Merge pull request #10319 from gilles-peskine-arm/move-check-config-to-library

check_config.h: move to library and test
2026-05-09 11:14:26 +02:00 · 2025-07-29 14:07:33 +00:00
parent bebe631b7f fff4b32324
commit d6f881e8ca
14 changed files with 93 additions and 3 deletions
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -123,4 +123,7 @@ component_check_test_helpers () {

    msg "unit test: translate_ciphers.py"
    python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
+
+    msg "unit test: generate_config_checks.py"
+    tests/scripts/test_config_checks.py 2>&1
 }
--- a/tests/scripts/test_config_checks.py
+++ b/tests/scripts/test_config_checks.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+"""Test the configuration checks generated by generate_config_checks.py.
+"""
+
+## Copyright The Mbed TLS Contributors
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import unittest
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_framework import unittest_config_checks
+
+
+class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
+    """Mbed TLS unit tests for checks generated by config_checks_generator."""
+
+    #pylint: disable=invalid-name # uppercase letters make sense here
+
+    PROJECT_CONFIG_C = 'library/mbedtls_config.c'
+    PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [
+        'tf-psa-crypto/include',
+        'tf-psa-crypto/drivers/builtin/include',
+    ]
+
+    @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.")
+    def test_crypto_no_fs_io(self) -> None:
+        """A sample error expected from crypto's check_config.h."""
+        self.bad_case('#undef MBEDTLS_FS_IO',
+                      None,
+                      error=('MBEDTLS_PSA_ITS_FILE_C'))
+
+    def test_mbedtls_no_session_tickets_for_early_data(self) -> None:
+        """An error expected from mbedtls_check_config.h based on the TLS configuration."""
+        self.bad_case(None,
+                      '''
+                      #define MBEDTLS_SSL_EARLY_DATA
+                      #undef MBEDTLS_SSL_SESSION_TICKETS
+                      ''',
+                      error=('MBEDTLS_SSL_EARLY_DATA'))
+
+    def test_mbedtls_no_ecdsa(self) -> None:
+        """An error expected from mbedtls_check_config.h based on crypto+TLS configuration."""
+        self.bad_case('''
+                      #undef PSA_WANT_ALG_ECDSA
+                      #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA
+                      #undef MBEDTLS_ECDSA_C
+                      ''',
+                      '''
+                      #if defined(PSA_WANT_ALG_ECDSA)
+                      #error PSA_WANT_ALG_ECDSA unexpected
+                      #endif
+                      #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)
+                      #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected
+                      #endif
+                      #if defined(MBEDTLS_ECDSA_C)
+                      #error MBEDTLS_ECDSA_C unexpected
+                      #endif
+                      ''',
+                      error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
+
+
+if __name__ == '__main__':
+    unittest.main()
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -11,6 +11,8 @@
 #include <test/ssl_helpers.h>
 #include "mbedtls/psa_util.h"

+#include <limits.h>
+
 #if defined(MBEDTLS_SSL_TLS_C)
 int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
 {