2585}
2586
2587# Note that component_test_psa_crypto_config_reference_hash_use_psa
2588# is related to this component and both components need to be kept in sync.
2589# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
2590component_test_psa_crypto_config_accel_hash_use_psa () {
2591 msg "test: full with accelerated hashes"
2592
2593 loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
2594 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2595 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2596
2597 # Configure
2598 # ---------
2599
2600 config_psa_crypto_hash_use_psa 1
2601
2602 # Build
2603 # -----
2604
2605 helper_libtestdriver1_make_drivers "$loc_accel_list"
2606
2607 helper_libtestdriver1_make_main "$loc_accel_list"
2608
2609 # There's a risk of something getting re-enabled via config_psa.h;
2610 # make sure it did not happen. Note: it's OK for MD_C to be enabled.
2611 not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
2612 not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
2613 not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
2614 not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
2615 not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
2616
2617 # Run the tests
2618 # -------------
2619
2620 msg "test: full with accelerated hashes"
2621 make test
2622
2623 # This is mostly useful so that we can later compare outcome files with
2624 # the reference config in analyze_outcomes.py, to check that the
2625 # dependency declarations in ssl-opt.sh and in TLS code are correct.
2626 msg "test: ssl-opt.sh, full with accelerated hashes"
2627 tests/ssl-opt.sh
2628
2629 # This is to make sure all ciphersuites are exercised, but we don't need
2630 # interop testing (besides, we already got some from ssl-opt.sh).
2631 msg "test: compat.sh, full with accelerated hashes"
2632 tests/compat.sh -p mbedTLS -V YES
2633}
2634
2635# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
2636# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py
2637# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt).
2638# Both components need to be kept in sync.
2639component_test_psa_crypto_config_reference_hash_use_psa() {
2640 msg "test: full without accelerated hashes"
2641
2642 config_psa_crypto_hash_use_psa 0
2643
2644 make
2645
2646 msg "test: full without accelerated hashes"
2647 make test
2648
2649 msg "test: ssl-opt.sh, full without accelerated hashes"
2650 tests/ssl-opt.sh
2651}
2652
2653# Auxiliary function to build config for hashes with and without drivers
2654config_psa_crypto_hmac_use_psa () {
2655 driver_only="$1"
2656 # start with config full for maximum coverage (also enables USE_PSA)
2657 helper_libtestdriver1_adjust_config "full"
2658
2659 if [ "$driver_only" -eq 1 ]; then
2660 # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
2661 # is still enabled though (for ENTROPY_C among others).
2662 scripts/config.py unset MBEDTLS_MD_C
2663 # Disable also the builtin hashes since they are supported by the driver
2664 # and MD module is able to perform PSA dispathing.
2665 scripts/config.py unset-all MBEDTLS_SHA
2666 scripts/config.py unset MBEDTLS_MD5_C
2667 scripts/config.py unset MBEDTLS_RIPEMD160_C
2668 fi
2669
2670 # Direct dependencies of MD_C. We disable them also in the reference
2671 # component to work with the same set of features.
2672 scripts/config.py unset MBEDTLS_PKCS7_C
2673 scripts/config.py unset MBEDTLS_PKCS5_C
2674 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
2675 scripts/config.py unset MBEDTLS_HKDF_C
2676 # Dependencies of HMAC_DRBG
2677 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
2678 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
2679}
2680
2681component_test_psa_crypto_config_accel_hmac() {
2682 msg "test: full with accelerated hmac"
2683
2684 loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \
2685 ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
2686 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
2687 ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
2688
2689 # Configure
2690 # ---------
2691
2692 config_psa_crypto_hmac_use_psa 1
2693
2694 # Build
2695 # -----
2696
2697 helper_libtestdriver1_make_drivers "$loc_accel_list"
2698
2699 helper_libtestdriver1_make_main "$loc_accel_list"
2700
2701 # Ensure that built-in support for HMAC is disabled.
2702 not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
2703
2704 # Run the tests
2705 # -------------
2706
2707 msg "test: full with accelerated hmac"
2708 make test
2709}
2710
2711component_test_psa_crypto_config_reference_hmac() {
2712 msg "test: full without accelerated hmac"
2713
2714 config_psa_crypto_hmac_use_psa 0
2715
2716 make
2717
2718 msg "test: full without accelerated hmac"
2719 make test
2720}
2721
2722component_test_psa_crypto_config_accel_des () {
2723 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
2724
2725 # Albeit this components aims at accelerating DES which should only support
2726 # CBC and ECB modes, we need to accelerate more than that otherwise DES_C
2727 # would automatically be re-enabled by "config_adjust_legacy_from_psa.c"
2728 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \
2729 ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \
2730 KEY_TYPE_DES"
2731
2732 # Note: we cannot accelerate all ciphers' key types otherwise we would also
2733 # have to either disable CCM/GCM or accelerate them, but that's out of scope
2734 # of this component. This limitation will be addressed by #8598.
2735
2736 # Configure
2737 # ---------
2738
2739 # Start from the full config
2740 helper_libtestdriver1_adjust_config "full"
2741
2742 # Disable the things that are being accelerated
2743 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2744 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
2745 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
2746 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
2747 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
2748 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2749 scripts/config.py unset MBEDTLS_DES_C
2750 scripts/config.py unset MBEDTLS_CMAC_C
2751
2752 # Build
2753 # -----
2754
2755 helper_libtestdriver1_make_drivers "$loc_accel_list"
2756
2757 helper_libtestdriver1_make_main "$loc_accel_list"
2758
2759 # Make sure this was not re-enabled by accident (additive config)
2760 not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o
2761
2762 # Run the tests
2763 # -------------
2764
2765 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
2766 make test
2767}
2768
2769component_test_psa_crypto_config_accel_aead () {
2770 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2771
2772 loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \
2773 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2774
2775 # Configure
2776 # ---------
2777
2778 # Start from full config
2779 helper_libtestdriver1_adjust_config "full"
2780
2781 # Disable things that are being accelerated
2782 scripts/config.py unset MBEDTLS_GCM_C
2783 scripts/config.py unset MBEDTLS_CCM_C
2784 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2785
2786 # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
2787 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
2788
2789 # Build
2790 # -----
2791
2792 helper_libtestdriver1_make_drivers "$loc_accel_list"
2793
2794 helper_libtestdriver1_make_main "$loc_accel_list"
2795
2796 # Make sure this was not re-enabled by accident (additive config)
2797 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
2798 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
2799 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
2800
2801 # Run the tests
2802 # -------------
2803
2804 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2805 make test
2806}
2807
2808# This is a common configuration function used in:
2809# - component_test_psa_crypto_config_accel_cipher_aead_cmac
2810# - component_test_psa_crypto_config_reference_cipher_aead_cmac
2811common_psa_crypto_config_accel_cipher_aead_cmac() {
2812 # Start from the full config
2813 helper_libtestdriver1_adjust_config "full"
2814
2815 scripts/config.py unset MBEDTLS_NIST_KW_C
2816}
2817
2818# The 2 following test components, i.e.
2819# - component_test_psa_crypto_config_accel_cipher_aead_cmac
2820# - component_test_psa_crypto_config_reference_cipher_aead_cmac
2821# are meant to be used together in analyze_outcomes.py script in order to test
2822# driver's coverage for ciphers and AEADs.
2823component_test_psa_crypto_config_accel_cipher_aead_cmac () {
2824 msg "build: full config with accelerated cipher inc. AEAD and CMAC"
2825
2826 loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
2827 ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
2828 ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \
2829 KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"
2830
2831 # Configure
2832 # ---------
2833
2834 common_psa_crypto_config_accel_cipher_aead_cmac
2835
2836 # Disable the things that are being accelerated
2837 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2838 scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
2839 scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
2840 scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
2841 scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
2842 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2843 scripts/config.py unset MBEDTLS_GCM_C
2844 scripts/config.py unset MBEDTLS_CCM_C
2845 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2846 scripts/config.py unset MBEDTLS_CMAC_C
2847 scripts/config.py unset MBEDTLS_DES_C
2848 scripts/config.py unset MBEDTLS_AES_C
2849 scripts/config.py unset MBEDTLS_ARIA_C
2850 scripts/config.py unset MBEDTLS_CHACHA20_C
2851 scripts/config.py unset MBEDTLS_CAMELLIA_C
2852
2853 # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
2854 # does not depend on it.
2855 scripts/config.py unset MBEDTLS_CIPHER_C
2856
2857 # Build
2858 # -----
2859
2860 helper_libtestdriver1_make_drivers "$loc_accel_list"
2861
2862 helper_libtestdriver1_make_main "$loc_accel_list"
2863
2864 # Make sure this was not re-enabled by accident (additive config)
2865 not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
2866 not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
2867 not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o
2868 not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o
2869 not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o
2870 not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
2871 not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
2872 not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
2873 not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o
2874
2875 # Run the tests
2876 # -------------
2877
2878 msg "test: full config with accelerated cipher inc. AEAD and CMAC"
2879 make test
2880
2881 msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC"
2882 tests/ssl-opt.sh
2883
2884 msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC"
2885 tests/compat.sh -V NO -p mbedTLS
2886}
2887
2888component_test_psa_crypto_config_reference_cipher_aead_cmac () {
2889 msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
2890 common_psa_crypto_config_accel_cipher_aead_cmac
2891
2892 make
2893
2894 msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
2895 make test
2896
2897 msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC"
2898 tests/ssl-opt.sh
2899
2900 msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC"
2901 tests/compat.sh -V NO -p mbedTLS
2902}
2903
2904common_block_cipher_dispatch() {
2905 TEST_WITH_DRIVER="$1"
2906
2907 # Start from the full config
2908 helper_libtestdriver1_adjust_config "full"
2909
2910 if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
2911 # Disable key types that are accelerated (there is no legacy equivalent
2912 # symbol for ECB)
2913 scripts/config.py unset MBEDTLS_AES_C
2914 scripts/config.py unset MBEDTLS_ARIA_C
2915 scripts/config.py unset MBEDTLS_CAMELLIA_C
2916 fi
2917
2918 # Disable cipher's modes that, when not accelerated, cause
2919 # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
2920 # Keep this also in the reference component in order to skip the same tests
2921 # that were skipped in the accelerated one.
2922 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
2923 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
2924 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
2925 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
2926 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
2927 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
2928 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
2929 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
2930
2931 # Disable direct dependency on AES_C
2932 scripts/config.py unset MBEDTLS_NIST_KW_C
2933
2934 # Prevent the cipher module from using deprecated PSA path. The reason is
2935 # that otherwise there will be tests relying on "aes_info" (defined in
2936 # "cipher_wrap.c") whose functions are not available when AES_C is
2937 # not defined. ARIA and Camellia are not a problem in this case because
2938 # the PSA path is not tested for these key types.
2939 scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
2940}
2941
2942component_test_full_block_cipher_psa_dispatch () {
2943 msg "build: full + PSA dispatch in block_cipher"
2944
2945 loc_accel_list="ALG_ECB_NO_PADDING \
2946 KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2947
2948 # Configure
2949 # ---------
2950
2951 common_block_cipher_dispatch 1
2952
2953 # Build
2954 # -----
2955
2956 helper_libtestdriver1_make_drivers "$loc_accel_list"
2957
2958 helper_libtestdriver1_make_main "$loc_accel_list"
2959
2960 # Make sure disabled components were not re-enabled by accident (additive
2961 # config)
2962 not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o
2963 not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o
2964 not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o
2965
2966 # Run the tests
2967 # -------------
2968
2969 msg "test: full + PSA dispatch in block_cipher"
2970 make test
2971}
2972
2973# This is the reference component of component_test_full_block_cipher_psa_dispatch
2974component_test_full_block_cipher_legacy_dispatch () {
2975 msg "build: full + legacy dispatch in block_cipher"
2976
2977 common_block_cipher_dispatch 0
2978
2979 make
2980
2981 msg "test: full + legacy dispatch in block_cipher"
2982 make test
2983}
2984
2985component_test_aead_chachapoly_disabled() {
2986 msg "build: full minus CHACHAPOLY"
2987 scripts/config.py full
2988 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2989 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
2990 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
2991
2992 msg "test: full minus CHACHAPOLY"
2993 make test
2994}
2995
2996component_test_aead_only_ccm() {
2997 msg "build: full minus CHACHAPOLY and GCM"
2998 scripts/config.py full
2999 scripts/config.py unset MBEDTLS_CHACHAPOLY_C
3000 scripts/config.py unset MBEDTLS_GCM_C
3001 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
3002 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
3003 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
3004
3005 msg "test: full minus CHACHAPOLY and GCM"
3006 make test
3007}
3008
3009component_test_ccm_aes_sha256() {
3010 msg "build: CCM + AES + SHA256 configuration"
3011
3012 cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H"
3013 cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H"
3014
3015 make
3016
3017 msg "test: CCM + AES + SHA256 configuration"
3018 make test
3019}
3020
3021support_build_tfm_armcc () {
3022 support_build_armcc
3023}
3024
3025component_build_tfm_armcc() {
3026 # test the TF-M configuration can build cleanly with various warning flags enabled
3027 cp configs/config-tfm.h "$CONFIG_H"
3028
3029 msg "build: TF-M config, armclang armv7-m thumb2"
3030 armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe"
3031}
3032
3033component_build_tfm() {
3034 # Check that the TF-M configuration can build cleanly with various
3035 # warning flags enabled. We don't build or run tests, since the
3036 # TF-M configuration needs a TF-M platform. A tweaked version of
3037 # the configuration that works on mainstream platforms is in
3038 # configs/config-tfm.h, tested via test-ref-configs.pl.
3039 cp configs/config-tfm.h "$CONFIG_H"
3040
3041 msg "build: TF-M config, clang, armv7-m thumb2"
3042 make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe"
3043
3044 msg "build: TF-M config, gcc native build"
3045 make clean
3046 make lib CC="gcc" CFLAGS="-Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wformat-signedness -Wlogical-op -I../tests/include/spe"
3047}
3048
3049# Test that the given .o file builds with all (valid) combinations of the given options.
3050#
3051# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ...
3052#
3053# The validator function is the name of a function to validate the combination of options.
3054# It may be "" if all combinations are valid.
3055# It receives a string containing a combination of options, as passed to the compiler,
3056# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid.
3057build_test_config_combos() {
3058 file=$1
3059 shift
3060 validate_options=$1
3061 shift
3062 options=("$@")
3063
3064 # clear all of the options so that they can be overridden on the clang commandline
3065 for opt in "${options[@]}"; do
3066 ./scripts/config.py unset ${opt}
3067 done
3068
3069 # enter the library directory
3070 cd library
3071
3072 # The most common issue is unused variables/functions, so ensure -Wunused is set.
3073 warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused"
3074
3075 # Extract the command generated by the Makefile to build the target file.
3076 # This ensures that we have any include paths, macro definitions, etc
3077 # that may be applied by make.
3078 # Add -fsyntax-only as we only want a syntax check and don't need to generate a file.
3079 compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c"
3080
3081 makefile=$(TMPDIR=. mktemp)
3082 deps=""
3083
3084 len=${#options[@]}
3085 source_file=../${file%.o}.c
3086
3087 targets=0
3088 echo 'include Makefile' >${makefile}
3089
3090 for ((i = 0; i < $((2**${len})); i++)); do
3091 # generate each of 2^n combinations of options
3092 # each bit of $i is used to determine if options[i] will be set or not
3093 target="t"
3094 clang_args=""
3095 for ((j = 0; j < ${len}; j++)); do
3096 if (((i >> j) & 1)); then
3097 opt=-D${options[$j]}
3098 clang_args="${clang_args} ${opt}"
3099 target="${target}${opt}"
3100 fi
3101 done
3102
3103 # if combination is not known to be invalid, add it to the makefile
3104 if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then
3105 cmd="${compile_cmd} ${clang_args}"
3106 echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile}
3107
3108 deps="${deps} ${target}"
3109 ((++targets))
3110 fi
3111 done
3112
3113 echo "build_test_config_combos: ${deps}" >> ${makefile}
3114
3115 # execute all of the commands via Make (probably in parallel)
3116 make -s -f ${makefile} build_test_config_combos
3117 echo "$targets targets checked"
3118
3119 # clean up the temporary makefile
3120 rm ${makefile}
3121}
3122
3123validate_aes_config_variations() {
3124 if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then
3125 if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \
3126 ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then
3127 return 1
3128 fi
3129 fi
3130 return 0
3131}
3132
3133component_build_aes_variations() {
3134 # 18s - around 90ms per clang invocation on M1 Pro
3135 #
3136 # aes.o has many #if defined(...) guards that intersect in complex ways.
3137 # Test that all the combinations build cleanly.
3138
3139 MBEDTLS_ROOT_DIR="$PWD"
3140 msg "build: aes.o for all combinations of relevant config options"
3141
3142 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
3143 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
3144 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
3145 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
3146 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
3147
3148 cd "$MBEDTLS_ROOT_DIR"
3149 msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT"
3150
3151 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES,
3152 # manually set or unset those configurations to check
3153 # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
3154 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
3155 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3156 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
3157 scripts/config.py unset MBEDTLS_DES_C
3158 scripts/config.py unset MBEDTLS_NIST_KW_C
3159 build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
3160 "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
3161 "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
3162 "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
3163 "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
3164}
3165
3166component_test_no_platform () {
3167 # Full configuration build, without platform support, file IO and net sockets.
3168 # This should catch missing mbedtls_printf definitions, and by disabling file
3169 # IO, it should catch missing '#include <stdio.h>'
3170 msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
3171 scripts/config.py full_no_platform
3172 scripts/config.py unset MBEDTLS_PLATFORM_C
3173 scripts/config.py unset MBEDTLS_NET_C
3174 scripts/config.py unset MBEDTLS_FS_IO
3175 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
3176 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
3177 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
3178 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
3179 # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
3180 # to re-enable platform integration features otherwise disabled in C99 builds
3181 make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
3182 make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test
3183}
3184
3185component_build_no_std_function () {
3186 # catch compile bugs in _uninit functions
3187 msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
3188 scripts/config.py full
3189 scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
3190 scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
3191 scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
3192 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check .
3193 make
3194}
3195
3196component_build_no_ssl_srv () {
3197 msg "build: full config except SSL server, make, gcc" # ~ 30s
3198 scripts/config.py full
3199 scripts/config.py unset MBEDTLS_SSL_SRV_C
3200 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
3201}
3202
3203component_build_no_ssl_cli () {
3204 msg "build: full config except SSL client, make, gcc" # ~ 30s
3205 scripts/config.py full
3206 scripts/config.py unset MBEDTLS_SSL_CLI_C
3207 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
3208}
3209
3210component_build_no_sockets () {
3211 # Note, C99 compliance can also be tested with the sockets support disabled,
3212 # as that requires a POSIX platform (which isn't the same as C99).
3213 msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
3214 scripts/config.py full
3215 scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
3216 scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
3217 make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
3218}
3219
3220component_test_memory_buffer_allocator_backtrace () {
3221 msg "build: default config with memory buffer allocator and backtrace enabled"
3222 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3223 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3224 scripts/config.py set MBEDTLS_MEMORY_BACKTRACE
3225 scripts/config.py set MBEDTLS_MEMORY_DEBUG
3226 cmake -DCMAKE_BUILD_TYPE:String=Release .
3227 make
3228
3229 msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE"
3230 make test
3231}
3232
3233component_test_memory_buffer_allocator () {
3234 msg "build: default config with memory buffer allocator"
3235 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3236 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3237 cmake -DCMAKE_BUILD_TYPE:String=Release .
3238 make
3239
3240 msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C"
3241 make test
3242
3243 msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C"
3244 # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out.
3245 tests/ssl-opt.sh -e '^DTLS proxy'
3246}
3247
3248component_test_no_max_fragment_length () {
3249 # Run max fragment length tests with MFL disabled
3250 msg "build: default config except MFL extension (ASan build)" # ~ 30s
3251 scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3252 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3253 make
3254
3255 msg "test: ssl-opt.sh, MFL-related tests"
3256 tests/ssl-opt.sh -f "Max fragment length"
3257}
3258
3259component_test_asan_remove_peer_certificate () {
3260 msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
3261 scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
3262 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3263 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3264 make
3265
3266 msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3267 make test
3268
3269 msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3270 tests/ssl-opt.sh
3271
3272 msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3273 tests/compat.sh
3274
3275 msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3276 tests/context-info.sh
3277}
3278
3279component_test_no_max_fragment_length_small_ssl_out_content_len () {
3280 msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
3281 scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3282 scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
3283 scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
3284 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3285 make
3286
3287 msg "test: MFL tests (disabled MFL extension case) & large packet tests"
3288 tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
3289
3290 msg "test: context-info.sh (disabled MFL extension case)"
3291 tests/context-info.sh
3292}
3293
3294component_test_variable_ssl_in_out_buffer_len () {
3295 msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)"
3296 scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
3297 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3298 make
3299
3300 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3301 make test
3302
3303 msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3304 tests/ssl-opt.sh
3305
3306 msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3307 tests/compat.sh
3308}
3309
3310component_test_dtls_cid_legacy () {
3311 msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
3312 scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
3313
3314 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3315 make
3316
3317 msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
3318 make test
3319
3320 msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
3321 tests/ssl-opt.sh
3322
3323 msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
3324 tests/compat.sh
3325}
3326
3327component_test_ssl_alloc_buffer_and_mfl () {
3328 msg "build: default config with memory buffer allocator and MFL extension"
3329 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3330 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3331 scripts/config.py set MBEDTLS_MEMORY_DEBUG
3332 scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3333 scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
3334 cmake -DCMAKE_BUILD_TYPE:String=Release .
3335 make
3336
3337 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
3338 make test
3339
3340 msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
3341 tests/ssl-opt.sh -f "Handshake memory usage"
3342}
3343
3344component_test_when_no_ciphersuites_have_mac () {
3345 msg "build: when no ciphersuites have MAC"
3346 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3347 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
3348 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
3349 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
3350 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
3351
3352 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
3353 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3354 scripts/config.py unset MBEDTLS_CMAC_C
3355
3356 make
3357
3358 msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
3359 make test
3360
3361 msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
3362 tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM'
3363}
3364
3365component_test_no_date_time () {
3366 msg "build: default config without MBEDTLS_HAVE_TIME_DATE"
3367 scripts/config.py unset MBEDTLS_HAVE_TIME_DATE
3368 cmake -D CMAKE_BUILD_TYPE:String=Check .
3369 make
3370
3371 msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites"
3372 make test
3373}
3374
3375component_test_platform_calloc_macro () {
3376 msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
3377 scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3378 scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
3379 scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO free
3380 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3381 make
3382
3383 msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
3384 make test
3385}
3386
3387component_test_malloc_0_null () {
3388 msg "build: malloc(0) returns NULL (ASan+UBSan build)"
3389 scripts/config.py full
3390 make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
3391
3392 msg "test: malloc(0) returns NULL (ASan+UBSan build)"
3393 make test
3394
3395 msg "selftest: malloc(0) returns NULL (ASan+UBSan build)"
3396 # Just the calloc selftest. "make test" ran the others as part of the
3397 # test suites.
3398 programs/test/selftest calloc
3399
3400 msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)"
3401 # Run a subset of the tests. The choice is a balance between coverage
3402 # and time (including time indirectly wasted due to flaky tests).
3403 # The current choice is to skip tests whose description includes
3404 # "proxy", which is an approximation of skipping tests that use the
3405 # UDP proxy, which tend to be slower and flakier.
3406 tests/ssl-opt.sh -e 'proxy'
3407}
3408
3409support_test_aesni() {
3410 # Check that gcc targets x86_64 (we can build AESNI), and check for
3411 # AESNI support on the host (we can run AESNI).
3412 #
3413 # The name of this function is possibly slightly misleading, but needs to align
3414 # with the name of the corresponding test, component_test_aesni.
3415 #
3416 # In principle 32-bit x86 can support AESNI, but our implementation does not
3417 # support 32-bit x86, so we check for x86-64.
3418 # We can only grep /proc/cpuinfo on Linux, so this also checks for Linux
3419 (gcc -v 2>&1 | grep Target | grep -q x86_64) &&
3420 [[ "$HOSTTYPE" == "x86_64" && "$OSTYPE" == "linux-gnu" ]] &&
3421 (lscpu | grep -qw aes)
3422}
3423
3424component_test_aesni () { # ~ 60s
3425 # This tests the two AESNI implementations (intrinsics and assembly), and also the plain C
3426 # fallback. It also tests the logic that is used to select which implementation(s) to build.
3427 #
3428 # This test does not require the host to have support for AESNI (if it doesn't, the run-time
3429 # AESNI detection will fallback to the plain C implementation, so the tests will instead
3430 # exercise the plain C impl).
3431
3432 msg "build: default config with different AES implementations"
3433 scripts/config.py set MBEDTLS_AESNI_C
3434 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3435 scripts/config.py set MBEDTLS_HAVE_ASM
3436
3437 # test the intrinsics implementation
3438 msg "AES tests, test intrinsics"
3439 make clean
3440 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes'
3441 # check that we built intrinsics - this should be used by default when supported by the compiler
3442 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
3443
3444 # test the asm implementation
3445 msg "AES tests, test assembly"
3446 make clean
3447 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes'
3448 # check that we built assembly - this should be built if the compiler does not support intrinsics
3449 ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly"
3450
3451 # test the plain C implementation
3452 scripts/config.py unset MBEDTLS_AESNI_C
3453 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3454 msg "AES tests, plain C"
3455 make clean
3456 make CC=gcc CFLAGS='-O2 -Werror'
3457 # check that there is no AESNI code present
3458 ./programs/test/selftest aes | not grep -q "AESNI code"
3459 not grep -q "AES note: using AESNI" ./programs/test/selftest
3460 grep -q "AES note: built-in implementation." ./programs/test/selftest
3461
3462 # test the intrinsics implementation
3463 scripts/config.py set MBEDTLS_AESNI_C
3464 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3465 msg "AES tests, test AESNI only"
3466 make clean
3467 make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes'
3468 ./programs/test/selftest aes | grep -q "AES note: using AESNI"
3469 ./programs/test/selftest aes | not grep -q "AES note: built-in implementation."
3470 grep -q "AES note: using AESNI" ./programs/test/selftest
3471 not grep -q "AES note: built-in implementation." ./programs/test/selftest
3472}
3473
3474component_test_sha3_variations() {
3475 msg "sha3 loop unroll variations"
3476
3477 # define minimal config sufficient to test SHA3
3478 cat > include/mbedtls/mbedtls_config.h << END
3479 #define MBEDTLS_SELF_TEST
3480 #define MBEDTLS_SHA3_C
3481END
3482
3483 msg "all loops unrolled"
3484 make clean
3485 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1"
3486 ./tf-psa-crypto/tests/test_suite_shax
3487
3488 msg "all loops rolled up"
3489 make clean
3490 make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0"
3491 ./tf-psa-crypto/tests/test_suite_shax
3492}
3493
3494support_test_aesni_m32() {
3495 support_test_m32_no_asm && (lscpu | grep -qw aes)
3496}
3497
3498component_test_aesni_m32 () { # ~ 60s
3499 # This tests are duplicated from component_test_aesni for i386 target
3500 #
3501 # AESNI intrinsic code supports i386 and assembly code does not support it.
3502
3503 msg "build: default config with different AES implementations"
3504 scripts/config.py set MBEDTLS_AESNI_C
3505 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3506 scripts/config.py set MBEDTLS_HAVE_ASM
3507
3508 # test the intrinsics implementation with gcc
3509 msg "AES tests, test intrinsics (gcc)"
3510 make clean
3511 make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32'
3512 # check that we built intrinsics - this should be used by default when supported by the compiler
3513 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
3514 grep -q "AES note: using AESNI" ./programs/test/selftest
3515 grep -q "AES note: built-in implementation." ./programs/test/selftest
3516 grep -q mbedtls_aesni_has_support ./programs/test/selftest
3517
3518 scripts/config.py set MBEDTLS_AESNI_C
3519 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3520 msg "AES tests, test AESNI only"
3521 make clean
3522 make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32'
3523 ./programs/test/selftest aes | grep -q "AES note: using AESNI"
3524 ./programs/test/selftest aes | not grep -q "AES note: built-in implementation."
3525 grep -q "AES note: using AESNI" ./programs/test/selftest
3526 not grep -q "AES note: built-in implementation." ./programs/test/selftest
3527 not grep -q mbedtls_aesni_has_support ./programs/test/selftest
3528}
3529
3530support_test_aesni_m32_clang() {
3531 # clang >= 4 is required to build with target attributes
3532 support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]]
3533}
3534
3535component_test_aesni_m32_clang() {
3536
3537 scripts/config.py set MBEDTLS_AESNI_C
3538 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3539 scripts/config.py set MBEDTLS_HAVE_ASM
3540
3541 # test the intrinsics implementation with clang
3542 msg "AES tests, test intrinsics (clang)"
3543 make clean
3544 make CC=clang CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32'
3545 # check that we built intrinsics - this should be used by default when supported by the compiler
3546 ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
3547 grep -q "AES note: using AESNI" ./programs/test/selftest
3548 grep -q "AES note: built-in implementation." ./programs/test/selftest
3549 grep -q mbedtls_aesni_has_support ./programs/test/selftest
3550}
3551
3552# For timebeing, no aarch64 gcc available in CI and no arm64 CI node.
3553component_build_aes_aesce_armcc () {
3554 msg "Build: AESCE test on arm64 platform without plain C."
3555 scripts/config.py baremetal
3556
3557 # armc[56] don't support SHA-512 intrinsics
3558 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
3559
3560 # Stop armclang warning about feature detection for A64_CRYPTO.
3561 # With this enabled, the library does build correctly under armclang,
3562 # but in baremetal builds (as tested here), feature detection is
3563 # unavailable, and the user is notified via a #warning. So enabling
3564 # this feature would prevent us from building with -Werror on
3565 # armclang. Tracked in #7198.
3566 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3567 scripts/config.py set MBEDTLS_HAVE_ASM
3568
3569 msg "AESCE, build with default configuration."
3570 scripts/config.py set MBEDTLS_AESCE_C
3571 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3572 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
3573
3574 msg "AESCE, build AESCE only"
3575 scripts/config.py set MBEDTLS_AESCE_C
3576 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3577 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
3578}
3579
3580support_build_aes_armce() {
3581 # clang >= 11 is required to build with AES extensions
3582 [[ $(clang_version) -ge 11 ]]
3583}
3584
3585component_build_aes_armce () {
3586 # Test variations of AES with Armv8 crypto extensions
3587 scripts/config.py set MBEDTLS_AESCE_C
3588 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3589
3590 msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
3591 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
3592
3593 msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
3594 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
3595
3596 msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
3597 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3598
3599 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3600
3601 msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
3602 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
3603
3604 msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
3605 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
3606
3607 msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
3608 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3609
3610 # test for presence of AES instructions
3611 scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
3612 msg "clang, test A32 crypto instructions built"
3613 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3614 grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3615 msg "clang, test T32 crypto instructions built"
3616 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3617 grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3618 msg "clang, test aarch64 crypto instructions built"
3619 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3620 grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3621
3622 # test for absence of AES instructions
3623 scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
3624 scripts/config.py unset MBEDTLS_AESCE_C
3625 msg "clang, test A32 crypto instructions not built"
3626 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3627 not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3628 msg "clang, test T32 crypto instructions not built"
3629 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3630 not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3631 msg "clang, test aarch64 crypto instructions not built"
3632 make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3633 not grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
3634}
3635
3636support_build_sha_armce() {
3637 # clang >= 4 is required to build with SHA extensions
3638 [[ $(clang_version) -ge 4 ]]
3639}
3640
3641component_build_sha_armce () {
3642 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3643
3644
3645 # Test variations of SHA256 Armv8 crypto extensions
3646 scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
3647 msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64"
3648 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
3649 msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm"
3650 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
3651 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
3652
3653
3654 # test the deprecated form of the config option
3655 scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
3656 msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb"
3657 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3658 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
3659
3660 scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3661 msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64"
3662 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
3663 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
3664
3665
3666 # test the deprecated form of the config option
3667 scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3668 msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm"
3669 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
3670 msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb"
3671 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
3672 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3673
3674
3675 # examine the disassembly for presence of SHA instructions
3676 for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do
3677 scripts/config.py set ${opt}
3678 msg "${opt} clang, test A32 crypto instructions built"
3679 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3680 grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3681
3682 msg "${opt} clang, test T32 crypto instructions built"
3683 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3684 grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3685
3686 msg "${opt} clang, test aarch64 crypto instructions built"
3687 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3688 grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3689 scripts/config.py unset ${opt}
3690 done
3691
3692
3693 # examine the disassembly for absence of SHA instructions
3694 msg "clang, test A32 crypto instructions not built"
3695 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
3696 not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3697
3698 msg "clang, test T32 crypto instructions not built"
3699 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
3700 not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3701
3702 msg "clang, test aarch64 crypto instructions not built"
3703 make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
3704 not grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
3705}
3706
3707support_build_aes_aesce_armcc () {
3708 support_build_armcc
3709}
3710
3711component_test_aes_only_128_bit_keys () {
3712 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH"
3713 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
3714
3715 make CFLAGS='-O2 -Werror -Wall -Wextra'
3716
3717 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH"
3718 make test
3719}
3720
3721component_test_no_ctr_drbg_aes_only_128_bit_keys () {
3722 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
3723 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
3724 scripts/config.py unset MBEDTLS_CTR_DRBG_C
3725
3726 make CC=clang CFLAGS='-Werror -Wall -Wextra'
3727
3728 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
3729 make test
3730}
3731
3732component_test_aes_only_128_bit_keys_have_builtins () {
3733 msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
3734 scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
3735 scripts/config.py unset MBEDTLS_AESNI_C
3736 scripts/config.py unset MBEDTLS_AESCE_C
3737
3738 make CFLAGS='-O2 -Werror -Wall -Wextra'
3739
3740 msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
3741 make test
3742
3743 msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
3744 programs/test/selftest
3745}
3746
3747component_test_gcm_largetable () {
3748 msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C"
3749 scripts/config.py set MBEDTLS_GCM_LARGE_TABLE
3750 scripts/config.py unset MBEDTLS_AESNI_C
3751 scripts/config.py unset MBEDTLS_AESCE_C
3752
3753 make CFLAGS='-O2 -Werror -Wall -Wextra'
3754
3755 msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C"
3756 make test
3757}
3758
3759component_test_aes_fewer_tables () {
3760 msg "build: default config with AES_FEWER_TABLES enabled"
3761 scripts/config.py set MBEDTLS_AES_FEWER_TABLES
3762 make CFLAGS='-O2 -Werror -Wall -Wextra'
3763
3764 msg "test: AES_FEWER_TABLES"
3765 make test
3766}
3767
3768component_test_aes_rom_tables () {
3769 msg "build: default config with AES_ROM_TABLES enabled"
3770 scripts/config.py set MBEDTLS_AES_ROM_TABLES
3771 make CFLAGS='-O2 -Werror -Wall -Wextra'
3772
3773 msg "test: AES_ROM_TABLES"
3774 make test
3775}
3776
3777component_test_aes_fewer_tables_and_rom_tables () {
3778 msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled"
3779 scripts/config.py set MBEDTLS_AES_FEWER_TABLES
3780 scripts/config.py set MBEDTLS_AES_ROM_TABLES
3781 make CFLAGS='-O2 -Werror -Wall -Wextra'
3782
3783 msg "test: AES_FEWER_TABLES + AES_ROM_TABLES"
3784 make test
3785}
3786
3787# helper for common_block_cipher_no_decrypt() which:
3788# - enable/disable the list of config options passed from -s/-u respectively.
3789# - build
3790# - test for tests_suite_xxx
3791# - selftest
3792#
3793# Usage: helper_block_cipher_no_decrypt_build_test
3794# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]]
3795# Options: -s set_opts the list of config options to enable
3796# -u unset_opts the list of config options to disable
3797# -c cflags the list of options passed to CFLAGS
3798# -l ldflags the list of options passed to LDFLAGS
3799helper_block_cipher_no_decrypt_build_test () {
3800 while [ $# -gt 0 ]; do
3801 case "$1" in
3802 -s)
3803 shift; local set_opts="$1";;
3804 -u)
3805 shift; local unset_opts="$1";;
3806 -c)
3807 shift; local cflags="-Werror -Wall -Wextra $1";;
3808 -l)
3809 shift; local ldflags="$1";;
3810 esac
3811 shift
3812 done
3813 set_opts="${set_opts:-}"
3814 unset_opts="${unset_opts:-}"
3815 cflags="${cflags:-}"
3816 ldflags="${ldflags:-}"
3817
3818 [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts
3819 [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts
3820
3821 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
3822 make clean
3823 make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags"
3824
3825 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
3826 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
3827 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
3828 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
3829 # Make sure we don't have mbedtls_internal_aes_decrypt in AES
3830 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
3831 # Make sure we don't have mbedtls_aesni_inverse_key in AESNI
3832 not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o
3833
3834 msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
3835 make test
3836
3837 msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
3838 programs/test/selftest
3839}
3840
3841# This is a common configuration function used in:
3842# - component_test_block_cipher_no_decrypt_aesni_legacy()
3843# - component_test_block_cipher_no_decrypt_aesni_use_psa()
3844# in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics,
3845# AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics
3846# on x86.
3847common_block_cipher_no_decrypt () {
3848 # test AESNI intrinsics
3849 helper_block_cipher_no_decrypt_build_test \
3850 -s "MBEDTLS_AESNI_C" \
3851 -c "-mpclmul -msse2 -maes"
3852
3853 # test AESNI assembly
3854 helper_block_cipher_no_decrypt_build_test \
3855 -s "MBEDTLS_AESNI_C" \
3856 -c "-mno-pclmul -mno-sse2 -mno-aes"
3857
3858 # test AES C implementation
3859 helper_block_cipher_no_decrypt_build_test \
3860 -u "MBEDTLS_AESNI_C"
3861
3862 # test AESNI intrinsics for i386 target
3863 helper_block_cipher_no_decrypt_build_test \
3864 -s "MBEDTLS_AESNI_C" \
3865 -c "-m32 -mpclmul -msse2 -maes" \
3866 -l "-m32"
3867}
3868
3869# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
3870# usage: 0: no PSA crypto configuration
3871# 1: use PSA crypto configuration
3872config_block_cipher_no_decrypt () {
3873 use_psa=$1
3874
3875 scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
3876 scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3877 scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
3878 scripts/config.py unset MBEDTLS_DES_C
3879 scripts/config.py unset MBEDTLS_NIST_KW_C
3880
3881 if [ "$use_psa" -eq 1 ]; then
3882 # Enable support for cryptographic mechanisms through the PSA API.
3883 # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
3884 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3885 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
3886 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
3887 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
3888 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
3889 fi
3890}
3891
3892component_test_block_cipher_no_decrypt_aesni () {
3893 # This consistently causes an llvm crash on clang 3.8, so use gcc
3894 export CC=gcc
3895 config_block_cipher_no_decrypt 0
3896 common_block_cipher_no_decrypt
3897}
3898
3899component_test_block_cipher_no_decrypt_aesni_use_psa () {
3900 # This consistently causes an llvm crash on clang 3.8, so use gcc
3901 export CC=gcc
3902 config_block_cipher_no_decrypt 1
3903 common_block_cipher_no_decrypt
3904}
3905
3906support_test_block_cipher_no_decrypt_aesce_armcc () {
3907 support_build_armcc
3908}
3909
3910component_test_block_cipher_no_decrypt_aesce_armcc () {
3911 scripts/config.py baremetal
3912
3913 # armc[56] don't support SHA-512 intrinsics
3914 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
3915
3916 # Stop armclang warning about feature detection for A64_CRYPTO.
3917 # With this enabled, the library does build correctly under armclang,
3918 # but in baremetal builds (as tested here), feature detection is
3919 # unavailable, and the user is notified via a #warning. So enabling
3920 # this feature would prevent us from building with -Werror on
3921 # armclang. Tracked in #7198.
3922 scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3923 scripts/config.py set MBEDTLS_HAVE_ASM
3924
3925 config_block_cipher_no_decrypt 1
3926
3927 # test AESCE baremetal build
3928 scripts/config.py set MBEDTLS_AESCE_C
3929 msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE"
3930 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra"
3931
3932 # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
3933 not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
3934 not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
3935 not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
3936 # Make sure we don't have mbedtls_internal_aes_decrypt in AES
3937 not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
3938 # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE
3939 not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o
3940 not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
3941}
3942
3943component_test_ctr_drbg_aes_256_sha_256 () {
3944 msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3945 scripts/config.py full
3946 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3947 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
3948 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3949 make
3950
3951 msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3952 make test
3953}
3954
3955component_test_ctr_drbg_aes_128_sha_512 () {
3956 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
3957 scripts/config.py full
3958 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3959 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
3960 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3961 make
3962
3963 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
3964 make test
3965}
3966
3967component_test_ctr_drbg_aes_128_sha_256 () {
3968 msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3969 scripts/config.py full
3970 scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3971 scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
3972 scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
3973 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
3974 make
3975
3976 msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3977 make test
3978}
3979
3980component_test_se_default () {
3981 msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C"
3982 scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C
3983 make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS"
3984
3985 msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C"
3986 make test
3987}
3988
3989component_test_psa_crypto_drivers () {
3990 msg "build: full + test drivers dispatching to builtins"
3991 scripts/config.py full
3992 scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG
3993 loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL"
3994 loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
3995 loc_cflags="${loc_cflags} -I../tests/include -O2"
3996
3997 make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
3998
3999 msg "test: full + test drivers dispatching to builtins"
4000 make test
4001}
4002
4003component_test_make_shared () {
4004 msg "build/test: make shared" # ~ 40s
4005 make SHARED=1 all check
4006 ldd programs/util/strerror | grep libmbedcrypto
4007 programs/test/dlopen_demo.sh
4008}
4009
4010component_test_cmake_shared () {
4011 msg "build/test: cmake shared" # ~ 2min
4012 cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
4013 make
4014 ldd programs/util/strerror | grep libmbedcrypto
4015 make test
4016 programs/test/dlopen_demo.sh
4017}
4018
4019test_build_opt () {
4020 info=$1 cc=$2; shift 2
4021 $cc --version
4022 for opt in "$@"; do
4023 msg "build/test: $cc $opt, $info" # ~ 30s
4024 make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror"
4025 # We're confident enough in compilers to not run _all_ the tests,
4026 # but at least run the unit tests. In particular, runs with
4027 # optimizations use inline assembly whereas runs with -O0
4028 # skip inline assembly.
4029 make test # ~30s
4030 make clean
4031 done
4032}
4033
4034# For FreeBSD we invoke the function by name so this condition is added
4035# to disable the existing test_clang_opt function for linux.
4036if [[ $(uname) != "Linux" ]]; then
4037 component_test_clang_opt () {
4038 scripts/config.py full
4039 test_build_opt 'full config' clang -O0 -Os -O2
4040 }
4041fi
4042
4043component_test_clang_latest_opt () {
4044 scripts/config.py full
4045 test_build_opt 'full config' "$CLANG_LATEST" -O0 -Os -O2
4046}
4047support_test_clang_latest_opt () {
4048 type "$CLANG_LATEST" >/dev/null 2>/dev/null
4049}
4050
4051component_test_clang_earliest_opt () {
4052 scripts/config.py full
4053 test_build_opt 'full config' "$CLANG_EARLIEST" -O0
4054}
4055support_test_clang_earliest_opt () {
4056 type "$CLANG_EARLIEST" >/dev/null 2>/dev/null
4057}
4058
4059component_test_gcc_latest_opt () {
4060 scripts/config.py full
4061 test_build_opt 'full config' "$GCC_LATEST" -O0 -Os -O2
4062}
4063support_test_gcc_latest_opt () {
4064 type "$GCC_LATEST" >/dev/null 2>/dev/null
4065}
4066
4067component_test_gcc_earliest_opt () {
4068 scripts/config.py full
4069 test_build_opt 'full config' "$GCC_EARLIEST" -O0
4070}
4071support_test_gcc_earliest_opt () {
4072 type "$GCC_EARLIEST" >/dev/null 2>/dev/null
4073}
4074
4075component_build_mbedtls_config_file () {
4076 msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
4077 scripts/config.py -w full_config.h full
4078 echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
4079 make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
4080 # Make sure this feature is enabled. We'll disable it in the next phase.
4081 programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
4082 make clean
4083
4084 msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE"
4085 # In the user config, disable one feature (for simplicity, pick a feature
4086 # that nothing else depends on).
4087 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
4088 make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
4089 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
4090
4091 rm -f user_config.h full_config.h
4092}
4093
4094component_build_psa_config_file () {
4095 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
4096 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
4097 cp "$CRYPTO_CONFIG_H" psa_test_config.h
4098 echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
4099 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
4100 # Make sure this feature is enabled. We'll disable it in the next phase.
4101 programs/test/query_compile_time_config MBEDTLS_CMAC_C
4102 make clean
4103
4104 msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
4105 # In the user config, disable one feature and its dependencies, which will
4106 # reflect on the mbedtls configuration so we can query it with
4107 # query_compile_time_config.
4108 echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
4109 echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
4110 scripts/config.py unset MBEDTLS_CMAC_C
4111 make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
4112 not programs/test/query_compile_time_config MBEDTLS_CMAC_C
4113
4114 rm -f psa_test_config.h psa_user_config.h
4115}
4116
4117component_build_psa_alt_headers () {
4118 msg "build: make with PSA alt headers" # ~20s
4119
4120 # Generate alternative versions of the substitutable headers with the
4121 # same content except different include guards.
4122 make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h
4123
4124 # Build the library and some programs.
4125 # Don't build the fuzzers to avoid having to go through hoops to set
4126 # a correct include path for programs/fuzz/Makefile.
4127 make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib
4128 make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'"
4129
4130 # Check that we're getting the alternative include guards and not the
4131 # original include guards.
4132 programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H
4133 programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H
4134 programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H
4135 programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H
4136}
4137
4138component_test_m32_no_asm () {
4139 # Build without assembly, so as to use portable C code (in a 32-bit
4140 # build) and not the i386-specific inline assembly.
4141 #
4142 # Note that we require gcc, because clang Asan builds fail to link for
4143 # this target (cannot find libclang_rt.lsan-i386.a - this is a known clang issue).
4144 msg "build: i386, make, gcc, no asm (ASan build)" # ~ 30s
4145 scripts/config.py full
4146 scripts/config.py unset MBEDTLS_HAVE_ASM
4147 scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
4148 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
4149
4150 msg "test: i386, make, gcc, no asm (ASan build)"
4151 make test
4152}
4153support_test_m32_no_asm () {
4154 case $(uname -m) in
4155 amd64|x86_64) true;;
4156 *) false;;
4157 esac
4158}
4159
4160component_test_m32_o2 () {
4161 # Build with optimization, to use the i386 specific inline assembly
4162 # and go faster for tests.
4163 msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s
4164 scripts/config.py full
4165 scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
4166 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
4167
4168 msg "test: i386, make, gcc -O2 (ASan build)"
4169 make test
4170
4171 msg "test ssl-opt.sh, i386, make, gcc-O2"
4172 tests/ssl-opt.sh
4173}
4174support_test_m32_o2 () {
4175 support_test_m32_no_asm "$@"
4176}
4177
4178component_test_m32_everest () {
4179 msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min
4180 scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
4181 scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
4182 make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
4183
4184 msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
4185 make test
4186
4187 msg "test: i386, Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
4188 tests/ssl-opt.sh -f ECDH
4189
4190 msg "test: i386, Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
4191 # Exclude some symmetric ciphers that are redundant here to gain time.
4192 tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
4193}
4194support_test_m32_everest () {
4195 support_test_m32_no_asm "$@"
4196}
4197
4198component_test_mx32 () {
4199 msg "build: 64-bit ILP32, make, gcc" # ~ 30s
4200 scripts/config.py full
4201 make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
4202
4203 msg "test: 64-bit ILP32, make, gcc"
4204 make test
4205}
4206support_test_mx32 () {
4207 case $(uname -m) in
4208 amd64|x86_64) true;;
4209 *) false;;
4210 esac
4211}
4212
4213component_test_min_mpi_window_size () {
4214 msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
4215 scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1
4216 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
4217 make
4218
4219 msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
4220 make test
4221}
4222
4223component_test_have_int32 () {
4224 msg "build: gcc, force 32-bit bignum limbs"
4225 scripts/config.py unset MBEDTLS_HAVE_ASM
4226 scripts/config.py unset MBEDTLS_AESNI_C
4227 scripts/config.py unset MBEDTLS_AESCE_C
4228 make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
4229
4230 msg "test: gcc, force 32-bit bignum limbs"
4231 make test
4232}
4233
4234component_test_have_int64 () {
4235 msg "build: gcc, force 64-bit bignum limbs"
4236 scripts/config.py unset MBEDTLS_HAVE_ASM
4237 scripts/config.py unset MBEDTLS_AESNI_C
4238 scripts/config.py unset MBEDTLS_AESCE_C
4239 make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
4240
4241 msg "test: gcc, force 64-bit bignum limbs"
4242 make test
4243}
4244
4245component_test_have_int32_cmake_new_bignum () {
4246 msg "build: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)"
4247 scripts/config.py unset MBEDTLS_HAVE_ASM
4248 scripts/config.py unset MBEDTLS_AESNI_C
4249 scripts/config.py unset MBEDTLS_AESCE_C
4250 scripts/config.py set MBEDTLS_TEST_HOOKS
4251 scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
4252 make CC=gcc CFLAGS="$ASAN_CFLAGS -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32" LDFLAGS="$ASAN_CFLAGS"
4253
4254 msg "test: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)"
4255 make test
4256}
4257
4258component_test_no_udbl_division () {
4259 msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
4260 scripts/config.py full
4261 scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
4262 make CFLAGS='-Werror -O1'
4263
4264 msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
4265 make test
4266}
4267
4268component_test_no_64bit_multiplication () {
4269 msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
4270 scripts/config.py full
4271 scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
4272 make CFLAGS='-Werror -O1'
4273
4274 msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
4275 make test
4276}
4277
4278component_test_no_strings () {
4279 msg "build: no strings" # ~10s
4280 scripts/config.py full
4281 # Disable options that activate a large amount of string constants.
4282 scripts/config.py unset MBEDTLS_DEBUG_C
4283 scripts/config.py unset MBEDTLS_ERROR_C
4284 scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY
4285 scripts/config.py unset MBEDTLS_VERSION_FEATURES
4286 make CFLAGS='-Werror -Os'
4287
4288 msg "test: no strings" # ~ 10s
4289 make test
4290}
4291
4292component_test_no_x509_info () {
4293 msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
4294 scripts/config.pl full
4295 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
4296 scripts/config.pl set MBEDTLS_X509_REMOVE_INFO
4297 make CFLAGS='-Werror -O2'
4298
4299 msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
4300 make test
4301
4302 msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_INFO" # ~ 1 min
4303 tests/ssl-opt.sh
4304}
4305
4306component_build_arm_none_eabi_gcc () {
4307 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" # ~ 10s
4308 scripts/config.py baremetal
4309 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib
4310
4311 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug"
4312 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
4313 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4314 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4315}
4316
4317component_build_arm_linux_gnueabi_gcc_arm5vte () {
4318 msg "build: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s
4319 scripts/config.py baremetal
4320 # Build for a target platform that's close to what Debian uses
4321 # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort).
4322 # See https://github.com/Mbed-TLS/mbedtls/pull/2169 and comments.
4323 # Build everything including programs, see for example
4324 # https://github.com/Mbed-TLS/mbedtls/pull/3449#issuecomment-675313720
4325 make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te'
4326
4327 msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
4328 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o
4329 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4330 ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4331}
4332support_build_arm_linux_gnueabi_gcc_arm5vte () {
4333 type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1
4334}
4335
4336component_build_arm_none_eabi_gcc_arm5vte () {
4337 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s
4338 scripts/config.py baremetal
4339 # This is an imperfect substitute for
4340 # component_build_arm_linux_gnueabi_gcc_arm5vte
4341 # in case the gcc-arm-linux-gnueabi toolchain is not available
4342 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
4343
4344 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
4345 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
4346 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4347 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4348}
4349
4350component_build_arm_none_eabi_gcc_m0plus () {
4351 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus, baremetal_size" # ~ 10s
4352 scripts/config.py baremetal_size
4353 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib
4354
4355 msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size"
4356 ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
4357 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
4358 ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
4359 for lib in library/*.a; do
4360 echo "$lib:"
4361 ${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS
4362 done
4363}
4364
4365component_build_arm_none_eabi_gcc_no_udbl_division () {
4366 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
4367 scripts/config.py baremetal
4368 scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
4369 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib
4370 echo "Checking that software 64-bit division is not required"
4371 not grep __aeabi_uldiv library/*.o
4372 not grep __aeabi_uldiv ${PSA_CORE_PATH}/*.o
4373 not grep __aeabi_uldiv ${BUILTIN_SRC_PATH}/*.o
4374}
4375
4376component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
4377 msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s
4378 scripts/config.py baremetal
4379 scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
4380 make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib
4381 echo "Checking that software 64-bit multiplication is not required"
4382 not grep __aeabi_lmul library/*.o
4383 not grep __aeabi_lmul ${PSA_CORE_PATH}/*.o
4384 not grep __aeabi_lmul ${BUILTIN_SRC_PATH}/*.o
4385}
4386
4387component_build_arm_clang_thumb () {
4388 # ~ 30s
4389
4390 scripts/config.py baremetal
4391
4392 msg "build: clang thumb 2, make"
4393 make clean
4394 make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -march=armv7-m -mthumb' lib
4395
4396 # Some Thumb 1 asm is sensitive to optimisation level, so test both -O0 and -Os
4397 msg "build: clang thumb 1 -O0, make"
4398 make clean
4399 make CC="clang" CFLAGS='-std=c99 -Werror -O0 --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib
4400
4401 msg "build: clang thumb 1 -Os, make"
4402 make clean
4403 make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib
4404}
4405
4406component_build_armcc () {
4407 msg "build: ARM Compiler 5"
4408 scripts/config.py baremetal
4409 # armc[56] don't support SHA-512 intrinsics
4410 scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
4411
4412 # older versions of armcc/armclang don't support AESCE_C on 32-bit Arm
4413 scripts/config.py unset MBEDTLS_AESCE_C
4414
4415 # Stop armclang warning about feature detection for A64_CRYPTO.
4416 # With this enabled, the library does build correctly under armclang,
4417 # but in baremetal builds (as tested here), feature detection is
4418 # unavailable, and the user is notified via a #warning. So enabling
4419 # this feature would prevent us from building with -Werror on
4420 # armclang. Tracked in #7198.
4421 scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
4422
4423 scripts/config.py set MBEDTLS_HAVE_ASM
4424
4425 make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
4426
4427 msg "size: ARM Compiler 5"
4428 "$ARMC5_FROMELF" -z library/*.o
4429 "$ARMC5_FROMELF" -z ${PSA_CORE_PATH}/*.o
4430 "$ARMC5_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
4431
4432 # Compile mostly with -O1 since some Arm inline assembly is disabled for -O0.
4433
4434 # ARM Compiler 6 - Target ARMv7-A
4435 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-a"
4436
4437 # ARM Compiler 6 - Target ARMv7-M
4438 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m"
4439
4440 # ARM Compiler 6 - Target ARMv7-M+DSP
4441 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m+dsp"
4442
4443 # ARM Compiler 6 - Target ARMv8-A - AArch32
4444 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8.2-a"
4445
4446 # ARM Compiler 6 - Target ARMv8-M
4447 armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main"
4448
4449 # ARM Compiler 6 - Target Cortex-M0 - no optimisation
4450 armc6_build_test "-O0 --target=arm-arm-none-eabi -mcpu=cortex-m0"
4451
4452 # ARM Compiler 6 - Target Cortex-M0
4453 armc6_build_test "-Os --target=arm-arm-none-eabi -mcpu=cortex-m0"
4454
4455 # ARM Compiler 6 - Target ARMv8.2-A - AArch64
4456 #
4457 # Re-enable MBEDTLS_AESCE_C as this should be supported by the version of armclang
4458 # that we have in our CI
4459 scripts/config.py set MBEDTLS_AESCE_C
4460 armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto"
4461}
4462
4463support_build_armcc () {
4464 armc5_cc="$ARMC5_BIN_DIR/armcc"
4465 armc6_cc="$ARMC6_BIN_DIR/armclang"
4466 (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
4467}
4468
4469component_test_tls12_only () {
4470 msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan"
4471 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
4472 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
4473 make
4474
4475 msg "test: main suites (inc. selftests) (ASan build)"
4476 make test
4477
4478 msg "test: ssl-opt.sh (ASan build)"
4479 tests/ssl-opt.sh
4480
4481 msg "test: compat.sh (ASan build)"
4482 tests/compat.sh
4483}
4484
4485component_test_tls13_only () {
4486 msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2"
4487 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4488 scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
4489 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4490
4491 msg "test: TLS 1.3 only, all key exchange modes enabled"
4492 make test
4493
4494 msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled"
4495 tests/ssl-opt.sh
4496}
4497
4498component_test_tls13_only_psk () {
4499 msg "build: TLS 1.3 only from default, only PSK key exchange mode"
4500 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4501 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
4502 scripts/config.py unset MBEDTLS_ECDH_C
4503 scripts/config.py unset MBEDTLS_DHM_C
4504 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4505 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4506 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4507 scripts/config.py unset MBEDTLS_ECDSA_C
4508 scripts/config.py unset MBEDTLS_PKCS1_V21
4509 scripts/config.py unset MBEDTLS_PKCS7_C
4510 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4511 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4512
4513 msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled"
4514 cd tests; ./test_suite_ssl; cd ..
4515
4516 msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled"
4517 tests/ssl-opt.sh
4518}
4519
4520component_test_tls13_only_ephemeral () {
4521 msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
4522 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4523 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
4524 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
4525 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4526
4527 msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
4528 cd tests; ./test_suite_ssl; cd ..
4529
4530 msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode"
4531 tests/ssl-opt.sh
4532}
4533
4534component_test_tls13_only_ephemeral_ffdh () {
4535 msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode"
4536 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4537 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
4538 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
4539 scripts/config.py unset MBEDTLS_ECDH_C
4540
4541 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4542
4543 msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode"
4544 cd tests; ./test_suite_ssl; cd ..
4545
4546 msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode"
4547 tests/ssl-opt.sh
4548}
4549
4550component_test_tls13_only_psk_ephemeral () {
4551 msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode"
4552 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4553 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4554 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4555 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4556 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4557 scripts/config.py unset MBEDTLS_ECDSA_C
4558 scripts/config.py unset MBEDTLS_PKCS1_V21
4559 scripts/config.py unset MBEDTLS_PKCS7_C
4560 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4561 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4562
4563 msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode"
4564 cd tests; ./test_suite_ssl; cd ..
4565
4566 msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode"
4567 tests/ssl-opt.sh
4568}
4569
4570component_test_tls13_only_psk_ephemeral_ffdh () {
4571 msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode"
4572 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4573 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4574 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4575 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4576 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4577 scripts/config.py unset MBEDTLS_ECDSA_C
4578 scripts/config.py unset MBEDTLS_PKCS1_V21
4579 scripts/config.py unset MBEDTLS_PKCS7_C
4580 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4581 scripts/config.py unset MBEDTLS_ECDH_C
4582 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4583
4584 msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"
4585 cd tests; ./test_suite_ssl; cd ..
4586
4587 msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"
4588 tests/ssl-opt.sh
4589}
4590
4591component_test_tls13_only_psk_all () {
4592 msg "build: TLS 1.3 only from default, without ephemeral key exchange mode"
4593 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
4594 scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
4595 scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
4596 scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
4597 scripts/config.py unset MBEDTLS_ECDSA_C
4598 scripts/config.py unset MBEDTLS_PKCS1_V21
4599 scripts/config.py unset MBEDTLS_PKCS7_C
4600 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4601 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4602
4603 msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
4604 cd tests; ./test_suite_ssl; cd ..
4605
4606 msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
4607 tests/ssl-opt.sh
4608}
4609
4610component_test_tls13_only_ephemeral_all () {
4611 msg "build: TLS 1.3 only from default, without PSK key exchange mode"
4612 scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4613 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4614 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4615
4616 msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
4617 cd tests; ./test_suite_ssl; cd ..
4618
4619 msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
4620 tests/ssl-opt.sh
4621}
4622
4623component_test_tls13_no_padding () {
4624 msg "build: default config plus early data minus padding"
4625 scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
4626 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4627 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
4628 make
4629 msg "test: default config plus early data minus padding"
4630 make test
4631 msg "ssl-opt.sh (TLS 1.3 no padding)"
4632 tests/ssl-opt.sh
4633}
4634
4635component_test_tls13_no_compatibility_mode () {
4636 msg "build: default config plus early data minus middlebox compatibility mode"
4637 scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
4638 scripts/config.py set MBEDTLS_SSL_EARLY_DATA
4639 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
4640 make
4641 msg "test: default config plus early data minus middlebox compatibility mode"
4642 make test
4643 msg "ssl-opt.sh (TLS 1.3 no compatibility mode)"
4644 tests/ssl-opt.sh
4645}
4646
4647component_test_full_minus_session_tickets() {
4648 msg "build: full config without session tickets"
4649 scripts/config.py full
4650 scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS
4651 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
4652 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
4653 make
4654 msg "test: full config without session tickets"
4655 make test
4656 msg "ssl-opt.sh (full config without session tickets)"
4657 tests/ssl-opt.sh
4658}
4659
4660component_build_mingw () {
4661 msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
4662 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs
4663
4664 # note Make tests only builds the tests, but doesn't run them
4665 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests
4666 make WINDOWS_BUILD=1 clean
4667
4668 msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
4669 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs
4670 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests
4671 make WINDOWS_BUILD=1 clean
4672
4673 msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s
4674 ./scripts/config.py unset MBEDTLS_AESNI_C #
4675 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib
4676 make WINDOWS_BUILD=1 clean
4677}
4678support_build_mingw() {
4679 case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in
4680 [0-5]*|"") false;;
4681 *) true;;
4682 esac
4683}
4684
4685component_test_memsan () {
4686 msg "build: MSan (clang)" # ~ 1 min 20s
4687 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
4688 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
4689 make
4690
4691 msg "test: main suites (MSan)" # ~ 10s
4692 make test
4693
4694 msg "test: metatests (MSan)"
4695 tests/scripts/run-metatests.sh any msan
4696
4697 msg "program demos (MSan)" # ~20s
4698 tests/scripts/run_demos.py
4699
4700 msg "test: ssl-opt.sh (MSan)" # ~ 1 min
4701 tests/ssl-opt.sh
4702
4703 # Optional part(s)
4704
4705 if [ "$MEMORY" -gt 0 ]; then
4706 msg "test: compat.sh (MSan)" # ~ 6 min 20s
4707 tests/compat.sh
4708 fi
4709}
4710
4711component_release_test_valgrind () {
4712 msg "build: Release (clang)"
4713 # default config, in particular without MBEDTLS_USE_PSA_CRYPTO
4714 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
4715 make
4716
4717 msg "test: main suites, Valgrind (default config)"
4718 make memcheck
4719
4720 # Optional parts (slow; currently broken on OS X because programs don't
4721 # seem to receive signals under valgrind on OS X).
4722 # These optional parts don't run on the CI.
4723 if [ "$MEMORY" -gt 0 ]; then
4724 msg "test: ssl-opt.sh --memcheck (default config)"
4725 tests/ssl-opt.sh --memcheck
4726 fi
4727
4728 if [ "$MEMORY" -gt 1 ]; then
4729 msg "test: compat.sh --memcheck (default config)"
4730 tests/compat.sh --memcheck
4731 fi
4732
4733 if [ "$MEMORY" -gt 0 ]; then
4734 msg "test: context-info.sh --memcheck (default config)"
4735 tests/context-info.sh --memcheck
4736 fi
4737}
4738
4739component_release_test_valgrind_psa () {
4740 msg "build: Release, full (clang)"
4741 # full config, in particular with MBEDTLS_USE_PSA_CRYPTO
4742 scripts/config.py full
4743 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
4744 make
4745
4746 msg "test: main suites, Valgrind (full config)"
4747 make memcheck
4748}
4749
4750support_test_cmake_out_of_source () {
4751 distrib_id=""
4752 distrib_ver=""
4753 distrib_ver_minor=""
4754 distrib_ver_major=""
4755
4756 # Attempt to parse lsb-release to find out distribution and version. If not
4757 # found this should fail safe (test is supported).
4758 if [[ -f /etc/lsb-release ]]; then
4759
4760 while read -r lsb_line; do
4761 case "$lsb_line" in
4762 "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};;
4763 "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};;
4764 esac
4765 done < /etc/lsb-release
4766
4767 distrib_ver_major="${distrib_ver%%.*}"
4768 distrib_ver="${distrib_ver#*.}"
4769 distrib_ver_minor="${distrib_ver%%.*}"
4770 fi
4771
4772 # Running the out of source CMake test on Ubuntu 16.04 using more than one
4773 # processor (as the CI does) can create a race condition whereby the build
4774 # fails to see a generated file, despite that file actually having been
4775 # generated. This problem appears to go away with 18.04 or newer, so make
4776 # the out of source tests unsupported on Ubuntu 16.04.
4777 [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ]
4778}
4779
4780component_test_cmake_out_of_source () {
4781 # Remove existing generated files so that we use the ones cmake
4782 # generates
4783 make neat
4784
4785 msg "build: cmake 'out-of-source' build"
4786 MBEDTLS_ROOT_DIR="$PWD"
4787 mkdir "$OUT_OF_SOURCE_DIR"
4788 cd "$OUT_OF_SOURCE_DIR"
4789 # Note: Explicitly generate files as these are turned off in releases
4790 cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$MBEDTLS_ROOT_DIR"
4791 make
4792
4793 msg "test: cmake 'out-of-source' build"
4794 make test
4795 # Check that ssl-opt.sh can find the test programs.
4796 # Also ensure that there are no error messages such as
4797 # "No such file or directory", which would indicate that some required
4798 # file is missing (ssl-opt.sh tolerates the absence of some files so
4799 # may exit with status 0 but emit errors).
4800 ./tests/ssl-opt.sh -f 'Default' >ssl-opt.out 2>ssl-opt.err
4801 grep PASS ssl-opt.out
4802 cat ssl-opt.err >&2
4803 # If ssl-opt.err is non-empty, record an error and keep going.
4804 [ ! -s ssl-opt.err ]
4805 rm ssl-opt.out ssl-opt.err
4806 cd "$MBEDTLS_ROOT_DIR"
4807 rm -rf "$OUT_OF_SOURCE_DIR"
4808}
4809
4810component_test_cmake_as_subdirectory () {
4811 # Remove existing generated files so that we use the ones CMake
4812 # generates
4813 make neat
4814
4815 msg "build: cmake 'as-subdirectory' build"
4816 cd programs/test/cmake_subproject
4817 # Note: Explicitly generate files as these are turned off in releases
4818 cmake -D GEN_FILES=ON .
4819 make
4820 ./cmake_subproject
4821}
4822support_test_cmake_as_subdirectory () {
4823 support_test_cmake_out_of_source
4824}
4825
4826component_test_cmake_as_package () {
4827 # Remove existing generated files so that we use the ones CMake
4828 # generates
4829 make neat
4830
4831 msg "build: cmake 'as-package' build"
4832 cd programs/test/cmake_package
4833 cmake .
4834 make
4835 ./cmake_package
4836}
4837support_test_cmake_as_package () {
4838 support_test_cmake_out_of_source
4839}
4840
4841component_test_cmake_as_package_install () {
4842 # Remove existing generated files so that we use the ones CMake
4843 # generates
4844 make neat
4845
4846 msg "build: cmake 'as-installed-package' build"
4847 cd programs/test/cmake_package_install
4848 cmake .
4849 make
4850 ./cmake_package_install
4851}
4852support_test_cmake_as_package_install () {
4853 support_test_cmake_out_of_source
4854}
4855
4856component_build_cmake_custom_config_file () {
4857 # Make a copy of config file to use for the in-tree test
4858 cp "$CONFIG_H" include/mbedtls_config_in_tree_copy.h
4859
4860 MBEDTLS_ROOT_DIR="$PWD"
4861 mkdir "$OUT_OF_SOURCE_DIR"
4862 cd "$OUT_OF_SOURCE_DIR"
4863
4864 # Build once to get the generated files (which need an intact config file)
4865 cmake "$MBEDTLS_ROOT_DIR"
4866 make
4867
4868 msg "build: cmake with -DMBEDTLS_CONFIG_FILE"
4869 scripts/config.py -w full_config.h full
4870 echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H"
4871 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h "$MBEDTLS_ROOT_DIR"
4872 make
4873
4874 msg "build: cmake with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE"
4875 # In the user config, disable one feature (for simplicity, pick a feature
4876 # that nothing else depends on).
4877 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
4878
4879 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h "$MBEDTLS_ROOT_DIR"
4880 make
4881 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
4882
4883 rm -f user_config.h full_config.h
4884
4885 cd "$MBEDTLS_ROOT_DIR"
4886 rm -rf "$OUT_OF_SOURCE_DIR"
4887
4888 # Now repeat the test for an in-tree build:
4889
4890 # Restore config for the in-tree test
4891 mv include/mbedtls_config_in_tree_copy.h "$CONFIG_H"
4892
4893 # Build once to get the generated files (which need an intact config)
4894 cmake .
4895 make
4896
4897 msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE"
4898 scripts/config.py -w full_config.h full
4899 echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H"
4900 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h .
4901 make
4902
4903 msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE"
4904 # In the user config, disable one feature (for simplicity, pick a feature
4905 # that nothing else depends on).
4906 echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
4907
4908 cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h .
4909 make
4910 not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
4911
4912 rm -f user_config.h full_config.h
4913}
4914support_build_cmake_custom_config_file () {
4915 support_test_cmake_out_of_source
4916}
4917
4918component_build_cmake_programs_no_testing () {
4919 # Verify that the type of builds performed by oss-fuzz don't get accidentally broken
4920 msg "build: cmake with -DENABLE_PROGRAMS=ON and -DENABLE_TESTING=OFF"
4921 cmake -DENABLE_PROGRAMS=ON -DENABLE_TESTING=OFF .
4922 make
4923}
4924support_build_cmake_programs_no_testing () {
4925 support_test_cmake_out_of_source
4926}
4927
4928component_build_zeroize_checks () {
4929 msg "build: check for obviously wrong calls to mbedtls_platform_zeroize()"
4930
4931 scripts/config.py full
4932
4933 # Only compile - we're looking for sizeof-pointer-memaccess warnings
4934 make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess"
4935}
4936
4937
4938component_test_zeroize () {
4939 # Test that the function mbedtls_platform_zeroize() is not optimized away by
4940 # different combinations of compilers and optimization flags by using an
4941 # auxiliary GDB script. Unfortunately, GDB does not return error values to the
4942 # system in all cases that the script fails, so we must manually search the
4943 # output to check whether the pass string is present and no failure strings
4944 # were printed.
4945
4946 # Don't try to disable ASLR. We don't care about ASLR here. We do care
4947 # about a spurious message if Gdb tries and fails, so suppress that.
4948 gdb_disable_aslr=
4949 if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then
4950 gdb_disable_aslr='set disable-randomization off'
4951 fi
4952
4953 for optimization_flag in -O2 -O3 -Ofast -Os; do
4954 for compiler in clang gcc; do
4955 msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()"
4956 make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag"
4957 gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
4958 grep "The buffer was correctly zeroized" test_zeroize.log
4959 not grep -i "error" test_zeroize.log
4960 rm -f test_zeroize.log
4961 make clean
4962 done
4963 done
4964}
4965
4966component_test_psa_compliance () {
4967 # The arch tests build with gcc, so require use of gcc here to link properly
4968 msg "build: make, default config (out-of-box), libmbedcrypto.a only"
4969 CC=gcc make -C library libmbedcrypto.a
4970
4971 msg "unit test: test_psa_compliance.py"
4972 CC=gcc ./tests/scripts/test_psa_compliance.py
4973}
4974
4975support_test_psa_compliance () {
4976 # psa-compliance-tests only supports CMake >= 3.10.0
4977 ver="$(cmake --version)"
4978 ver="${ver#cmake version }"
4979 ver_major="${ver%%.*}"
4980
4981 ver="${ver#*.}"
4982 ver_minor="${ver%%.*}"
4983
4984 [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ]
4985}
4986
4987component_check_code_style () {
4988 msg "Check C code style"
4989 ./scripts/code_style.py
4990}
4991
4992support_check_code_style() {
4993 case $(uncrustify --version) in
4994 *0.75.1*) true;;
4995 *) false;;
4996 esac
4997}
4998
4999component_check_python_files () {
5000 msg "Lint: Python scripts"
5001 tests/scripts/check-python-files.sh
5002}
5003
5004component_check_test_helpers () {
5005 msg "unit test: generate_test_code.py"
5006 # unittest writes out mundane stuff like number or tests run on stderr.
5007 # Our convention is to reserve stderr for actual errors, and write
5008 # harmless info on stdout so it can be suppress with --quiet.
5009 ./framework/scripts/test_generate_test_code.py 2>&1
5010
5011 msg "unit test: translate_ciphers.py"
5012 python3 -m unittest tests/scripts/translate_ciphers.py 2>&1
5013}
5014
5015component_test_psasim() {
5016 msg "build server library and application"
5017 scripts/config.py crypto
5018 helper_psasim_config server
5019 helper_psasim_build server
5020
5021 helper_psasim_cleanup_before_client
5022
5023 msg "build library for client"
5024 helper_psasim_config client
5025 helper_psasim_build client
5026
5027 msg "build basic psasim client"
5028 make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_client_base
5029 msg "test basic psasim client"
5030 tests/psa-client-server/psasim/test/run_test.sh psa_client_base
5031
5032 msg "build full psasim client"
5033 make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_client_full
5034 msg "test full psasim client"
5035 tests/psa-client-server/psasim/test/run_test.sh psa_client_full
5036
5037 make -C tests/psa-client-server/psasim clean
5038}
5039
5040component_test_suite_with_psasim()
5041{
5042 msg "build server library and application"
5043 helper_psasim_config server
5044 # Modify server's library configuration here (if needed)
5045 helper_psasim_build server
5046
5047 helper_psasim_cleanup_before_client
5048
5049 msg "build client library"
5050 helper_psasim_config client
5051 # PAKE functions are still unsupported from PSASIM
5052 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
5053 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
5054 helper_psasim_build client
5055
5056 msg "build test suites"
5057 make PSASIM=1 CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" tests
5058
5059 helper_psasim_server kill
5060 helper_psasim_server start
5061
5062 # psasim takes an extremely long execution time on some test suites so we
5063 # exclude them from the list.
5064 SKIP_TEST_SUITES="constant_time_hmac,lmots,lms"
5065 export SKIP_TEST_SUITES
5066
5067 msg "run test suites"
5068 make PSASIM=1 test
5069
5070 helper_psasim_server kill
5071}