From 2d04ce2a883b4ea8ff6ed148cd6d39e08ecf2e1f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 19 Jul 2023 19:10:43 +0200 Subject: [PATCH 1/6] Remove comments that duplicate the 'msg' call just below Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5cbf19ed637b..097d6282537e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2122,7 +2122,6 @@ component_test_psa_crypto_config_accel_aead () { } component_test_psa_crypto_config_no_driver() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2135,7 +2134,6 @@ component_test_psa_crypto_config_no_driver() { } component_test_psa_crypto_config_chachapoly_disabled() { - # full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305 msg "build: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305" scripts/config.py full scripts/config.py unset MBEDTLS_CHACHAPOLY_C @@ -2149,8 +2147,6 @@ component_test_psa_crypto_config_chachapoly_disabled() { # This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. component_build_psa_accel_alg_ecdh() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH - # without MBEDTLS_ECDH_C msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2168,7 +2164,6 @@ component_build_psa_accel_alg_ecdh() { # This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. component_build_psa_accel_key_type_ecc_key_pair() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_KEY_PAIR msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2182,7 +2177,6 @@ component_build_psa_accel_key_type_ecc_key_pair() { # This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. component_build_psa_accel_key_type_ecc_public_key() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2196,7 +2190,6 @@ component_build_psa_accel_key_type_ecc_public_key() { # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. component_build_psa_accel_alg_hmac() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2208,8 +2201,6 @@ component_build_psa_accel_alg_hmac() { # This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. component_build_psa_accel_alg_hkdf() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HKDF - # without MBEDTLS_HKDF_C msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2224,7 +2215,6 @@ component_build_psa_accel_alg_hkdf() { # This should be renamed to test and updated once the accelerator MD2 code is in place and ready to test. component_build_psa_accel_alg_md2() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD2 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD2 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2244,7 +2234,6 @@ component_build_psa_accel_alg_md2() { # This should be renamed to test and updated once the accelerator MD4 code is in place and ready to test. component_build_psa_accel_alg_md4() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD4 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD4 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2264,7 +2253,6 @@ component_build_psa_accel_alg_md4() { # This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. component_build_psa_accel_alg_md5() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD5 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD5 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2284,7 +2272,6 @@ component_build_psa_accel_alg_md5() { # This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. component_build_psa_accel_alg_ripemd160() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RIPEMD160 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RIPEMD160 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2304,7 +2291,6 @@ component_build_psa_accel_alg_ripemd160() { # This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. component_build_psa_accel_alg_sha1() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_1 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_1 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2324,7 +2310,6 @@ component_build_psa_accel_alg_sha1() { # This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. component_build_psa_accel_alg_sha224() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_224 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_224 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2343,7 +2328,6 @@ component_build_psa_accel_alg_sha224() { # This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. component_build_psa_accel_alg_sha256() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_256 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_256 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2363,7 +2347,6 @@ component_build_psa_accel_alg_sha256() { # This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. component_build_psa_accel_alg_sha384() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_384 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_384 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2382,7 +2365,6 @@ component_build_psa_accel_alg_sha384() { # This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. component_build_psa_accel_alg_sha512() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_512 without other hashes msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_512 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2402,7 +2384,6 @@ component_build_psa_accel_alg_sha512() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_CRYPT msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2418,7 +2399,6 @@ component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_pkcs1v15_sign() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_SIGN and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2434,7 +2414,6 @@ component_build_psa_accel_alg_rsa_pkcs1v15_sign() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_oaep() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_OAEP and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2450,7 +2429,6 @@ component_build_psa_accel_alg_rsa_oaep() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_pss() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PSS and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2466,7 +2444,6 @@ component_build_psa_accel_alg_rsa_pss() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_key_type_rsa_key_pair() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR and PSA_WANT_ALG_RSA_PSS msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2480,7 +2457,6 @@ component_build_psa_accel_key_type_rsa_key_pair() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_key_type_rsa_public_key() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY and PSA_WANT_ALG_RSA_PSS msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG From d4c85af9cefc5b575854f4489db97728fbe934ba Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 20 Jul 2023 22:19:45 +0200 Subject: [PATCH 2/6] Fix inconsistencies in no-chachapoly test The original goal (https://github.com/Mbed-TLS/mbedtls/pull/5072) was to run a test with ChaChaPoly disabled in PSA. It was actually implemented with GCM also partially disabled (legacy GCM enabled but PSA GCM disabled), which distracted from the objective. It's actually useful to test both with and without GCM, so test both. Don't test inconsistencies between legacy and PSA support because that's not a common case and not one we have particular reasons to test. Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 097d6282537e..bd7c6ec9c922 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2133,15 +2133,27 @@ component_test_psa_crypto_config_no_driver() { make test } -component_test_psa_crypto_config_chachapoly_disabled() { - msg "build: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305" +component_test_aead_chachapoly_disabled() { + msg "build: full minus CHACHAPOLY" scripts/config.py full scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_GCM - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" - msg "test: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305" + msg "test: full minus CHACHAPOLY" + make test +} + +component_test_aead_only_ccm() { + msg "build: full minus CHACHAPOLY and GCM" + scripts/config.py full + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM + make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full minus CHACHAPOLY and GCM" make test } From 2e70f1c952a96d0463927615dc478243a7fa2f51 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 20 Jul 2023 19:00:15 +0200 Subject: [PATCH 3/6] Make malloc-0-null a user config file Having a wrapper made it harder to use: incompatible with setting MBEDTLS_CONFIG_FILE, harder to combine with other settings. It was also surprising since it was the only test config that was structured in that way. Signed-off-by: Gilles Peskine --- ...apper-malloc-0-null.h => user-config-malloc-0-null.h} | 9 +-------- tests/scripts/all.sh | 2 +- 2 files changed, 2 insertions(+), 9 deletions(-) rename tests/configs/{config-wrapper-malloc-0-null.h => user-config-malloc-0-null.h} (82%) diff --git a/tests/configs/config-wrapper-malloc-0-null.h b/tests/configs/user-config-malloc-0-null.h similarity index 82% rename from tests/configs/config-wrapper-malloc-0-null.h rename to tests/configs/user-config-malloc-0-null.h index 622ac572b74b..366dfc4d06d6 100644 --- a/tests/configs/config-wrapper-malloc-0-null.h +++ b/tests/configs/user-config-malloc-0-null.h @@ -1,4 +1,4 @@ -/* config.h wrapper that forces calloc(0) to return NULL. +/* config.h modifier that forces calloc(0) to return NULL. * Used for testing. */ /* @@ -18,11 +18,6 @@ * limitations under the License. */ -#ifndef MBEDTLS_CONFIG_H -/* Don't #define MBEDTLS_CONFIG_H, let config.h do it. */ - -#include "mbedtls/config.h" - #include #ifndef MBEDTLS_PLATFORM_STD_CALLOC @@ -37,5 +32,3 @@ static inline void *custom_calloc(size_t nmemb, size_t size) #define MBEDTLS_PLATFORM_MEMORY #define MBEDTLS_PLATFORM_STD_CALLOC custom_calloc #endif - -#endif /* MBEDTLS_CONFIG_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index bd7c6ec9c922..470cd914bdad 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2822,7 +2822,7 @@ component_test_platform_calloc_macro () { component_test_malloc_0_null () { msg "build: malloc(0) returns NULL (ASan+UBSan build)" scripts/config.py full - make CC=gcc CFLAGS="'-DMBEDTLS_CONFIG_FILE=\"$PWD/tests/configs/config-wrapper-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS" msg "test: malloc(0) returns NULL (ASan+UBSan build)" make test From 168be01a781ffdefc00e34fd1e8659cb480cc221 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 19 Jul 2023 19:36:55 +0200 Subject: [PATCH 4/6] Correct some msg messages in full config When MBEDTLS_USE_PSA_CRYPTO is disabled on a base of full, mention it. Don't explicitly mention MBEDTLS_PSA_CRYPTO_CONFIG when also mentioning PSA_WANT_xxx, since PSA_WANT symbols are only meaningful when MBEDTLS_PSA_CRYPTO_CONFIG is enabled. Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 470cd914bdad..7da895b1ea07 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2159,7 +2159,7 @@ component_test_aead_only_ccm() { # This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. component_build_psa_accel_alg_ecdh() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2176,7 +2176,7 @@ component_build_psa_accel_alg_ecdh() { # This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. component_build_psa_accel_key_type_ecc_key_pair() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2189,7 +2189,7 @@ component_build_psa_accel_key_type_ecc_key_pair() { # This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. component_build_psa_accel_key_type_ecc_public_key() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2202,7 +2202,7 @@ component_build_psa_accel_key_type_ecc_public_key() { # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. component_build_psa_accel_alg_hmac() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2213,7 +2213,7 @@ component_build_psa_accel_alg_hmac() { # This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. component_build_psa_accel_alg_hkdf() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2227,7 +2227,7 @@ component_build_psa_accel_alg_hkdf() { # This should be renamed to test and updated once the accelerator MD2 code is in place and ready to test. component_build_psa_accel_alg_md2() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD2 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD2 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2246,7 +2246,7 @@ component_build_psa_accel_alg_md2() { # This should be renamed to test and updated once the accelerator MD4 code is in place and ready to test. component_build_psa_accel_alg_md4() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD4 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD4 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2265,7 +2265,7 @@ component_build_psa_accel_alg_md4() { # This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. component_build_psa_accel_alg_md5() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD5 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2284,7 +2284,7 @@ component_build_psa_accel_alg_md5() { # This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. component_build_psa_accel_alg_ripemd160() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RIPEMD160 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2303,7 +2303,7 @@ component_build_psa_accel_alg_ripemd160() { # This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. component_build_psa_accel_alg_sha1() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_1 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2322,7 +2322,7 @@ component_build_psa_accel_alg_sha1() { # This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. component_build_psa_accel_alg_sha224() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_224 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2340,7 +2340,7 @@ component_build_psa_accel_alg_sha224() { # This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. component_build_psa_accel_alg_sha256() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_256 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2359,7 +2359,7 @@ component_build_psa_accel_alg_sha256() { # This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. component_build_psa_accel_alg_sha384() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_384 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2377,7 +2377,7 @@ component_build_psa_accel_alg_sha384() { # This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. component_build_psa_accel_alg_sha512() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_512 - other hashes" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2396,7 +2396,7 @@ component_build_psa_accel_alg_sha512() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2411,7 +2411,7 @@ component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_pkcs1v15_sign() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2426,7 +2426,7 @@ component_build_psa_accel_alg_rsa_pkcs1v15_sign() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_oaep() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2441,7 +2441,7 @@ component_build_psa_accel_alg_rsa_oaep() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_alg_rsa_pss() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2456,7 +2456,7 @@ component_build_psa_accel_alg_rsa_pss() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_key_type_rsa_key_pair() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2469,7 +2469,7 @@ component_build_psa_accel_key_type_rsa_key_pair() { # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. component_build_psa_accel_key_type_rsa_public_key() { - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS From 56081de77983f9786086d67fcf863c18ddb8a34c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 20 Jul 2023 22:18:23 +0200 Subject: [PATCH 5/6] Simplify the logic in a test Signed-off-by: Gilles Peskine --- tests/suites/test_suite_ssl.function | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 6bcde710ba3b..d1feabed8136 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1385,19 +1385,16 @@ void ssl_crypt_record_small(int cipher_type, int hash_id, ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, mbedtls_test_rnd_std_rand, NULL); - if ((mode == 1 || mode == 2) && seen_success) { - TEST_ASSERT(ret == 0); - } else { - TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - if (ret == 0) { - seen_success = 1; - } - } - - if (ret != 0) { + if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { + /* It's ok if the output buffer is too small. We do insist + * on at least one mode succeeding; this is tracked by + * seen_success. */ continue; } + TEST_EQUAL(ret, 0); + seen_success = 1; + #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if (rec.cid_len != 0) { /* DTLS 1.2 + CID hides the real content type and From 8d77ec2f7d7d1fc674a2a38ff3076569e7340eb5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 26 Jul 2023 18:45:20 +0200 Subject: [PATCH 6/6] PSA_CRYPTO_DRIVER_TEST_ALL is incompatible with MBEDTLS_PSA_CRYPTO_CONFIG Explain how PSA_CRYPTO_DRIVER_TEST_ALL works and why we have it. Note that it is incompatible with MBEDTLS_PSA_CRYPTO_CONFIG. MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is in the full config, so there's no need to add it explicitly. Signed-off-by: Gilles Peskine --- tests/configs/user-config-for-test.h | 20 ++++++++++++++++++++ tests/scripts/all.sh | 5 ++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h index fbec4f4c603e..ed30be5839bf 100644 --- a/tests/configs/user-config-for-test.h +++ b/tests/configs/user-config-for-test.h @@ -23,11 +23,31 @@ */ #if defined(PSA_CRYPTO_DRIVER_TEST_ALL) +/* PSA_CRYPTO_DRIVER_TEST_ALL activates test drivers while keeping the + * built-in implementations active. Normally setting MBEDTLS_PSA_ACCEL_xxx + * would disable MBEDTLS_PSA_BUILTIN_xxx unless fallback is activated, but + * here we arrange to have both active so that psa_crypto_*.c includes + * the built-in implementations and the driver code can call the built-in + * implementations. + * + * The point of this test mode is to verify that the + * driver entry points are called when they should be in a lightweight + * way, without requiring an actual driver. This is different from builds + * with libtestdriver1, where we make a copy of the library source code + * and use that as an external driver. + */ /* Enable the use of the test driver in the library, and build the generic * part of the test driver. */ #define PSA_CRYPTO_DRIVER_TEST +/* With MBEDTLS_PSA_CRYPTO_CONFIG, if we set up the acceleration, the + * built-in implementations won't be enabled. */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +#error \ + "PSA_CRYPTO_DRIVER_TEST_ALL sets up a nonstandard configuration that is incompatible with MBEDTLS_PSA_CRYPTO_CONFIG" +#endif + /* Use the accelerator driver for all cryptographic mechanisms for which * the test driver implemented. */ #define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7da895b1ea07..ae8dae5e9d01 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2916,17 +2916,16 @@ component_test_se_default () { } component_test_psa_crypto_drivers () { - msg "build: MBEDTLS_PSA_CRYPTO_DRIVERS w/ driver hooks" + msg "build: full + test drivers dispatching to builtins" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - scripts/config.py set MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" loc_cflags="${loc_cflags} -I../tests/include -O2" make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + MBEDTLS_PSA_CRYPTO_DRIVERS" + msg "test: full + test drivers dispatching to builtins" make test }