Enable USE_PSA_CRYPTO with config.pl full

Previously it was disabled as too experimental, which no longer holds. Also,
this option introduces new APIs, so it's not only about an internal
alternative (as the comment in config.pl used to state) - people who request a
full config should get all of the available APIs.

Adapt all.sh: now all builds with full config will also test this option, and
builds with the default config will test without it. Just to be sure, let's
have a build with full config minus this option.

Update documentation of MBEDTLS_USE_PSA_CRYPTO to reflect the status of the
new APIs it enables in Mbed TLS and why they're still opt-in.
This commit is contained in:
Manuel Pégourié-Gonnard 2019-02-01 12:38:40 +01:00 committed by Andrzej Kurek
parent de7636e2dd
commit 971dea3745
3 changed files with 27 additions and 20 deletions

View file

@ -1726,18 +1726,26 @@
/**
* \def MBEDTLS_USE_PSA_CRYPTO
*
* Make the X.509 and TLS library use PSA for cryptographic operations, see
* #MBEDTLS_PSA_CRYPTO_C.
* Make the X.509 and TLS library use PSA for cryptographic operations, and
* enable new APIs for using keys handled by PSA Crypto.
*
* Note: this option is still in progress, the full X.509 and TLS modules are
* \note This option is still in progress, the full X.509 and TLS modules are
* not covered yet, but parts that are not ported to PSA yet will still work
* as usual, so enabling this option should not break backwards compatibility.
*
* \warning Support for PSA is still an experimental feature.
* Any public API that depends on this option may change
* at any time until this warning is removed.
* \warning The PSA Crypto API is still beta status. While you're welcome to
* experiment using it, incompatible API changes are still possible, and some
* parts may not have reached the same quality as the rest of Mbed TLS yet.
*
* \warning This option enables new Mbed TLS APIs that are dependent on the
* PSA Crypto API, so can't come with the same stability guarantees as the
* rest of the Mbed TLS APIs. You're welcome to experiment with them, but for
* now access to these APIs is opt-in (via enabling the present option), in
* order to clearly differentiate them from the stable Mbed TLS APIs.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
*
* Uncomment this to enable internal use of PSA Crypto and new associated APIs
*/
//#define MBEDTLS_USE_PSA_CRYPTO

View file

@ -37,9 +37,6 @@
# - this could be enabled if the respective tests were adapted
# MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C
# MBEDTLS_USE_PSA_CRYPTO
# - experimental, and more an alternative implementation than a feature
# MBEDTLS_PSA_ITS_FILE_C
# MBEDTLS_PSA_CRYPTO_SPM
# MBEDTLS_PSA_INJECT_ENTROPY
# and any symbol beginning _ALT
@ -103,8 +100,6 @@ MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION
MBEDTLS_NO_64BIT_MULTIPLICATION
MBEDTLS_USE_PSA_CRYPTO
MBEDTLS_PSA_ITS_FILE_C
MBEDTLS_PSA_CRYPTO_SPM
MBEDTLS_PSA_INJECT_ENTROPY
_ALT\s*$

View file

@ -840,6 +840,7 @@ component_test_not_submodule_make () {
scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA
scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule
scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA
scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA
make CC=gcc CFLAGS='-g' USE_CRYPTO_SUBMODULE=0
msg "test: submodule libmbedcrypto wasn't built (no USE_CRYPTO_SUBMODULE, make)"
@ -863,6 +864,8 @@ component_test_not_submodule_cmake () {
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
scripts/config.pl unset MBEDTLS_PSA_CRYPTO_C # only works from submodule
scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on PSA
scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C # depends on PSA
scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO # depends on PSA
CC=gcc cmake -D CMAKE_BUILD_TYPE=Debug -D USE_CRYPTO_SUBMODULE=Off .
make
@ -880,33 +883,34 @@ component_test_not_submodule_cmake () {
if_build_succeeded tests/ssl-opt.sh
}
component_test_use_psa_crypto_full_cmake_asan() {
# MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
component_test_no_use_psa_crypto_full_cmake_asan() {
# full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan"
scripts/config.pl full
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE # restartable ECC not supported through PSA
scripts/config.pl set MBEDTLS_PSA_CRYPTO_C
scripts/config.pl set MBEDTLS_USE_PSA_CRYPTO
scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: main suites (MBEDTLS_USE_PSA_CRYPTO)"
msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)"
make test
msg "test: ssl-opt.sh (MBEDTLS_USE_PSA_CRYPTO)"
msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded tests/ssl-opt.sh
msg "test: compat.sh default (MBEDTLS_USE_PSA_CRYPTO)"
msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded tests/compat.sh
msg "test: compat.sh ssl3 (MBEDTLS_USE_PSA_CRYPTO)"
msg "test: compat.sh ssl3 (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
msg "test: compat.sh RC4, DES & NULL (MBEDTLS_USE_PSA_CRYPTO)"
msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
msg "test: compat.sh ARIA + ChachaPoly (MBEDTLS_USE_PSA_CRYPTO)"
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}