Commit graph

961 commits

Author SHA1 Message Date
Przemek Stekiel
68db0d2f67 Optimize one cipher only components and adapt nemes
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-29 08:32:25 +02:00
Przemek Stekiel
0cc3466c9e Change testing strategy to default + one cypher only (psa/no psa)
In full config TLS 1.2 is disabled.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-28 12:06:57 +02:00
Przemek Stekiel
b0de1c040b Add components to build and test default/full config with legacy-ccm cipher only
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-28 11:15:16 +02:00
Przemek Stekiel
9550c05757 Add component to build and test full config with stream cipher only
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-28 09:51:55 +02:00
Manuel Pégourié-Gonnard
f3f9e450b6
Merge pull request #6115 from AndrzejKurek/ecjpake-kdf-tls-1-2
Ad-hoc KDF for EC J-PAKE in TLS 1.2
2022-09-28 09:47:32 +02:00
Przemek Stekiel
d582a01073 Make MBEDTLS_SSL_CONTEXT_SERIALIZATION dependent on AEAD
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-28 07:59:01 +02:00
Przemek Stekiel
a82290b727 Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions
Both functions are calling mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions. These functions are guarded with MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C flags - make it consistent.
As a result ssl_server2 won't build now with MBEDTLS_SSL_SESSION_TICKETS enabled (mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions not available).
Mark MBEDTLS_SSL_SESSION_TICKETS as dependent on MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C and disable MBEDTLS_SSL_SESSION_TICKETS in stream cipher only build.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-27 15:04:14 +02:00
Przemek Stekiel
11c362a050 Add component to build and test default config with stream cipher only
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-27 15:04:08 +02:00
Gilles Peskine
f70f4ead7f
Merge pull request #6248 from gilles-peskine-arm/all-sh-force-3.2
Fix all.sh --force
2022-09-23 17:04:00 +02:00
Manuel Pégourié-Gonnard
73f9233a73 Use full config for testing driver-only hashes
Stating from the default config means a few things are implicitly
excluded; starting from the full config makes it all fully explicit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-09-19 10:47:05 +02:00
Manuel Pégourié-Gonnard
79e1467799 Fix include path for programs
Same problem as #6101, same fix (the second commit of #6111).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-09-19 09:27:53 +02:00
Gilles Peskine
ef843f2b0c MBEDTLS_PLATFORM_VSNPRINTF_ALT requires MBEDTLS_PLATFORM_C
mbedtls_vsnprintf replacement works like mbedtls_snprintf replacement, so
copy the requirements for MBEDTLS_PLATFORM_VSNPRINTF_ALT.

(MBEDTLS_PLATFORM_xxx_MACRO shouldn't require MBEDTLS_PLATFORM_C, but that's
a separate preexisting problem which I do not try address at this time.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-09-18 14:05:23 +02:00
Andrzej Kurek
4ba0e45f8e all.sh: don't build with ECJPAKE_TO_PMS if SHA256 is not available
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-14 14:58:49 -04:00
Przemek Stekiel
dcec7ac3e8 test_psa_crypto_config_accel_hash_use_psa: enable tls.1.3 at the end and adapt comment
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-13 18:08:54 +02:00
Przemek Stekiel
a4af13a46c test_psa_crypto_config_accel_hash_use_psa: enable TLS 1.3
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-09-13 18:08:54 +02:00
Andrzej Kurek
07e3570f8c Add an ssl-opt.sh run to all.sh for the accel_hash_use_psa config
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-12 05:37:46 -04:00
Manuel Pégourié-Gonnard
f6a6a2d815
Merge pull request #6216 from AndrzejKurek/tls-tests-no-md-compat
TLS without MD - compat.sh addition to all.sh hash acceleration tests
2022-09-12 10:23:49 +02:00
Hannes Tschofenig
fd6cca4448 CID update to RFC 9146
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content.

Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
2022-09-07 17:15:05 +02:00
Andrzej Kurek
5e0654a324 Add a compat.sh run to psa_crypto_config_accel_hash_use_psa
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-04 09:31:17 -04:00
Andrzej Kurek
37a17e890c Enable PKCS5 in no-md builds in all.sh
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-02 04:05:33 -04:00
Manuel Pégourié-Gonnard
97fc247d6a
Merge pull request #6232 from AndrzejKurek/pkcs12-no-md
Remove MD dependency from pkcs12 module
2022-09-02 09:43:13 +02:00
Andrzej Kurek
7bd12c5d5e Remove MD dependency from pkcs12 module
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-01 08:57:41 -04:00
Gilles Peskine
076f7257e9 Don't remove programs/fuzz/Makefile
Other programs/*/Makefile are only created by CMake, but programs/fuzz has
its own Makefile in the repository. Fixes #6247.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-08-30 21:02:44 +02:00
Gilles Peskine
dd06efbb8d Don't try restoring a file if no backup is available
This caused `all.sh --force` to fail on a clean build tree.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-08-30 21:02:00 +02:00
Manuel Pégourié-Gonnard
bf22a2500b
Merge pull request #6208 from AndrzejKurek/tls-tests-no-md-structured
Remove the dependency on MD from TLS 1.2 tests
2022-08-30 12:34:37 +02:00
Manuel Pégourié-Gonnard
a84ce3fa81
Merge pull request #6111 from superna9999/6101-programs-dont-build-with-libtestdriver-and-use-psa
Programs don't build with libtestdriver and USE_PSA
2022-08-30 12:29:01 +02:00
Andrzej Kurek
180b6b9608 Enable TLS 1.2 tests without MD and with USE_PSA in all.sh
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-08-22 17:46:50 -04:00
Gilles Peskine
e5018c97f9
Merge pull request #6195 from superna9999/6149-driver-only-hashes-ec-j-pake
Driver-only hashes: EC J-PAKE
2022-08-22 17:28:15 +02:00
Neil Armstrong
7b044c1bbf Enable ECJPAKE in test_crypto_full_no_md () & test_psa_crypto_config_accel_hash_use_psa () components
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-19 11:49:22 +02:00
Przemek Stekiel
b792cfd423 component_test_psa_crypto_config_accel_hash_use_psa: stop removing all X.509 modules from the build
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-08-19 10:15:56 +02:00
Dave Rodgman
92cd8642fa
Merge pull request #6090 from hanno-arm/fix_bnmul_arm_v7a
Remove encoding width suffix from Arm bignum assembly
2022-08-18 08:48:03 +01:00
Dave Rodgman
03f7a6e086 Add armcc plain armv7-m target; tidy up arg order
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-08-17 14:35:29 +01:00
Manuel Pégourié-Gonnard
7a27e85f5c Fix failure of RSA accel test
Previously MD_C was auto-enabled based on the fact that ALG_RSA_PSS was
requested, but that's no longer the case since the previous commit.

We can fix this in one of two ways: either enable MD_C, or enable all
the PSA_WANT_ALG_SHA_xxx that are needed for test. Go for MD_C because
it's a single line and avoids having to enumerate a list that might grow
in the future.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-08-11 12:47:02 +02:00
Manuel Pégourié-Gonnard
077ba8489d PKCS#1 v2.1 now builds with PSA if no MD_C
Test coverage not there yet, as the entire test_suite_pkcs1_v21 is
skipped so far - dependencies to be adjusted in a future commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-08-11 12:47:02 +02:00
Neil Armstrong
d86b8ac111 Fix test_psa_crypto_config_accel_hash_use_psa build when including libtestdriver1 PSA headers from programs
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-08 13:56:13 +02:00
Hanno Becker
f0762e929e Enable inline assembly in armcc all.sh component
The test script all.sh contains the component

   component_build_armcc

testing that Mbed TLS builds using Arm Compiler 5 and 6,
on a variety of platforms.

However, the component does not exercise inline assembly
for Arm, since
- MBEDTLS_HAVE_ASM is unset, and
- Some Arm inline assembly is only used if the level of
  optimization is not 0.

This commit changes the test component to ensure that
inline assembly is built by setting MBEDTLS_HAVE_ASM
as well as enabling optimization level 1 (-O1).

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-07-15 12:08:19 +01:00
Manuel Pégourié-Gonnard
7b0825d180 Build with SHA-256 accelerated too
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
f0f63bc1b6 Test without MD_C
test_suite_pk still passes, with the same number of skipped tests as in
the default config minus PKCS#1v2.1

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
525add631e Add component with accelerated hashes and USE_PSA
Currently the test suites are passing because a lot of tests
functions/cases explicitly depend on SHAxxx_C, resulting in them being
skipped in this build. The goal of the next few commits is going to make
them pass and achieve test parity with a non-accelerated build for
selected modules.

Note: compared to the previous component, I'm using 'make tests' not
'make' (ie not building program) because I'm betting build failures
(some header not found) in programs which are not my interest atm.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
97ab2a3ae2 Clean up two accel tests in all.sh
- TLS versions earlier than 1.2 have been removed
- fix a copy-paste typo

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
46a295422d Build and test RSA PKCS#1v1.5 without MD
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
b86279fc63 Build and test PK without MD
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Paul Elliott
41aa808a56
Merge pull request #952 from gilles-peskine-arm/stdio_buffering-setbuf
Turn off stdio buffering with setbuf()
2022-07-04 10:12:22 +01:00
Gilles Peskine
6497b5a1d1 Add setbuf platform function
Add a platform function mbedtls_setbuf(), defaulting to setbuf().

The intent is to allow disabling stdio buffering when reading or writing
files with sensitive data, because this exposes the sensitive data to a
subsequent memory disclosure vulnerability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-30 17:01:40 +02:00
Ronald Cron
e3dac4aaa1 tls13: Add Certificate msg parsing tests with invalid vector lengths
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:42 +02:00
Przemek Stekiel
da5f483ad8 all.sh: Fix order of CIPHER dependencies
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-12 10:42:20 +02:00
Przemek Stekiel
179d74831f all.sh: add build/test config crypto_full minus CIPHER
Dependency list:

- ['MBEDTLS_CIPHER_C']
- ['MBEDTLS_CMAC_C', 'MBEDTLS_NIST_KW_C', 'MBEDTLS_PKCS12_C', 'MBEDTLS_PKCS5_C', 'MBEDTLS_CCM_C', 'MBEDTLS_GCM_C', 'MBEDTLS_PSA_CRYPTO_C']
- ['MBEDTLS_PSA_CRYPTO_SE_C', 'MBEDTLS_PSA_CRYPTO_STORAGE_C', 'MBEDTLS_USE_PSA_CRYPTO']

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-12 10:42:20 +02:00
Przemek Stekiel
10f3a601b4 all.sh: add build/test config full minus CIPHER
Dependency list:
- ['MBEDTLS_CIPHER_C']
- ['MBEDTLS_CMAC_C', 'MBEDTLS_NIST_KW_C', 'MBEDTLS_PKCS12_C', 'MBEDTLS_PKCS5_C', 'MBEDTLS_CCM_C', 'MBEDTLS_GCM_C', 'MBEDTLS_PSA_CRYPTO_C', 'MBEDTLS_SSL_TLS_C', 'MBEDTLS_SSL_TICKET_C']
- ['MBEDTLS_PSA_CRYPTO_SE_C', 'MBEDTLS_PSA_CRYPTO_STORAGE_C', 'MBEDTLS_SSL_PROTO_TLS1_3', 'MBEDTLS_SSL_CLI_C', 'MBEDTLS_SSL_SRV_C', 'MBEDTLS_SSL_DTLS_ANTI_REPLAY', 'MBEDTLS_SSL_DTLS_CONNECTION_ID', 'MBEDTLS_USE_PSA_CRYPTO']

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-12 10:42:20 +02:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Manuel Pégourié-Gonnard
42650260a9
Merge pull request #5783 from mprse/md_dep_v3
Fix undeclared dependencies: MD
2022-05-10 10:41:32 +02:00
Przemek Stekiel
d3ba7367c9 component_test_crypto_full_no_md: fix order of disabled features
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-06 11:41:56 +02:00
Przemek Stekiel
fe2367af26 all.sh: add build/test config crypto_full minus MD
Dependeny list:
- ['MBEDTLS_MD_C']
- ['MBEDTLS_ECJPAKE_C', 'MBEDTLS_PKCS5_C', 'MBEDTLS_PKCS12_C', 'MBEDTLS_PKCS1_V15', 'MBEDTLS_PKCS1_V21', 'MBEDTLS_HKDF_C', 'MBEDTLS_HMAC_DRBG_C', 'MBEDTLS_PK_C']
- ['MBEDTLS_ECDSA_DETERMINISTIC', 'MBEDTLS_PK_PARSE_C', 'MBEDTLS_PK_WRITE_C', 'MBEDTLS_RSA_C']

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-05 12:09:03 +02:00
Gilles Peskine
038108388a
Merge pull request #5654 from gilles-peskine-arm/psa-crypto-config-file
Support alternative MBEDTLS_PSA_CRYPTO_CONFIG_FILE
2022-04-28 18:17:50 +02:00
Manuel Pégourié-Gonnard
ad47487e25
Merge pull request #5742 from superna9999/5669-review-test-incompatible-psa
Fixup or re-enable tests with Use PSA
2022-04-28 09:57:13 +02:00
Neil Armstrong
98136b14e0 Fixup and update comment of disabled USE_PSA_CRYPTO test check in all.sh
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-27 10:00:42 +02:00
Neil Armstrong
882e02ea7a Move and fixup check_test_requires_psa_disabled() into check_test_cases()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 16:53:07 +02:00
Gilles Peskine
afbfed9397
Merge pull request #5582 from gilles-peskine-arm/ssl-opt-auto-psk
Run ssl-opt.sh in more reduced configurations
2022-04-21 12:03:53 +02:00
Neil Armstrong
09030a345c Refine component_check_test_requires_psa_disabled change grep options order for better compatibility
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-21 11:17:43 +02:00
Gilles Peskine
a841c2a20f test_cmake_out_of_source: run an ssl-opt test case that exists
component_test_cmake_out_of_source was running the ssl-opt.sh test case
"Fallback SCSV: beginning of list", but this test case was removed in Mbed
TLS 3.0, so ssl-opt.sh was running nothing, which is not an effective test.
In 2.x, the test case was chosen because it uses an additional auxiliary
program tests/scripts/tcp_client.pl. This auxiliary program is no longer
used. So instead, run at least one test case that's sure to exist.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:31:25 +02:00
Gilles Peskine
7393ec5ccf test_cmake_out_of_source: validate that ssl-opt passed
If the ssl-opt test case was skipped, the test was ineffective.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:30:24 +02:00
Neil Armstrong
4ad82e4b33 Add component_check_test_requires_psa_disabled used to check if some tests requiring PSA to be disabled are presemt
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-15 13:27:17 +02:00
Gilles Peskine
45e680e651 Explain why we check that a certain feature is enabled
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 23:23:21 +02:00
Gilles Peskine
5417d48044 Remove mostly-redundant test build
component_test_CID_no_debug was added specifically to be a non-regression
test for https://github.com/Mbed-TLS/mbedtls/issues/3998. Running compat.sh
in the newly introduced config-ccm-psk-dtls1_2.h is also a non-regression
test for that bug. Therefore component_test_CID_no_debug is redundant for
its primary purpose.

Of course every configuration is different, but the additional coverage from
component_test_CID_no_debug is minimal, unlike config-ccm-psk-dtls1_2.h
which is a plausible real-world configuration.

In mbedtls-2.28, component_test_CID_no_debug was never added, and running
the unit tests in that configuration does not trigger the #3998 bug, only
compat.sh does. So, rather than backport component_test_CID_no_debug to
2.28.2, I am removing it from 3.2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 22:47:17 +02:00
Manuel Pégourié-Gonnard
296787f75c Rm DES from invocations of compat.sh
It no longer makes sense, either in -e or -f: those ciphersuites have
been removed anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-13 10:45:10 +02:00
Gilles Peskine
7d904e7127 Test MBEDTLS_PSA_CRYPTO_CONFIG_FILE and MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-07 21:59:53 +02:00
Gilles Peskine
e10df779b7 Test MBEDTLS_USER_CONFIG_FILE as such
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-07 21:59:53 +02:00
Gilles Peskine
f4798279c0 Remove obsolete comment
mbedtls/mbedtls_config.h (formerly mbedtls/config.h) used to be included
directly in many places, so we wanted to test that all of these places
allowed the MBEDTLS_CONFIG_FILE override. Now mbedtls/mbedtls_config.h is
only included via build_info.h, so this is not relevant anymore.

It is no longer particularly useful to test MBEDTLS_CONFIG_FILE with the
full config, but it isn't harmful either, so keep it that way.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-07 21:59:53 +02:00
Gilles Peskine
2003c2f455 Simplify build_mbedtls_config_file
$CONFIG_H no longer includes check_config.h since Mbed TLS 3.0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-07 21:40:25 +02:00
Gilles Peskine
c82f62e3a5
Merge pull request #4907 from gilles-peskine-arm/config-baremetal-size-3.0
Disable debugging features in the primary code size measurement job
2022-04-04 16:12:58 +02:00
Ronald Cron
0e980e8e84
Merge pull request #5640 from ronald-cron-arm/version-negotiation-2
TLS 1.2/1.3 version negotiation - 2
2022-04-01 12:29:06 +02:00
Dave Rodgman
017a19997a Update references to old Github organisation
Replace references to ARMmbed organisation with the new
org, Mbed-TLS, following project migration.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-03-31 14:43:16 +01:00
Ronald Cron
a980adf4ce
Merge pull request #5637 from ronald-cron-arm/version-negotiation-1
TLS 1.2/1.3 version negotiation - 1
2022-03-31 11:47:16 +02:00
Ronald Cron
f660655b84 TLS: Allow hybrid TLS 1.2/1.3 in default configurations
This implies that when both TLS 1.2 and TLS 1.3
are included in the build all the TLS 1.2 tests
using the default configuration now go through
a version negotiation on the client side.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
de1adee51a Rename ssl_cli/srv.c
Rename ssl_cli.c and ssl_srv.c to reflect the fact
that they are TLS 1.2 specific now. Align there new
names with the TLS 1.3 ones.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:39:49 +02:00
Tom Cosgrove
226aca195f Fix running of all.sh on macOS
Was getting 'dd: unknown operand status'

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-03-23 21:40:56 +00:00
Tom Cosgrove
87fbfb5d82 SECLIB-667: Accelerate SHA-512 with A64 crypto extensions
Provide an additional pair of #defines, MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
and MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. At most one of them may be
specified. If used, it is necessary to compile with -march=armv8.2-a+sha3.

The MBEDTLS_SHA512_PROCESS_ALT and MBEDTLS_SHA512_ALT mechanisms
continue to work, and are mutually exclusive with SHA512_USE_A64_CRYPTO.

There should be minimal code size impact if no A64_CRYPTO option is set.

The SHA-512 implementation was originally written by Simon Tatham for PuTTY,
under the MIT licence; dual-licensed as Apache 2 with his kind permission.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-03-23 21:40:53 +00:00
Manuel Pégourié-Gonnard
f4042f076b
Merge pull request #5573 from superna9999/5176-5177-5178-5179-tsl-record-hmac
TLS record HMAC
2022-03-21 11:36:44 +01:00
Neil Armstrong
0ab7a232b5 Add non-PSA and PSA variant of test_XXXX_constant_flow all.sh tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:10:09 +01:00
Dave Rodgman
2cecd8aaad
Merge pull request #3624 from daxtens/timeless
RFC: Fix builds with MBEDTLS_HAVE_TIME disabled and test
2022-03-15 16:43:19 +00:00
Dave Rodgman
868d38f50f
Merge pull request #5547 from tom-cosgrove-arm/seclib-667-sha256-acceleration-mbedtls-internal
SECLIB-667: Accelerate SHA-256 with A64 crypto extensions
2022-03-14 12:57:37 +00:00
David Horstmann
61faf665e6 Use $PWD instead of $(pwd) for consistency
Change the new baremetal all.sh tests to use $PWD rather than
calling pwd again directly.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2022-03-04 05:07:45 -05:00
Daniel Axtens
814c8133c8 tests: add baremetal full config build
To be able to test utility programs for an absence of time.h, we need a
baremetal config that is not crypto only. Add one.

Signed-off-by: Daniel Axtens <dja@axtens.net>
2022-03-04 05:07:45 -05:00
Daniel Axtens
446af202f6 tests: prevent inclusion of time.h in baremetal compiles
baremetal compiles should not include time.h, as MBEDTLS_HAVE_TIME is
undefined. To test this, provide an overriding include directory that
has a time.h which throws a meaningful error if included.

Signed-off-by: Daniel Axtens <dja@axtens.net>
2022-03-04 05:07:45 -05:00
Tom Cosgrove
f3ebd90a1c SECLIB-667: Accelerate SHA-256 with A64 crypto extensions
Provide an additional pair of #defines, MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
and MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. At most one of them may be
specified. If used, it is necessary to compile with -march=armv8-a+crypto.

The MBEDTLS_SHA256_PROCESS_ALT and MBEDTLS_SHA256_ALT mechanisms
continue to work, and are mutually exclusive with A64_CRYPTO.

There should be minimal code size impact if no A64_CRYPTO option is set.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-02-21 08:37:26 +00:00
Jerry Yu
baa4934e7b Add check tests
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
81d5e1feca fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
da5af22015 tls13_only: add tls13_only test component
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Manuel Pégourié-Gonnard
d81e774083
Merge pull request #5463 from gilles-peskine-arm/cmake-test-suite-enumeration
CMake: generate the list of test suites automatically
2022-02-07 09:48:23 +01:00
Gilles Peskine
827dbd9d35 Remove obsolete calls to if_build_succeeded
This is now a no-op.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-04 00:32:58 +01:00
Gilles Peskine
c1247c0cbb Remove obsolete variable restoration or unset at the end of a component
This is no longer useful now that components run in a subshell.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-04 00:32:58 +01:00
Gilles Peskine
3bc3409edf Remove obsolete cd at the end of a component
This is no longer useful now that components run in a subshell.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-04 00:32:58 +01:00
Gilles Peskine
a300099246 Stop CMake out of source tests running on 16.04 (continued)
The race condition mentioned in the previous commit
"Stop CMake out of source tests running on 16.04"
has also been observed with test_cmake_as_subdirectory and can presumably
happen with test_cmake_as_package and test_cmake_as_package_install as well.
So skip all of these components on Ubuntu 16.04.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-04 00:32:58 +01:00
Andrzej Kurek
03e01461ad Make KEY_ID_ENCODES_OWNER compatible with USE_PSA_CRYPTO
Fix library references, tests and programs.
Testing is performed in the already present all.sh test.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-03 12:53:24 +01:00
Gilles Peskine
a5c18512b9
Merge pull request #5155 from paul-elliott-arm/pcks12_fix
Fixes for pkcs12 with NULL and/or zero length password
2021-12-13 14:52:36 +01:00
Ronald Cron
6f135e1148 Rename MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL to MBEDTLS_SSL_PROTO_TLS1_3
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:47:55 +01:00
Ronald Cron
0abf07ca2c Make PSA crypto mandatory for TLS 1.3
As we want to move to PSA for cryptographic operations
let's mandate PSA crypto from the start.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
fdb0e3f381 ssl-opt.sh: TLS 1.3: Run tests with middlebox compatibility enabled
Run tests with middlebox compatibility enabled but tests
dedicated to middlebox compatibility disabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-09 13:40:22 +01:00
Gilles Peskine
392113434a
Merge pull request #5263 from ronald-cron-arm/psa-test-driver_3.x
Forward port to 3.x: Introduce PSA test driver library to test PSA configuration
2021-12-07 12:52:20 +01:00
Ronald Cron
27d47713c9 tests: psa: Remove MD2, MD4 and ARC4 related code
MD2, MD4 and ARC4 are not supported anymore in
3.x.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-07 09:54:36 +01:00
Ronald Cron
3a8714d5d4 all.sh: psa: Add cipher acceleration test component
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
b231245ea8 all.sh: psa: Add hash acceleration test component
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
403c15cb51 all.sh: psa: Add ECDSA and RSA signature acceleration component
Add ECDSA and RSA signature acceleration testing
with signature capabilitites removed from the
Mbed TLS library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
7975fae6bd Move to separately compiled PSA test driver library
This commit removes the test_psa_crypto_config_basic
all.sh component that can no longer work without
adapting it to the separately compiled test driver
library. This component is replaced by several
components in the following commits to test various
type of acceleration independently.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Xiaofei Bai
8b5c3824ee Fix (d)tls1_2 into (d)tls12 in version options
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2021-12-02 13:22:18 +00:00
Gilles Peskine
a0e57ef84f
Merge pull request #5131 from gilles-peskine-arm/dlopen-test
dlopen test
2021-11-25 22:03:27 +01:00
Paul Elliott
62dc392ef8 Stop CMake out of source tests running on 16.04
Running the out of source CMake test on Ubuntu 16.04 using more than one
processor (as the CI does) can create a race condition whereby the build
fails to see a generated file, despite that file actually having been
generated. This problem appears to go away with 18.04 or newer, so make
the out of source tests not supported on Ubuntu 16.04

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-25 18:03:50 +00:00
Manuel Pégourié-Gonnard
9b9fbda912
Merge pull request #5094 from bensze01/test_psa_compliance
Run the PSA Compliance test suite in all.sh
2021-11-17 14:09:57 +01:00
Gilles Peskine
ca144597e8 Run the dlopen test in shared library builds
Non-regression for the fix in https://github.com/ARMmbed/mbedtls/pull/5126:
libmbedtls and libmbedx509 did not declare their dependencies on libmbedx509
and libmbedcrypto when built with make.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-10 19:05:20 +01:00
Bence Szépkúti
ef0d02ed31 Explain why support_test_psa_compliance is needed
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-03 13:17:31 +01:00
Bence Szépkúti
ca9236b0c5 Make the changes easier to backport
The code replaced in this patch was not compatible with the
development_2.x branch.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-10-29 11:37:27 +02:00
Manuel Pégourié-Gonnard
da71054bbc
Merge pull request #5011 from gilles-peskine-arm/test_ssl_o2-3.0
Build with -O2 when running ssl-opt
2021-10-29 09:25:23 +02:00
David Horstmann
a8d1406107 Rename DEV_MODE to GEN_FILES
GEN_FILES is a bit clearer as it describes what the setting
does more precisely.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-10-25 13:16:04 +01:00
David Horstmann
d64f4b249c Fix assorted spelling and wording issues
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-10-25 13:16:04 +01:00
Manuel Pégourié-Gonnard
9327fb33a6 Fix test_ref_config component of all.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-10-25 13:16:04 +01:00
Manuel Pégourié-Gonnard
bfe54d703d Cleanup: rm all files generated by cmake
Again, unrelated, except I kept noticing.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-10-25 13:16:04 +01:00
Bence Szépkúti
80b31c56eb Run the PSA Compliance test suite in all.sh
This commit adds a component to all.sh which clones, builds and runs the
compliance test suite.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-10-21 10:17:34 +02:00
Gilles Peskine
e7fc7ef38b Always set a build type for cmake when building for testing
Set the build type to Release (-O2) when running CPU-intensive tests (ssl-opt,
or unit tests with debug features). A build type of Check (-Os) would be best
when the main objective of the build is to check for build errors or warnings
and there aren't many tests to run; in this commit there are no such test
cases to change. Only use cmake with no build type (which results in not
passing a -O option, and thus missing some GCC warnings) when exercising cmake
features.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-19 21:33:32 +02:00
Gilles Peskine
6210320215
Merge pull request #4989 from AndrzejKurek/remove-ssl-export-keys
Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on
2021-10-18 17:53:56 +02:00
Przemyslaw Stekiel
316c4fa3ce Address review comments
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-10-15 08:04:53 +02:00
Przemyslaw Stekiel
1ecfdea002 all.sh: add full - MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-10-13 13:27:34 +02:00
Gilles Peskine
f4d2fd4a05 Fix cmake invocation syntax
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 11:45:47 +02:00
Gilles Peskine
dbf7b7eeb5 Switch cmake -O2 builds around to where we test a lot
Use Release mode (-O2) for component_test_full_cmake_clang which runs SSL
tests.

To have some coverage with Check mode (which enables more compiler warnings
but compiles with -Os), change a few other builds that only run unit tests
at most to Check mode.

Don't add any new builds, to keep the total build volume down. We don't need
extensive coverage of all combinations, just a reasonable set.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-07 19:38:32 +02:00
Gilles Peskine
77f0535a93 Clarify a comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-07 19:27:16 +02:00
Gilles Peskine
cf52222694 Correct support function name
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-07 19:25:29 +02:00
Gilles Peskine
bf3ec84b1c
Merge pull request #5003 from gilles-peskine-arm/all.sh-makeflags-nproc
Limit make parallelism to the number of CPUs in all.sh
2021-10-06 19:35:12 +02:00
Gilles Peskine
ff0aee0e7b Build with -O2 when running ssl-opt
SSL testing benefits from faster executables, so use -O2 rather than -O1.
Some builds use -O1, but that's intended for jobs that only run unit tests,
where the build takes longer than the tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-05 09:36:03 +02:00
Gilles Peskine
050d2fc201 Limit make parallelism to the number of CPUs
Don't default to unbridled -j, which causes a load spike and isn't really
faster.

"Number of CPUs" is implemented here as a reasonable compromise between
portability, correctness and simplicity. This is just a default that can be
overridden by setting MAKEFLAGS in the environment.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 18:24:21 +02:00
Gilles Peskine
6b34ac7655
Merge pull request #4955 from gilles-peskine-arm/make-tests-v-development
Facilitate reproducing unit tests from all.sh
2021-09-30 16:08:53 +02:00
Andrzej Kurek
324f72ec9c Fix a bug where the ssl context is used after it's nullified
When not using DEBUG_C, but using the DTLS CID feature -
a null pointer was accessed in ssl_tls.c.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-09-29 10:15:52 -04:00
Gilles Peskine
b19be6b5f3
Merge pull request #1638 from dgreen-arm/check-names-rewrite
Rewrite check-names.sh in python
2021-09-27 12:28:53 +02:00
Ronald Cron
27f84fc75c
Merge pull request #4813 from JoeSubbiani/TranslateCiphersuite_dev
Translate ciphersuite names
2021-09-27 08:57:52 +02:00
Yuto Takano
c3a6f63c99 Merge updates from upstream development branch into check-names-rewrite
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-09-24 18:02:56 +01:00
Gilles Peskine
3587dfdce8 Move long -D lists from all.sh to a header file
To facilitate maintenance and to make it easier to reproduce all.sh builds
manually, remove the long, repeated list of -D options from
component_test_psa_crypto_config_basic and component_test_psa_crypto_drivers
and put it in a header file instead.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-20 19:20:04 +02:00
Gilles Peskine
396853ad03 'make test': show failing test cases when cmake does
When building with make, `make test` runs `run-test-suites.pl` which has a
verbose mode that reports the failing test cases, but it didn't provide a
way to enable this verbose mode. With the present commit, you can run `make
test TEST_FLAGS=-v` to use verbose mode.

Base the default for verbose mode on the same environment variable that
`make test` uses when building with CMake: default off, but enabled if
`CTEST_OUTPUT_ON_FAILURE` is true. In particular, verbose mode will now be
on when building from `all.sh`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-20 18:57:55 +02:00
Jerry Yu
7a5ab044ca Add tls13 test with everst and ecp restartable
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-15 22:06:11 +08:00
Joe Subbiani
a25ffab422 Integrate tests as unit tests into one file
Rather than having the tests seperated into different files, they were integrated
into translate_ciphers.py and can be run from root using:
`python -m unittest tests/scripts/translate_ciphers.py`

test_translate_ciphers_format.sh was originally made as a testing ground before
having the translation tool being implmented into compat.sh. Translating it to
python code makes it redundant and therefore it will be removed.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-09-03 13:19:50 +01:00
Joe Subbiani
d614c0b197 Include translate ciphers tests in all.sh
To run test_translate_ciphers_names.py and _format.sh in the CI, include
it in all.sh component_check_generate_test_code.

Rename check_generate_test_code to check_test_helpers

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-09-03 13:18:50 +01:00
Gilles Peskine
0bf740ee4f
Merge pull request #4765 from gilles-peskine-arm/all.sh-subshells-3.0
Run all.sh components in a subshell
2021-09-02 10:26:58 +02:00
Gilles Peskine
e36fe81e34 Change our code size reference job to use baremetal_size
In build_arm_none_eabi_gcc_m0plus, use baremetal_size instead of baremetal
as the configuration, i.e. exclude debugging features. This job is the only
one switching to baremetal_size because it's our primary point of reference
for code size evolution, and which is the only job where we display the code
size built with -Os so it's presumably the only job for which we really care
about a meaningful code size report.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-01 20:00:33 +02:00
Manuel Pégourié-Gonnard
e45ee40f7e
Merge pull request #4811 from hanno-arm/tls13_ciphersuite_api
Add TLS 1.3 ciphersuite and key exchange identifiers and API
2021-08-30 09:47:46 +02:00
Manuel Pégourié-Gonnard
4512f21473
Merge pull request #3572 from mpg/add-arm-linux-build
Add arm-linux-gnueabi-gcc build
2021-08-12 13:16:02 +02:00
Hanno Becker
ae336852c5 Add ssl-opt.sh run to TLS 1.3 test in all.sh
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Yuto Takano
51efcb143d Rename check-names.py to check_names.py
This is necessary to import check_names from other scripts, which
will inevitably happen in the next few commits to implement the equivalent
of `list-identifiers.sh --internal`.

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-08-09 11:54:12 +01:00
Yuto Takano
b61f0e1151 Merge upstream 3.0 from 'development' in ARMmbed/mbedtls
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-08-06 21:07:34 +01:00
Darryl Green
4e9b51bc18 Update scripts to use check-names.py
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-08-06 21:04:32 +01:00
Gilles Peskine
80ddb991c2 Add --restore option to clean up but not necessarily run components
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-06 11:51:59 +02:00
Gilles Peskine
03af678911 Documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-06 11:35:17 +02:00
Gilles Peskine
86f6129067 Documentation improvement
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-05 15:11:33 +02:00
Gilles Peskine
7530163f3b Make --quiet more effective when running make generated_files
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-05 15:10:47 +02:00
Gilles Peskine
bf66e2cc8f Documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-03 13:44:28 +02:00
Gilles Peskine
1d475b6398 Disable wildcards when checking for unsupported components
Otherwise $COMMAND_LINE_COMPONENTS would try to expand wildcard patterns
based on files in the current directory.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-03 13:43:36 +02:00
Manuel Pégourié-Gonnard
ae505eeeed Fix missing dependency on Travis
Was getting errors like:

In file included from /usr/include/limits.h:25:0,
                 from /usr/lib/gcc-cross/arm-linux-gnueabi/5/include-fixed/limits.h:168,
                 from /usr/lib/gcc-cross/arm-linux-gnueabi/5/include-fixed/syslimits.h:7,
                 from /usr/lib/gcc-cross/arm-linux-gnueabi/5/include-fixed/limits.h:34,
                 from ../include/mbedtls/check_config.h:30,
                 from ../include/mbedtls/build_info.h:81,
                 from common.h:26,
                 from asn1write.c:20:
/usr/include/features.h:367:25: fatal error: sys/cdefs.h: No such file or directory

There are two packages to choose from: armhf or armel. Since the comment
in all.sh says we're trying to be close to Debian's "armel"
architecture, choose that, and fix a comment that was mentioning
gnueabihf for no apparent reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-08-03 11:19:59 +02:00
Manuel Pégourié-Gonnard
3a6c76937a Add arm-linux-gnueabi-gcc build to all.sh
Currently it can't be mandatory, since we can't install the required toolchain
on Jenkins right away.

Also, while at it, remove `SHELL='sh -x'` from the other arm5vte component; it
was a leftover from debugging.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-08-03 11:19:59 +02:00
Gilles Peskine
c111e24292 Improve the detection of keep-going commands
Have simpler patterns related to 'test' (the central objective being to keep
going if 'make test' or 'tests/...' fails, but not if 'make tests' fails).

Add 'cd' as a can't-keep-going command.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-02 23:29:53 +02:00
Gilles Peskine
88a7c2b32e Improve --error-test reporting
Count invocations from 1 to n instead of n to 1.

Explain how changing the loop variable would cause an error if the function
was not executed in a subshell.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-02 23:28:00 +02:00
Gilles Peskine
ec135544c8 Clarify some comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-02 23:27:42 +02:00
Hanno Becker
6c53ecc01d all.sh: Run basic TLS 1.3 with and without record padding
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:54:03 +01:00
Gilles Peskine
568f53a9d8 Don't unconditionally restore **/Makefile
all.sh restores **/Makefile from git in case the version in the worktree was
from doing a cmake in-tree build. Instead of doing this unconditionally, do
it only if the toplevel Makefile seems to have been automatically
generated (by cmake or otherwise, e.g. by mbedtls-prepare-build). This way
all.sh no longer silently wipes changes made to Makefile but not committed yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-12 18:19:39 +02:00
Gilles Peskine
f83eb82a4d Don't restore *config.h before backing it up
Back up the config files at the beginning of all.sh, rather than before each
component. In particular, create the backup before running cleanup for the
first time. This fixes #3139 (all.sh using a config.h.bak from a previous
job), and makes all.sh more robust against accidentally using a modified
config.h midway through because a component messed with the backup.

Use a different extension (*.all.bak rather than *.bak) for the backups.
This is necessary to ensure that auxiliary scripts such as depends*.pl that
make their own backup don't remove all.sh's backup, which the code from this
commit does not support.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-12 18:19:31 +02:00
Gilles Peskine
03ab544832 Generate cpp_cummy_build.cpp dynamically
Generate programs/test/cpp_dummy_build.cpp dynamically instead of
maintaining it manually. This removes the need to update it when the list of
headers changes.

Include all the headers unconditionally except for the ones that cannot be
included directly.

Support this dynamic generation both with make and with cmake.

Adapt all.sh accordingly. Remove the redundant C build from
component_build_default_make_gcc_and_cxx (it was also done in
component_test_default_out_of_box), leaving a component_test_make_cxx. Also
run the C++ program, because why not. Do this in the full configuration
which may catch a bit more problems in headers.

Fixes #2570 for good.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-12 18:19:31 +02:00
Gilles Peskine
7238503642 Heed --quiet when running make generated_files
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-12 18:19:31 +02:00
Gilles Peskine
88a07457c7 Remove barely-used redirect functions
redirect_out was no longer used and redirect_err was only used to
quiet dd. Change the dd invocation to only print diagnostics on
error (on platforms where this is possible).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-12 18:19:31 +02:00
Gilles Peskine
aca0b32132 Keep going after a shell "[" a.k.a. "test" fails
This is necessary to actually keep going and finish the
component-specific cleanup in component_test_cmake_out_of_source if
ssl-opt.err is non-empty.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-12 18:19:31 +02:00
Gilles Peskine
c2e22ee271 Remove code that is useless now that components run in a subshell
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:49:19 +02:00
Gilles Peskine
b80f0d20ea Complain if an unsupported component is explicitly requested
In all.sh, when an explicit list of components is specified, error out
if one of the components is not known or not supported. Patterns that
happen to match zero components are still effectively ignored.

Fix #2783

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:49:11 +02:00
Gilles Peskine
a681c59d34 Better not function
In the `not` function, in keep-going mode, arrange to report the
failing command (rather than `"$@"`).

Note that the `!` keyword should not be used, because failures with
`!` are not reported properly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:48:26 +02:00
Gilles Peskine
fec30cbe8c Fix double reporting when the last command of a function fails
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:44:46 +02:00
Gilles Peskine
1f0cdaf3af Stop dispatching through obsolete functions
Remove the obsolete functions record_status and if_build_succeeded.
They didn't affect error detection, but they made error reporting
worse since $BASH_COMMAND would be the unexpanded "$@".

Keep the function definitions for the sake of pull requests using them
that may still be in flight.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:44:36 +02:00
Gilles Peskine
f7e956c85c component_test_cmake_out_of_source: simplify and fix error handling
Remove ssl-opt.err even if it's empty.

Call cat unconditionally: it'll have no visible effect if the file is
empty.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:07:44 +02:00
Gilles Peskine
3664780f98 Detect errors on the left-hand side of a pipeline
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:07:36 +02:00
Gilles Peskine
ce266c48bb Run each component in a subshell and handle errors more robustly
This commit completely rewrites keep-going mode. Instead of relying
solely on "set -e", which has some subtle limitations (such as being
off anywhere inside a conditional), use an ERR trap to record errors.

Run each component in a subshell. This way a component can set
environment variables, change the current directory, etc., without
affecting other components.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 18:07:20 +02:00
Gilles Peskine
5d99682a8c Add --error-test option to test error detection and reporting
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 17:35:19 +02:00
Gilles Peskine
62cf2e8e9f Switch all.sh to bash
This will let us use bash features that are not found in some other sh
implementations, such as DEBUG and ERR traps, "set -o pipefail", etc.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-08 17:35:19 +02:00
Bence Szépkúti
414d6bd424 Fix pre-existing typo in comment
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 14:11:11 +01:00
Bence Szépkúti
bb0cfeb2d4 Rename config.h to mbedtls_config.h
This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^ChangeLog' | xargs sed -b -E -i '
s/((check|crypto|full|mbedtls|query)_config)\.h/\1\nh/g
s/config\.h/mbedtls_config.h/g
y/\n/./
'
mv include/mbedtls/config.h include/mbedtls/mbedtls_config.h
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:33 +01:00
Dave Rodgman
10bda58b49
Merge pull request #4259 from CJKay/cmake-config
Add CMake package config file
2021-06-25 20:32:13 +01:00
Ronald Cron
3698fa1043
Merge pull request #4673 from gilles-peskine-arm/psa_crypto_spm-from_platform_h
Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
2021-06-25 09:01:08 +02:00
Manuel Pégourié-Gonnard
32750ef5c2
Merge pull request #4685 from mpg/improve-all-sh-robustness
all.sh: Clean up old files before generating them
2021-06-22 11:14:49 +02:00
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
Manuel Pégourié-Gonnard
87db8a2676 Clean up old files before generating them
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:30:14 +02:00
Gilles Peskine
a354867399 In the SPM test build, fail if a symbol wasn't renamed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:40:51 +02:00
Gilles Peskine
d1dcfd53aa Do a test build with MBEDTLS_PSA_CRYPTO_SPM
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:40:51 +02:00
Manuel Pégourié-Gonnard
d51aaad4c9 Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
It was used to remove the code used when mbedtls_ecp_mul() received a
NULL RNG parameter. This code is no longer relevant (as the RNG may no
longer be NULL) and will be unconditionally removed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Gilles Peskine
1628a9c140 MBEDTLS_DEBUG_C is compatible with every whole-module ALT except DHM
It would be possible to make SSL debugging compatible with MBEDTLS_DHM_ALT,
but too much low-priority work right now, so don't require it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
5c3f18d37c MBEDTLS_PK_PARSE_EC_EXTENDED is incompatible with MBEDTLS_ECP_ALT
... unless the alt implementation defines a group structure that's mostly
compatible with the built-in one and supports partially filled group
structures in the same way.

It would be possible to rewrite the SpecifiedECDomain parsing code to avoid
requiring support for partially filled group structures, but that's too
complicated to do now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:13:02 +02:00
Gilles Peskine
cc73cc55e8 Test the build with whole-module alternative implementations
Use headers defining dummy context types.

The test does not pass yet. I plan to fix this in subsequent commits.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:18 +02:00
TRodziewicz
0730cd5d9e Merge branch 'development' into Remove__CHECK_PARAMS_option 2021-06-07 15:41:49 +02:00
Chris Kay
d259e347e6 Add CMake package config file
This change enables automatic detection and consumption of Mbed TLS
library targets from within other CMake projects. By generating an
`MbedTLSConfig.cmake` file, consuming projects receive a more complete
view of these targets, allowing them to be used as dependencies which
properly inherit the transitive dependencies of the libraries.

This is fairly fragile, as it seems Mbed TLS's libraries do not appear
to properly model their dependencies on other targets, including
third-party dependencies. It is, however, sufficient for building and
linking the compiled Mbed TLS libraries when there are no third-party
dependencies involved. Further work is needed for more complex
use-cases, but this will likely meet the needs of most projects.

Resolves #298. Probably useful for #2857.

Signed-off-by: Chris Kay <chris.kay@arm.com>
2021-06-04 16:02:48 +01:00
Manuel Pégourié-Gonnard
f9f9cc217c
Merge pull request #4579 from tom-daubney-arm/rm_ecdh_legacy_context_config_option
Remove `MBEDTLS_ECDH_LEGACY_CONTEXT` config option
2021-06-04 10:02:59 +02:00
Thomas Daubney
42aaf7a718 Removes component_test_new_ecdh_context in all.sh
Commit removes the
component_test_new_new_ecdh_context in all.sh.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 17:48:40 +01:00
Thomas Daubney
8f4eacaac6 Removes MBEDTLS_ECDH_LEGACY_CONTEXT from config.h
Commit removes the definition of
MBEDTLS_ECDH_LEGACY_CONTEXT from config.h.
Additionally removes the unset calls to
MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 15:28:26 +01:00
Ronald Cron
875b5fb7fa Refactor optional parameter check tests
Remove tests related to NULL pointers,
keep tests related to invalid enum values.
Remove test code related to MBEDTLS_CHECK_PARAMS.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-27 17:27:14 +02:00
Ronald Cron
142c205ffc
Merge pull request #4513 from Patater/psa-without-genprime-fix
psa: Support RSA signature without MBEDTLS_GENPRIME
2021-05-27 14:19:24 +02:00
TRodziewicz
28126050f2 Removal of constants and functions and a new ChangeLog file
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:48:12 +02:00
Jaeden Amero
424fa93efd psa: Support RSA signature without MBEDTLS_GENPRIME
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-20 17:08:59 +01:00
Gilles Peskine
eb30b0cc39 Merge remote-tracking branch 'upstream-public/development' into no-generated-files-3.0
Conflicts: generated files that are removed in this branch and have
changed in development. Resolved by keeping the files removed.
2021-05-20 10:40:48 +02:00
Gilles Peskine
67debb6161 Test check-generated-files.sh
Re-create a component check_generated_files. Unlike the old one, which checked
that the generated files were up-to-date, the job of the new one is to check
that tests/scripts/check-generated-files.sh works (at least to the extent of
not errorring out).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Gilles Peskine
1570b59bcc Generate source files before running any components
Now that generated source files are no longer checked in version
control, they must be generated before running any tests.

Do not check the generated files for freshness: it's no longer relevant.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Manuel Pégourié-Gonnard
729fa5be88
Merge pull request #4450 from mstarzyk-mobica/remove_null_entropy
Remove MBEDTLS_TEST_NULL_ENTROPY config option.
2021-05-20 09:19:55 +02:00
Ronald Cron
eb3e463380
Merge pull request #4247 from stevew817/dispatch_mac_operations
Dispatch MAC operations through the driver interface
Only API-ABI checking job failing which is expected thus CI OK.
2021-05-11 17:56:50 +02:00
Mateusz Starzyk
72f60dfcc1 Remove MBEDTLS_TEST_NULL_ENTROPY config option.
Building the library without entropy sources negates any and all security
provided by the library.
This option was originally requested a relatively long time ago and it
does not provide any tangible benefit for users any more.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-11 13:15:19 +02:00
Steven Cooreman
7515e7535d Add CMAC and HMAC driver testing to all.sh
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Manuel Pégourié-Gonnard
b548cda1cf
Merge pull request #4397 from TRodziewicz/change_config_h_defaults
Four config.h defaults have been changed.
2021-05-07 12:42:39 +02:00
TRodziewicz
89f98c2556 Removal of wrongly placed unset
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-29 14:08:09 +02:00
TRodziewicz
2add5c13ea On second thought changing the way the test is run
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-28 16:50:20 +02:00
Tomasz Rodziewicz
e66f49c3ce
Merge branch 'development_3.0' into change_config_h_defaults 2021-04-28 16:37:27 +02:00
Chris Jones
856db5f722 Remove merge conflict marker
Remove a merge conflict marker that was missed in `all.sh` and was causing
building to fail.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:38:24 +01:00
Hanno Becker
c5722d1fb1 Add missing MBEDTLS_X509_REMOVE_INFO guards to ssl-opt.sh
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:20:56 +01:00
Dave Rodgman
12f93f4fc2
Merge pull request #4407 from ARMmbed/dev3_signoffs
Merge development_3.0 into development
2021-04-26 19:48:16 +01:00
TRodziewicz
1f98424508 Correction fixing the test_when_no_ciphersuites_have_mac falure
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-23 14:57:39 +02:00
TRodziewicz
7c1d41da52 Correction fixing the test_everest_curve25519_only falure
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-23 13:33:44 +02:00
Mateusz Starzyk
a58625f90d Remove optional SHA-1 in the default TLS configuration.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-16 18:39:10 +02:00
Steven Cooreman
6801f08973 Implement support for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:04:26 +02:00
Mateusz Starzyk
c301bd56f0 Merge branch 'development_3.0' into drop_old_tls_options 2021-04-15 13:55:20 +02:00
Mateusz Starzyk
f5c535139d Remove remaining comments and strings refering to removed features.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-15 13:28:52 +02:00
Dave Rodgman
73e3e2cb1a Merge remote-tracking branch 'origin/development' into development_new
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

Conflicts:
        include/mbedtls/check_config.h: nearby edits
	library/entropy.c: nearby edits
	programs/random/gen_random_havege.c: modification vs. removal
	programs/ssl/ssl_test_lib.h: nearby edits
	programs/test/cpp_dummy_build.cpp: nearby edits
	visualc/VS2010/mbedTLS.vcxproj: automatically generated file,
            regenerated with scripts/generate_visualc_files.pl
2021-04-07 16:31:09 +01:00
Ronald Cron
e6f6301390 psa: Add cipher accelerator flags to test_psa_crypto_drivers
Add cipher accelerator compilation flags to
test_psa_crypto_drivers() all.sh component. The flags
are not necessary currently but may become.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-26 15:48:13 +01:00
Ronald Cron
067de3b5ea tests: psa: Test cipher operations by a transparent driver
Test cipher operations by a transparent driver in all.sh
test_psa_crypto_config_basic and
test_psa_crypto_drivers components.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-26 15:48:13 +01:00
Mateusz Starzyk
e204dbf272 Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
a3a9984a5d Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:51 +01:00
Mateusz Starzyk
06b07fb839 Drop support for SSLv3.
Remove options: MBEDTLS_SSL_MINOR_VERSION_0 and
MBEDTLS_SSL_PROTO_SSL3).

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:19:05 +01:00
Steven Cooreman
753f973f87 Use full config during driver testing
Due to the way the test drivers are setup, we require the full setup.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-15 12:14:40 +01:00
Steven Cooreman
d50db945c4 Add hash acceleration driver testing
Test hash algorithm functions when called through a transparent
driver in all.sh test_psa_crypto_config_basic and
test_psa_crypto_drivers components.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-10 13:03:36 +01:00
Manuel Pégourié-Gonnard
17605f072b
Merge pull request #4151 from ronald-cron-arm/psa-sign_verify-hash
PSA sign and verify hash rework
2021-03-10 10:08:50 +01:00
Dave Rodgman
d6ee36ed04
Merge pull request #4110 from gilles-peskine-arm/psa-external-random-in-mbedtls
Expose the PSA RNG in mbedtls
2021-02-22 14:47:29 +00:00
Ronald Cron
17b3afcc33 tests: psa: Test sign/verify hash by a transparent driver
Test signature and signature verification by a transparent
driver in all.sh test_psa_crypto_config_basic and
test_psa_crypto_drivers components.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-18 15:45:12 +01:00
Gilles Peskine
38c12fd48e In external_rng tests, disable the entropy module
The point of having an external RNG is that you can disable all
built-in RNG functionality: both the entropy part and the DRBG part.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:46:06 +01:00
Gilles Peskine
8eb2943705 Support mbedtls_psa_get_random() in SSL test programs
The SSL test programs can now use mbedtls_psa_get_random() rather than
entropy+DRBG as a random generator. This happens if
the configuration option MBEDTLS_USE_PSA_CRYPTO is enabled, or if
MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is set at build time.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:39:48 +01:00
Ronald Cron
761905e7a3 tests: psa config: Extend tests to RSA keys
Extend import/export/generate key through a PSA
transparent driver without software fallback
testing to RSA keys.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:07:46 +01:00
Ronald Cron
5cd00d28bf
Merge pull request #4092 from ronald-cron-arm/psa-crypto-client
Psa crypto client
2021-02-15 10:46:35 +01:00
Mateusz Starzyk
0fdcc8eee9 Remove Havege module.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-02-11 14:17:07 +01:00
Gilles Peskine
2747d7dc60 Duplicate no-DRBG tests: with and without MBEDTLS_USE_PSA_CRYPTO
Whether MBEDTLS_USE_PSA_CRYPTO is enabled makes a significant
difference with respect to how random generators are used (and, for
no-HMAC_DRBG, how ECDSA signature is dispatched), so test both with
and without it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-03 15:50:46 +01:00
Ronald Cron
80eaa93b59 tests: psa: Reactivate and expand key management through test driver
The compilation guards in key_management.c are now
accelerator compilation guards (MBEDTLS_PSA_ACCEL_KEY_TYPE_xyz).

As a consequence when running the PSA driver wrapper
tests as part of test_psa_crypto_config_basic
and test_psa_crypto_drivers all.sh components all
key management cryptographic operations were handled by
the software builtin fallback, and not by the test driver
as intended in the first place.

This commits fixes this issue by:
. declaring an accelerator for ECC key pairs in
  test_psa_crypto_config_basic.
. declaring an accelerator for both ECC and RSA
  key pairs in test_psa_crypto_drivers.

It is possible to declare an accelerator for both
ECC and RSA key pairs in test_psa_crypto_drivers
and not in test_psa_crypto_config_basic because
in the case of test_psa_crypto_drivers the new
PSA configuration is not activated. That way,
the builtin fallback software implementation
is present to supply the transparent test driver
when some support is missing in it (mainly
RSA key generation).

Note that the declaration of accelerators does
much more than just "fixing" the execution flow of
driver wrapper tests, it makes all import and public
key export cryptographic operations in all unit
tests being handled by the transparent test driver
(provided that it supports the key type).

One test case related to key generation is
partially disabled. This will be fixed with the
rework of psa_generate_key along the lines
described in psa-crypto-implementation-structure.md.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-02 11:38:50 +01:00
Ronald Cron
336678bccc tests: psa: Test PSA client-only code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-01 13:17:23 +01:00
Gilles Peskine
a222434952 Test SSL with non-deterministic ECDSA
In component_test_no_hmac_drbg, the fact that HMAC_DRBG is disabled
doesn't affect the SSL code, but the fact that deterministic ECDSA is
disabled does. So run some ECDSA-related SSL tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 20:31:24 +01:00
Gilles Peskine
ba74904c48 SSL test programs: support HMAC_DRBG
Support HMAC_DRBG in ssl_client2 and ssl_server2, in addition to
CTR_DRBG. CTR_DRBG is still used if present, but it's now possible to
run the SSL test programs with CTR_DRBG disabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 20:30:03 +01:00
Gilles Peskine
a51e1dbe76
Merge pull request #3895 from gilles-peskine-arm/psa-external-random
Alternative random generator support for PSA
2021-01-06 17:09:11 +01:00
John Durkop
1b7ee05461 Added tests to confirm hash support for crypto config
New tests have been added for all the hash algorithms to
confirm they compile correctly when using PSA_WANT and
accelerator guards.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-27 08:51:22 -08:00
Gilles Peskine
c109b37b07 Test MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Add two builds with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG to all.sh:
* full minus all DRBG (validates that PSA can work without any of the
  DRBG modules).
* with MBEDTLS_USE_PSA_CRYPTO and no CTR_DRBG (validates that PSA can
  work without CTR_DRBG, and that it works for USE_PSA_CRYPTO).

The goal is to exercise default/full, with/out USE_PSA_CRYPTO, and
with/out deterministic ECDSA (which requires HMAC_DRBG). The choice of
pairing is rather arbitrary.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
82e57d1611 PSA: support HMAC_DRBG
Support using HMAC_DRBG instead of CTR_DRBG in the PSA subsystem.

Use HMAC_DRBG if CTR_DRBG is available. Choose between SHA-256 and
SHA-512 based on availability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
662deb38d6
Merge pull request #3547 from ronald-cron-arm/psa-openless
Openless PSA crypto APIs implementation
2020-11-20 18:48:33 +01:00
Gilles Peskine
9a68810405
Merge pull request #3830 from jdurkop/psa-crypto-config-phase2
Phase 2 support for MBDTLS_PSA_CRYPTO_CONFIG
2020-11-19 09:32:23 +01:00
John Durkop
07cc04a8ad Updates to PSA crypto library based on review comments
Moved new check_crypto_config.h file from include/psa to library
directory and the file is now included from *.c instead of the
crypto_config.h file. Fixed guards in PSA crypto library based
on review comments for new PSA crypto config features.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-18 08:09:49 -08:00
John Durkop
6ba40d1faa Corrected guards in PSA library based on review comments
Revised the placement of various new MBEDTLS_PSA_BUILTIN_xxx
guards based on review comments. Corrected guards in psa
test driver to use _ACCEL version instead of _BUILTIN version.
Updated check_config_psa.h to include additional dependency checks
for more algorithms. Renamed some of the new tests to be a little
more clear on the purpose.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-12 10:21:40 -08:00
Ronald Cron
c3623dbc76 State PSA_CRYPTO_KEY_ID_ENCODES_OWNER and USE_PSA_CRYPTO incompatibility
Code under MBEDTLS_USE_PSA_CRYPTO define is PSA client
code intended to use key identifiers of type psa_key_id_t.
Thus the MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
configuration option is incompatible with
MBEDTLS_USE_PSA_CRYPTO.

State this in config.h and check_config.h.

As a consequence:
. remove MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER from
  the full configuration, as MBEDTLS_USE_PSA_CRYPTO is
  part of it.

. add a new component in all.sh to keep testing the
  library when MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
  is set.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
John Durkop
9814fa2b08 Minor updates from review comments
Updated macros in config_psa.h that used ECC_xxx to use KEY_TYPE_ECC_xxx
per comments from review. Implemented a check_config_psa.h to help with
dependency checking of features enabled in config_psa.h. Added
check_config_psa.h to visual studio project.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
7fc75eac21 Enable all features in crypto_config.h
In order to pass existing tests like test_psa_crypto_config_basic
and test_psa_crypto_config_no_driver, all the new features need
to be enabled in the default crypto_config.h file. This change
enables those features by default and updates the other new
tests to compensate for everything being enabled by disabling
some features for some of the tests as needed.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
bd069d32e8 Enhanced testing for PSA crypto config features
Updated some of the test names to better reflect what they are testing.
Expanded the testing around RSA feature for PSA crypto config. Updated
the test script to support backing up and restoring the
include/psa/crypto_config.h file so that features can be individually
setup for each unique feature test.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
f4c4cb008c Added additional support for ECP for PSA_CRYPTO_CONFIG
The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously
being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change
moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR
and PUBLIC_KEY as needed. Tests have also been added to validate the new
settings.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:35 -08:00