From 10eaf68acdbd37a6af4e129d42438cac8c55a09e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 19 Nov 2025 13:09:56 +0100 Subject: [PATCH 01/11] library: debug: remove mbedtls_debug_print_mpi() This function is no more used anywhere and can be safely removed. Signed-off-by: Valerio Setti --- library/debug.c | 56 -------------------------- library/debug_internal.h | 20 --------- tests/suites/test_suite_debug.data | 21 ---------- tests/suites/test_suite_debug.function | 39 ------------------ 4 files changed, 136 deletions(-) diff --git a/library/debug.c b/library/debug.c index 362c07981c..49188e9f66 100644 --- a/library/debug.c +++ b/library/debug.c 
@@ -167,57 +167,6 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, } } -#if defined(MBEDTLS_BIGNUM_C) -void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_mpi *X) -{ - char str[DEBUG_BUF_SIZE]; - size_t bitlen; - size_t idx = 0; - - if (NULL == ssl || - NULL == ssl->conf || - NULL == ssl->conf->f_dbg || - NULL == X || - level > debug_threshold) { - return; - } - - bitlen = mbedtls_mpi_bitlen(X); - - mbedtls_snprintf(str, sizeof(str), "value of '%s' (%u bits) is:\n", - text, (unsigned) bitlen); - debug_send_line(ssl, level, file, line, str); - - if (bitlen == 0) { - str[0] = ' '; str[1] = '0'; str[2] = '0'; - idx = 3; - } else { - int n; - for (n = (int) ((bitlen - 1) / 8); n >= 0; n--) { - size_t limb_offset = n / sizeof(mbedtls_mpi_uint); - size_t offset_in_limb = n % sizeof(mbedtls_mpi_uint); - unsigned char octet = - (X->p[limb_offset] >> (offset_in_limb * 8)) & 0xff; - mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x", octet); - idx += 3; - /* Wrap lines after 16 octets that each take 3 columns */ - if (idx >= 3 * 16) { - mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n"); - debug_send_line(ssl, level, file, line, str); - idx = 0; - } - } - } - - if (idx != 0) { - mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n"); - debug_send_line(ssl, level, file, line, str); - } -} -#endif /* MBEDTLS_BIGNUM_C */ - #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) 
@@ -412,11 +361,6 @@ static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf(name, sizeof(name), "%s%s", text, items[i].name); name[sizeof(name) - 1] = '\0'; -#if defined(MBEDTLS_RSA_C) - if (items[i].type == MBEDTLS_PK_DEBUG_MPI) { - mbedtls_debug_print_mpi(ssl, level, file, line, name, items[i].value); - } else -#endif /* MBEDTLS_RSA_C */ #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) if (items[i].type == MBEDTLS_PK_DEBUG_PSA_RSA) { mbedtls_debug_print_psa_rsa(ssl, level, file, line, name, items[i].value); diff --git a/library/debug_internal.h b/library/debug_internal.h index 79a4c4540c..d09e492094 100644 --- a/library/debug_internal.h +++ b/library/debug_internal.h @@ -71,26 +71,6 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *text, const unsigned char *buf, size_t len); -#if defined(MBEDTLS_BIGNUM_C) -/** - * \brief Print a MPI variable to the debug output. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param text a name or label for the MPI being output. Normally the - * variable name - * \param X the MPI variable - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_mpi *X); -#endif - #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) /** * \brief Print a X.509 certificate structure to the debug output. This diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data index 0989e61089..800f0ff63b 100644 --- a/tests/suites/test_suite_debug.data +++ b/tests/suites/test_suite_debug.data 
@@ -46,27 +46,6 @@ mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A Debug print buffer #5 mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30":"MyFile(0999)\: dumping 'Test return value' (49 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................\nMyFile(0999)\: 0020\: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./\nMyFile(0999)\: 0030\: 30 0\n" -Debug print mbedtls_mpi: 0 (empty representation) -mbedtls_debug_print_mpi:"":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (0 bits) is\:\nMyFile(0999)\: 00\n" - -Debug print mbedtls_mpi: 0 (non-empty representation) -mbedtls_debug_print_mpi:"00000000000000":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (0 bits) is\:\nMyFile(0999)\: 00\n" - -Debug print mbedtls_mpi #2: 3 bits -mbedtls_debug_print_mpi:"00000000000007":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (3 bits) is\:\nMyFile(0999)\: 07\n" - -Debug print mbedtls_mpi: 49 bits -mbedtls_debug_print_mpi:"01020304050607":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (49 bits) is\:\nMyFile(0999)\: 01 02 03 04 05 06 07\n" - -Debug print mbedtls_mpi: 759 bits -mbedtls_debug_print_mpi:"0000000000000000000000000000000000000000000000000000000041379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (759 bits) is\:\nMyFile(0999)\: 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a 14\nMyFile(0999)\: 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90 ff\nMyFile(0999)\: e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c 09\nMyFile(0999)\: 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89 af\nMyFile(0999)\: 48 
e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b 52\nMyFile(0999)\: 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n" - -Debug print mbedtls_mpi: 764 bits #1 -mbedtls_debug_print_mpi:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n" - -Debug print mbedtls_mpi: 764 bits #2 -mbedtls_debug_print_mpi:"0000000000000000000000000000000000000000000000000000000941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n" - Debug print certificate #1 (RSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. 
version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n" diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 1d37137416..05b0112b93 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function 
@@ -283,42 +283,3 @@ exit: MD_OR_USE_PSA_DONE(); } /* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_BIGNUM_C */ -void mbedtls_debug_print_mpi(char *value, char *file, int line, - char *prefix, char *result_str) -{ - mbedtls_ssl_context ssl; - mbedtls_ssl_config conf; - struct buffer_data buffer; - mbedtls_mpi val; - - mbedtls_ssl_init(&ssl); - mbedtls_ssl_config_init(&conf); - mbedtls_mpi_init(&val); - MD_OR_USE_PSA_INIT(); - memset(buffer.buf, 0, 2000); - buffer.ptr = buffer.buf; - - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT), - 0); - mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); - - TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); - - TEST_ASSERT(mbedtls_test_read_mpi(&val, value) == 0); - - mbedtls_debug_print_mpi(&ssl, 0, file, line, prefix, &val); - - TEST_ASSERT(strcmp(buffer.buf, result_str) == 0); - -exit: - mbedtls_mpi_free(&val); - mbedtls_ssl_free(&ssl); - mbedtls_ssl_config_free(&conf); - MD_OR_USE_PSA_DONE(); -} -/* END_CASE */ From c6bf9d8200fdb206bcd21ae199fe93279862b843 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 19 Nov 2025 15:21:18 +0100 Subject: [PATCH 02/11] library: debug: use mbedtls_pk_write_pubkey_psa() to write public key Remove usage of mbedtls_pk_debug stuff and related functions (mbedtls_debug_print_psa_rsa(), mbedtls_debug_print_psa_ec(), mbedtls_debug_print_integer() and debug_count_valid_bits()) and use mbedtls_pk_write_pubkey_psa() to get the public key from the PK context. Signed-off-by: Valerio Setti --- library/debug.c | 211 +++--------------------------------------------- 1 file changed, 10 insertions(+), 201 deletions(-) diff --git a/library/debug.c b/library/debug.c index 49188e9f66..3e0ecd545e 100644 --- a/library/debug.c +++ b/library/debug.c 
@@ -168,211 +168,20 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, } #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) - -#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) -static void mbedtls_debug_print_integer(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, const char *text, - const unsigned char *buf, size_t bitlen) -{ - char str[DEBUG_BUF_SIZE]; - size_t i, len_bytes = PSA_BITS_TO_BYTES(bitlen), idx = 0; - - mbedtls_snprintf(str + idx, sizeof(str) - idx, "value of '%s' (%u bits) is:\n", - text, (unsigned int) bitlen); - - debug_send_line(ssl, level, file, line, str); - - for (i = 0; i < len_bytes; i++) { - if (i >= 4096) { - break; - } - - if (i % 16 == 0) { - if (i > 0) { - mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n"); - debug_send_line(ssl, level, file, line, str); - - idx = 0; - } - } - - idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x", - (unsigned int) buf[i]); - } - - if (len_bytes > 0) { - mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n"); - debug_send_line(ssl, level, file, line, str); - } -} -#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ - -#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) -static void mbedtls_debug_print_psa_ec(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_pk_context *pk) -{ - char str[DEBUG_BUF_SIZE]; - const uint8_t *coord_start; - size_t coord_len; - - if (NULL == ssl || - NULL == ssl->conf || - NULL == ssl->conf->f_dbg || - level > debug_threshold) { - return; - } - - /* For the description of pk->pk_raw content please refer to the description - * psa_export_public_key() function. 
*/ - coord_len = (pk->pub_raw_len - 1)/2; - - /* X coordinate */ - coord_start = pk->pub_raw + 1; - mbedtls_snprintf(str, sizeof(str), "%s(X)", text); - mbedtls_debug_print_integer(ssl, level, file, line, str, coord_start, coord_len * 8); - - /* Y coordinate */ - coord_start = coord_start + coord_len; - mbedtls_snprintf(str, sizeof(str), "%s(Y)", text); - mbedtls_debug_print_integer(ssl, level, file, line, str, coord_start, coord_len * 8); -} -#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ - -#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) -static size_t debug_count_valid_bits(unsigned char **buf, size_t len) -{ - size_t i, bits; - - /* Ignore initial null bytes (if any). */ - while ((len > 0) && (**buf == 0x00)) { - (*buf)++; - len--; - } - - if (len == 0) { - return 0; - } - - bits = len * 8; - - /* Ignore initial null bits (if any). */ - for (i = 7; i > 0; i--) { - if ((**buf & (0x1 << i)) != 0) { - break; - } - bits--; - } - - return bits; -} - -static void mbedtls_debug_print_psa_rsa(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_pk_context *pk) -{ - char str[DEBUG_BUF_SIZE]; - /* no-check-names will be removed in mbedtls#10229. */ - unsigned char key_der[MBEDTLS_PK_MAX_RSA_PUBKEY_RAW_LEN]; //no-check-names - unsigned char *start_cur; - unsigned char *end_cur; - size_t len, bits; - int ret; - - if (NULL == ssl || - NULL == ssl->conf || - NULL == ssl->conf->f_dbg || - level > debug_threshold) { - return; - } - - if (pk->pub_raw_len > sizeof(key_der)) { - snprintf(str, sizeof(str), - "RSA public key too large: %" MBEDTLS_PRINTF_SIZET " > %" MBEDTLS_PRINTF_SIZET, - pk->pub_raw_len, sizeof(key_der)); - debug_send_line(ssl, level, file, line, str); - return; - } - - memcpy(key_der, pk->pub_raw, pk->pub_raw_len); - start_cur = key_der; - end_cur = key_der + pk->pub_raw_len; - - /* This integer parsing solution should be replaced with mbedtls_asn1_get_integer(). - * See #10238. 
*/ - ret = mbedtls_asn1_get_tag(&start_cur, end_cur, &len, - MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED); - if (ret != 0) { - return; - } - - ret = mbedtls_asn1_get_tag(&start_cur, end_cur, &len, MBEDTLS_ASN1_INTEGER); - if (ret != 0) { - return; - } - - bits = debug_count_valid_bits(&start_cur, len); - if (bits == 0) { - return; - } - len = PSA_BITS_TO_BYTES(bits); - - mbedtls_snprintf(str, sizeof(str), "%s.N", text); - mbedtls_debug_print_integer(ssl, level, file, line, str, start_cur, bits); - - start_cur += len; - - ret = mbedtls_asn1_get_tag(&start_cur, end_cur, &len, MBEDTLS_ASN1_INTEGER); - if (ret != 0) { - return; - } - - bits = debug_count_valid_bits(&start_cur, len); - if (bits == 0) { - return; - } - - mbedtls_snprintf(str, sizeof(str), "%s.E", text); - mbedtls_debug_print_integer(ssl, level, file, line, str, start_cur, bits); -} -#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ - static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *text, const mbedtls_pk_context *pk) { - size_t i; - mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS]; - char name[16]; + unsigned char buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; + size_t buf_len; + int ret; - memset(items, 0, sizeof(items)); - - if (mbedtls_pk_debug(pk, items) != 0) { - debug_send_line(ssl, level, file, line, - "invalid PK context\n"); - return; - } - - for (i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++) { - if (items[i].type == MBEDTLS_PK_DEBUG_NONE) { - return; - } - - mbedtls_snprintf(name, sizeof(name), "%s%s", text, items[i].name); - name[sizeof(name) - 1] = '\0'; - -#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) - if (items[i].type == MBEDTLS_PK_DEBUG_PSA_RSA) { - mbedtls_debug_print_psa_rsa(ssl, level, file, line, name, items[i].value); - } else -#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ -#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) - if (items[i].type == MBEDTLS_PK_DEBUG_PSA_EC) { - mbedtls_debug_print_psa_ec(ssl, level, file, line, name, 
items[i].value); - } else -#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ - { debug_send_line(ssl, level, file, line, - "should not happen\n"); } + ret = mbedtls_pk_write_pubkey_psa(pk, buf, sizeof(buf), &buf_len); + if (ret == 0) { + mbedtls_debug_print_buf(ssl, level, file, line, text, buf, buf_len); + } else { + mbedtls_debug_print_msg(ssl, level, file, line, + "failed to export public key from PK context"); } } @@ -424,7 +233,7 @@ void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level, mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt); debug_print_line_by_line(ssl, level, file, line, buf); - debug_print_pk(ssl, level, file, line, "crt->", &crt->pk); + debug_print_pk(ssl, level, file, line, "crt->PK", &crt->pk); crt = crt->next; } From f1cb45289bbc10c6543e7c18bb2d0d2eb56a97ab Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 19 Nov 2025 18:20:07 +0100 Subject: [PATCH 03/11] library: debug: improve mbedtls_debug_print_buf() Move single line printing to a separate function named mbedtls_debug_print_buf_one_line(). This accepts one extra parameter 'add_text' to tell if the final text chars are to be printed at the end of the line or not. Add also mbedtls_debug_print_buf_ext() as a generalized version of mbedtls_debug_print_buf() by adding the extra 'add_text' param. debug_print_pk() will now use mbedtls_debug_print_buf_ext() in order not to print chars while dumping the buffer. Signed-off-by: Valerio Setti --- library/debug.c | 92 ++++++++++++++++++++++++++++--------------------- 1 file changed, 52 insertions(+), 40 deletions(-) diff --git a/library/debug.c b/library/debug.c index 3e0ecd545e..561ce5128f 100644 --- a/library/debug.c +++ b/library/debug.c 
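Review bot: The failure branch of the new `debug_print_pk()` discards `ret`, so the log records that the export failed but not why (for example an output buffer that is too small versus a PK context with no usable key). `mbedtls_debug_print_msg()` takes a format string, so the call could be `mbedtls_debug_print_msg(ssl, level, file, line, "failed to export public key from PK context (ret=%d)", ret);`. A short comment above the function would also help: it should say that the dump is the unparsed output of `mbedtls_pk_write_pubkey_psa()`, which, judging by the test data updated later in this series, is a DER structure for RSA and an uncompressed point for EC, now that the `.N`/`.E`/`Q(X)`/`Q(Y)` labels are gone.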
@@ -112,14 +112,41 @@ void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level, debug_send_line(ssl, level, file, line, str); } -void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, const char *text, - const unsigned char *buf, size_t len) +#define MBEDTLS_DEBUG_PRINT_BUF_NO_TEXT 0 +#define MBEDTLS_DEBUG_PRINT_BUF_ADD_TEXT 1 + +static void mbedtls_debug_print_buf_one_line(char *out_buf, size_t out_size, + const unsigned char *in_buf, size_t in_size, + int add_text) { - char str[DEBUG_BUF_SIZE]; - char txt[17]; + char txt[17] = { 0 }; size_t i, idx = 0; + for (i = 0; i < 16; i++) { + if (i < in_size) { + idx += mbedtls_snprintf(out_buf + idx, out_size - idx, " %02x", + (unsigned int) in_buf[i]); + txt[i] = (in_buf[i] > 31 && in_buf[i] < 127) ? in_buf[i] : '.'; + } else { + /* Just add spaces until the end of the line */ + idx += mbedtls_snprintf(out_buf + idx, out_size - idx, " "); + } + } + + if (add_text) { + idx += mbedtls_snprintf(out_buf + idx, out_size - idx, " %s", txt); + } + mbedtls_snprintf(out_buf + idx, out_size - idx, "\n"); +} + +static void mbedtls_debug_print_buf_ext(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, const char *text, + const unsigned char *buf, size_t len, + int add_text) +{ + char str[DEBUG_BUF_SIZE] = { 0 }; + size_t curr_offset = 0, idx = 0, chunk_len; + if (NULL == ssl || NULL == ssl->conf || NULL == ssl->conf->f_dbg || 
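Review bot: `mbedtls_debug_print_buf_one_line()` takes a caller-supplied `out_size`, yet every `idx += mbedtls_snprintf(out_buf + idx, out_size - idx, ...)` assumes the write was never truncated. Assuming standard snprintf semantics, the return value is the length that would have been written, so once `idx` exceeds `out_size` the `size_t` subtraction wraps and the next call is handed a huge size at an out-of-range pointer; a negative return has the same effect. The one caller in this series passes a size derived from `DEBUG_BUF_SIZE`, which is presumably large enough for a 16-byte row, so this looks latent rather than reachable, but the helper should keep the return value in an `int` and stop on `ret < 0 || (size_t) ret >= out_size - idx` before adding it to `idx`. The body of `mbedtls_debug_print_buf_ext()` continues outside this hunk.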
@@ -127,46 +154,30 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, return; } - mbedtls_snprintf(str + idx, sizeof(str) - idx, "dumping '%s' (%u bytes)\n", - text, (unsigned int) len); - + mbedtls_snprintf(str, sizeof(str), "dumping '%s' (%zu bytes)\n", text, len); debug_send_line(ssl, level, file, line, str); - memset(txt, 0, sizeof(txt)); - for (i = 0; i < len; i++) { - if (i >= 4096) { - break; - } - - if (i % 16 == 0) { - if (i > 0) { - mbedtls_snprintf(str + idx, sizeof(str) - idx, " %s\n", txt); - debug_send_line(ssl, level, file, line, str); - - idx = 0; - memset(txt, 0, sizeof(txt)); - } - - idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, "%04x: ", - (unsigned int) i); - - } - - idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x", - (unsigned int) buf[i]); - txt[i % 16] = (buf[i] > 31 && buf[i] < 127) ? buf[i] : '.'; - } - - if (len > 0) { - for (/* i = i */; i % 16 != 0; i++) { - idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " "); - } - - mbedtls_snprintf(str + idx, sizeof(str) - idx, " %s\n", txt); + while (len > 0) { + memset(str, 0, sizeof(str)); + idx = mbedtls_snprintf(str, sizeof(str), "%04zx: ", curr_offset); + chunk_len = (len >= 16) ? 16 : len; + mbedtls_debug_print_buf_one_line(str + idx, sizeof(str) - idx, + &buf[curr_offset], chunk_len, + add_text); debug_send_line(ssl, level, file, line, str); + curr_offset += 16; + len -= chunk_len; } } +void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, const char *text, + const unsigned char *buf, size_t len) +{ + mbedtls_debug_print_buf_ext(ssl, level, file, line, text, buf, len, + MBEDTLS_DEBUG_PRINT_BUF_ADD_TEXT); +} + #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, const char *file, int line, 
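Review bot: The rewritten loop drops the old `if (i >= 4096) break;` cap, so `mbedtls_debug_print_buf_ext()` now emits one debug line per 16 bytes for the whole of `len`, and the commit message does not mention this change. Whether any caller passes a larger buffer is not visible here, but the cap bounded how much a single call could push through the application's debug callback. If the change is not intended, `if (len > 4096) { len = 4096; }` after the header line is sent restores the old behaviour while still reporting the full length in the header. If it is intended, a comment on the `while` loop should say so. The function's opening lines are in the previous hunk.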
@@ -178,7 +189,8 @@ static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, ret = mbedtls_pk_write_pubkey_psa(pk, buf, sizeof(buf), &buf_len); if (ret == 0) { - mbedtls_debug_print_buf(ssl, level, file, line, text, buf, buf_len); + mbedtls_debug_print_buf_ext(ssl, level, file, line, text, buf, buf_len, + MBEDTLS_DEBUG_PRINT_BUF_NO_TEXT); } else { mbedtls_debug_print_msg(ssl, level, file, line, "failed to export public key from PK context"); From 3c419c1ca36042bf5c630b3e253ba87d8a78112b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 19 Nov 2025 18:22:33 +0100 Subject: [PATCH 04/11] tests: scripts: adjust CRT dump test data Adjust dumping format of public keys following recent updates to mbedtls_debug_print_crt() and debug_print_pk() Signed-off-by: Valerio Setti --- tests/suites/test_suite_debug.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data index 800f0ff63b..0e2163be9f 100644 --- a/tests/suites/test_suite_debug.data +++ b/tests/suites/test_suite_debug.data 
@@ -48,8 +48,8 @@ mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A Debug print certificate #1 (RSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO -mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n" 
+mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: dumping 'crt->PK' (270 bytes)\nMyFile(0999)\: 0000\: 30 82 01 0a 02 82 01 01 00 a9 02 1f 3d 40 6a d5\nMyFile(0999)\: 0010\: 55 53 8b fd 36 ee 82 65 2e 15 61 5e 89 bf b8 e8\nMyFile(0999)\: 0020\: 45 90 db ee 88 16 52 d3 f1 43 50 47 96 12 59 64\nMyFile(0999)\: 0030\: 87 6b fd 2b e0 46 f9 73 be dd cf 92 e1 91 5b ed\nMyFile(0999)\: 0040\: 66 a0 6f 89 29 79 45 80 d0 83 6a d5 41 43 77 5f\nMyFile(0999)\: 0050\: 39 7c 09 04 47 82 b0 57 39 70 ed a3 ec 15 19 1e\nMyFile(0999)\: 0060\: a8 33 08 47 c1 05 42 a9 fd 4c c3 b4 df dd 06 1f\nMyFile(0999)\: 0070\: 4d 10 51 40 67 73 13 0f 40 f8 6d 81 25 5f 0a b1\nMyFile(0999)\: 0080\: 53 c6 30 7e 15 39 ac f9 5a ee 7f 92 9e a6 05 5b\nMyFile(0999)\: 0090\: e7 13 97 85 b5 23 92 d9 d4 24 06 d5 09 25 89 75\nMyFile(0999)\: 00a0\: 07 dd a6 1a 8f 3f 09 19 be ad 65 2c 64 eb 95 9b\nMyFile(0999)\: 00b0\: dc fe 41 5e 17 a6 da 6c 5b 69 cc 02 ba 14 2c 16\nMyFile(0999)\: 00c0\: 24 9c 4a dc cd d0 f7 52 67 73 f1 2d a0 23 fd 7e\nMyFile(0999)\: 00d0\: f4 31 ca 2d 70 ca 89 0b 04 db 2e a6 4f 70 6e 9e\nMyFile(0999)\: 00e0\: ce bd 58 89 e2 53 59 9e 6e 5a 92 65 e2 88 3f 0c\nMyFile(0999)\: 00f0\: 94 19 a3 dd e5 e8 9d 95 13 ed 29 db ab 70 12 dc\nMyFile(0999)\: 0100\: 5a ca 6b 17 ab 52 82 54 b1 02 03 01 00 01 \n" Debug print certificate #2 (EC) 
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:!MBEDTLS_X509_REMOVE_INFO -mbedtls_debug_print_crt:"../framework/data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n" +mbedtls_debug_print_crt:"../framework/data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. 
version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: dumping 'crt->PK' (97 bytes)\nMyFile(0999)\: 0000\: 04 c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29\nMyFile(0999)\: 0010\: 43 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91\nMyFile(0999)\: 0020\: 95 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c\nMyFile(0999)\: 0030\: 2d 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e\nMyFile(0999)\: 0040\: 58 b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7\nMyFile(0999)\: 0050\: 47 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33\nMyFile(0999)\: 0060\: 1e \n" From af62bae5c1308be93cc2550f541ec132c5bae756 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Dec 2025 09:41:41 +0100 Subject: [PATCH 05/11] library: debug: add PK_WRITE_C guard to mbedtls_debug_print_crt() In tf-psa-crypto "mbedtls_pk_write_pubkey_psa()" is only available when MBEDTLS_PK_WRITE_C is defined. Therefore we need to add this guard also in mbedtls to "debug_print_pk" (and indirectly to "mbedtls_debug_print_crt") and the corresponding tests using it. Signed-off-by: Valerio Setti --- library/debug.c | 5 +++-- tests/suites/test_suite_debug.function | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/library/debug.c b/library/debug.c index 561ce5128f..8ac4b0ba54 100644 --- a/library/debug.c +++ b/library/debug.c 
@@ -178,7 +178,8 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, MBEDTLS_DEBUG_PRINT_BUF_ADD_TEXT); } -#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) && \ + defined(MBEDTLS_PK_WRITE_C) static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *text, const mbedtls_pk_context *pk) @@ -250,6 +251,6 @@ void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level, crt = crt->next; } } -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_REMOVE_INFO */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_REMOVE_INFO && MBEDTLS_PK_WRITE_C */ #endif /* MBEDTLS_DEBUG_C */ diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 05b0112b93..5ec21015fc 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -245,7 +245,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_PK_WRITE_C */ void mbedtls_debug_print_crt(char *crt_file, char *file, int line, char *prefix, char *result_str) { From d040eb823e6a3faad30762927f899fa934225b28 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Dec 2025 14:43:28 +0100 Subject: [PATCH 06/11] include: debug: fix guards for MBEDTLS_SSL_DEBUG_CRT Guards for "mbedtls_debug_print_crt()" were updated in previous commit, but those changes were not applied to MBEDTLS_SSL_DEBUG_CRT therefore causing build failures in the CI. This commit fixes the problem. Signed-off-by: Valerio Setti --- include/mbedtls/debug.h | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index bdfc597e0c..ecab1023f9 100644 
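Review bot: The closing `#endif` comment rewritten in the second library/debug.c hunk (-250,6 +251,6) names `MBEDTLS_X509_REMOVE_INFO` without the negation, so it does not mirror the `#if` it closes, which tests `!defined(MBEDTLS_X509_REMOVE_INFO)`. I would write it as `#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO && MBEDTLS_PK_WRITE_C */`. The same omission is on the `#endif` line of the later library/debug.c hunk (-247,11 +249,13), where `#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */` would match the comment used in include/mbedtls/debug.h. The guarded functions start outside both hunks.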
--- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -28,14 +28,13 @@ #define MBEDTLS_SSL_DEBUG_BUF(level, text, buf, len) \ mbedtls_debug_print_buf(ssl, level, __FILE__, __LINE__, text, buf, len) -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if !defined(MBEDTLS_X509_REMOVE_INFO) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) && \ + defined(MBEDTLS_PK_WRITE_C) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) \ mbedtls_debug_print_crt(ssl, level, __FILE__, __LINE__, text, crt) #else #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) do { } while (0) -#endif /* MBEDTLS_X509_REMOVE_INFO */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO && MBEDTLS_PK_WRITE_C */ #else /* MBEDTLS_DEBUG_C */ From 2af638a1770c1348d8bc255ca015033553c7328d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 18 Dec 2025 14:56:59 +0100 Subject: [PATCH 07/11] library: debug: fix print format in mbedtls_debug_print_buf_ext() %zu creates problem in MinGW testing. Use MBEDTLS_PRINTF_SIZET intead. Signed-off-by: Valerio Setti --- include/mbedtls/debug.h | 2 ++ library/debug.c | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index ecab1023f9..e11f373831 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -89,10 +89,12 @@ #if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) #include #define MBEDTLS_PRINTF_SIZET PRIuPTR + #define MBEDTLS_PRINTF_SIZET_HEX PRIxPTR #define MBEDTLS_PRINTF_LONGLONG "I64d" #else \ /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */ #define MBEDTLS_PRINTF_SIZET "zu" + #define MBEDTLS_PRINTF_SIZET_HEX "zx" #define MBEDTLS_PRINTF_LONGLONG "lld" #endif \ /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */ diff --git a/library/debug.c b/library/debug.c index 8ac4b0ba54..0721d60a14 100644 --- a/library/debug.c +++ b/library/debug.c 
@@ -154,12 +154,13 @@ static void mbedtls_debug_print_buf_ext(const mbedtls_ssl_context *ssl, int leve return; } - mbedtls_snprintf(str, sizeof(str), "dumping '%s' (%zu bytes)\n", text, len); + mbedtls_snprintf(str, sizeof(str), "dumping '%s' (%" MBEDTLS_PRINTF_SIZET " bytes)\n", + text, len); debug_send_line(ssl, level, file, line, str); while (len > 0) { memset(str, 0, sizeof(str)); - idx = mbedtls_snprintf(str, sizeof(str), "%04zx: ", curr_offset); + idx = mbedtls_snprintf(str, sizeof(str), "%04" MBEDTLS_PRINTF_SIZET_HEX ": ", curr_offset); chunk_len = (len >= 16) ? 16 : len; mbedtls_debug_print_buf_one_line(str + idx, sizeof(str) - idx, &buf[curr_offset], chunk_len, From ebbaca0a992365c88869df67247a3519b0709b2b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Jan 2026 18:04:43 +0100 Subject: [PATCH 08/11] library: debug: adjust guards for "mbedtls_debug_print_crt" Keep MBEDTLS_PK_WRITE_C as guard only for "debug_print_pk" but let "mbedtls_debug_print_crt" to work also when MBEDTLS_PK_WRITE_C is disabled. In this case the only public key won't be printed, but the rest of the certificate will be. This commit also updates test coverage by duplicating test cases: now there will be one case for when MBEDTLS_PK_WRITE_C is enabled and another one for !MBEDTLS_PK_WRITE_C. Signed-off-by: Valerio Setti --- include/mbedtls/debug.h | 5 ++--- library/debug.c | 10 +++++++--- tests/suites/test_suite_debug.data | 14 ++++++++++++-- tests/suites/test_suite_debug.function | 2 +- 4 files changed, 22 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index e11f373831..87ea6c3150 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h 
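Review bot: On the rewritten offset line, the result of `mbedtls_snprintf` is stored in `idx` and then used as `str + idx` and `sizeof(str) - idx` with no check for an error or truncated return. The prefix is short, so truncation is unlikely, but `mbedtls_snprintf` may be a platform-supplied implementation, and a negative return would move the write position outside `str`. A guard after the call would close that, for example `if (idx < 0 || (size_t) idx >= sizeof(str)) { return; }`; this assumes `idx` is a signed int, whose declaration is outside the hunk. The function body starts before and continues after the hunk.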
@@ -28,13 +28,12 @@ #define MBEDTLS_SSL_DEBUG_BUF(level, text, buf, len) \ mbedtls_debug_print_buf(ssl, level, __FILE__, __LINE__, text, buf, len) -#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) && \ - defined(MBEDTLS_PK_WRITE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) \ mbedtls_debug_print_crt(ssl, level, __FILE__, __LINE__, text, crt) #else #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) do { } while (0) -#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO && MBEDTLS_PK_WRITE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */ #else /* MBEDTLS_DEBUG_C */ diff --git a/library/debug.c b/library/debug.c index 0721d60a14..e622ac9ed4 100644 --- a/library/debug.c +++ b/library/debug.c @@ -179,8 +179,9 @@ void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, MBEDTLS_DEBUG_PRINT_BUF_ADD_TEXT); } -#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) && \ - defined(MBEDTLS_PK_WRITE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) + +#if defined(MBEDTLS_PK_WRITE_C) static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *text, const mbedtls_pk_context *pk) @@ -198,6 +199,7 @@ static void debug_print_pk(const mbedtls_ssl_context *ssl, int level, "failed to export public key from PK context"); } } +#endif /* MBEDTLS_PK_WRITE_C */ static void debug_print_line_by_line(const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *text) 
@@ -247,11 +249,13 @@ void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level, mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt); debug_print_line_by_line(ssl, level, file, line, buf); +#if defined(MBEDTLS_PK_WRITE_C) debug_print_pk(ssl, level, file, line, "crt->PK", &crt->pk); +#endif /* MBEDTLS_PK_WRITE_C */ crt = crt->next; } } -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_REMOVE_INFO && MBEDTLS_PK_WRITE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_REMOVE_INFO */ #endif /* MBEDTLS_DEBUG_C */ diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data index 0e2163be9f..3d72056528 100644 --- a/tests/suites/test_suite_debug.data +++ b/tests/suites/test_suite_debug.data 
@@ -47,9 +47,19 @@ Debug print buffer #5 mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30":"MyFile(0999)\: dumping 'Test return value' (49 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................\nMyFile(0999)\: 0020\: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./\nMyFile(0999)\: 0030\: 30 0\n" Debug print certificate #1 (RSA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_PK_WRITE_C mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: dumping 'crt->PK' (270 bytes)\nMyFile(0999)\: 0000\: 30 82 01 0a 02 82 01 01 00 a9 02 1f 3d 40 6a d5\nMyFile(0999)\: 0010\: 55 53 8b fd 36 ee 82 65 2e 15 61 5e 89 bf b8 e8\nMyFile(0999)\: 0020\: 45 90 db ee 88 16 52 d3 f1 43 50 47 96 12 59 64\nMyFile(0999)\: 0030\: 87 6b fd 2b e0 46 f9 73 be dd cf 92 e1 91 5b ed\nMyFile(0999)\: 0040\: 66 a0 6f 89 29 79 45 80 d0 83 6a d5 41 43 77 5f\nMyFile(0999)\: 0050\: 39 7c 09 04 47 82 b0 57 39 70 ed a3 ec 15 19 1e\nMyFile(0999)\: 0060\: a8 33 08 47 c1 05 42 a9 fd 4c c3 b4 df dd 06 1f\nMyFile(0999)\: 0070\: 4d 10 51 40 67 73 13 0f 40 f8 6d 81 25 5f 0a 
b1\nMyFile(0999)\: 0080\: 53 c6 30 7e 15 39 ac f9 5a ee 7f 92 9e a6 05 5b\nMyFile(0999)\: 0090\: e7 13 97 85 b5 23 92 d9 d4 24 06 d5 09 25 89 75\nMyFile(0999)\: 00a0\: 07 dd a6 1a 8f 3f 09 19 be ad 65 2c 64 eb 95 9b\nMyFile(0999)\: 00b0\: dc fe 41 5e 17 a6 da 6c 5b 69 cc 02 ba 14 2c 16\nMyFile(0999)\: 00c0\: 24 9c 4a dc cd d0 f7 52 67 73 f1 2d a0 23 fd 7e\nMyFile(0999)\: 00d0\: f4 31 ca 2d 70 ca 89 0b 04 db 2e a6 4f 70 6e 9e\nMyFile(0999)\: 00e0\: ce bd 58 89 e2 53 59 9e 6e 5a 92 65 e2 88 3f 0c\nMyFile(0999)\: 00f0\: 94 19 a3 dd e5 e8 9d 95 13 ed 29 db ab 70 12 dc\nMyFile(0999)\: 0100\: 5a ca 6b 17 ab 52 82 54 b1 02 03 01 00 01 \n" +# Same as above, but with !MBEDTLS_PK_WRITE_C +Debug print certificate #1.1 (RSA) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO:!MBEDTLS_PK_WRITE_C +mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\n" + Debug print certificate #2 (EC) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:!MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_PK_WRITE_C mbedtls_debug_print_crt:"../framework/data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. 
version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: dumping 'crt->PK' (97 bytes)\nMyFile(0999)\: 0000\: 04 c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29\nMyFile(0999)\: 0010\: 43 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91\nMyFile(0999)\: 0020\: 95 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c\nMyFile(0999)\: 0030\: 2d 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e\nMyFile(0999)\: 0040\: 58 b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7\nMyFile(0999)\: 0050\: 47 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33\nMyFile(0999)\: 0060\: 1e \n" + +# Same as above, but with !MBEDTLS_PK_WRITE_C +Debug print certificate #2.1 (EC) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:!MBEDTLS_X509_REMOVE_INFO:!MBEDTLS_PK_WRITE_C +mbedtls_debug_print_crt:"../framework/data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\n" diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 5ec21015fc..05b0112b93 100644 
--- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -245,7 +245,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_PK_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ void mbedtls_debug_print_crt(char *crt_file, char *file, int line, char *prefix, char *result_str) { From 4d62c59a56c9b7108c0d6df84148a090fdf8412d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Jan 2026 10:26:44 +0100 Subject: [PATCH 09/11] tests: scripts: add new component to test with only pkwrite disabled This is similar to the already existing "component_full_no_pkparse_pkwrite". The biggest difference is that this new component starts from "full" config instead of "crypto_full" because we want to test also some TLS modules, in particular "test_suite_debug" where the new function "mbedtls_pk_write_pubkey_psa" has been introduced. Signed-off-by: Valerio Setti --- .../components-configuration-crypto.sh | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index d1ce15e40a..c50dbd07c4 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -276,6 +276,26 @@ component_full_no_pkparse_pkwrite () { $MAKE_COMMAND test } +component_full_no_pkwrite () { + msg "build: full without pkwrite" + + # Using "full" config here instead of "crypto_full" as in "component_full_no_pkparse_pkwrite" + # because here we would like to run "test_suite_debug" test cases. + scripts/config.py full + scripts/config.py unset MBEDTLS_PK_WRITE_C + # Disable modules that depend on PK_WRITE_C + scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C + scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C + + $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + # Ensure that PK_WRITE_C was not re-enabled accidentally (additive config). + not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o + + msg "test: full without pkwrite" + $MAKE_COMMAND test +} + component_test_crypto_full_md_light_only () { msg "build: crypto_full with only the light subset of MD" scripts/config.py crypto_full From 059aac8680aada69bd83c3577057aa9d92e213ae Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Jan 2026 14:25:19 +0100 Subject: [PATCH 10/11] tests: scripts: build with cmake in all components using Asan Signed-off-by: Valerio Setti --- .../components-configuration-crypto.sh | 59 ++++++++++++------- 1 file changed, 37 insertions(+), 22 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index c50dbd07c4..11746b0da8 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -234,10 +234,12 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" - $MAKE_COMMAND test + make test msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|opaque' @@ -250,10 +252,12 @@ component_test_psa_external_rng_use_psa_crypto () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" - $MAKE_COMMAND test + make test msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' @@ -266,14 +270,15 @@ component_full_no_pkparse_pkwrite () { scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o msg "test: full without pkparse and pkwrite" - $MAKE_COMMAND test + make test } component_full_no_pkwrite () { 
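Review bot: The `not grep` checks kept as context in the third hunk (-266,14 +270,15, component_full_no_pkparse_pkwrite) still read `${BUILTIN_SRC_PATH}/pkparse.o` and `${BUILTIN_SRC_PATH}/pkwrite.o`, but after the switch to `cmake` plus `make` the objects are presumably no longer written there. If `not` only inverts the exit status (its definition is not on this page), grep failing on a missing file makes the check pass without inspecting anything, so an accidentally re-enabled module would go unnoticed. The same applies to the `pkwrite.o` check in the component_full_no_pkwrite hunk (-287,13 +292,14) and, hedged, to the object checks that follow the TF-M build hunk (-1286,7 +1294,8); the later path fix in this series changes only the `md` checks. I would point these at the CMake object, e.g. `not grep mbedtls_pk_write_key_der ${CMAKE_BUILTIN_BUILD_DIR}/pkwrite.c.o`, and precede each with a `test -f` on the same file so that a wrong path fails loudly.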
@@ -287,13 +292,14 @@ component_full_no_pkwrite () { scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make # Ensure that PK_WRITE_C was not re-enabled accidentally (additive config). not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o msg "test: full without pkwrite" - $MAKE_COMMAND test + make test } component_test_crypto_full_md_light_only () { @@ -313,14 +319,15 @@ component_test_crypto_full_md_light_only () { # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make # Make sure we don't have the HMAC functions, but the hashing functions not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o msg "test: crypto_full with only the light subset of MD" - $MAKE_COMMAND test + make test } component_test_full_no_cipher () { @@ -456,10 +463,11 @@ component_test_everest_curve25519_only () { scripts/config.py unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: Everest ECDH context, only Curve25519" # ~ 50s - $MAKE_COMMAND test + make test } component_test_psa_collect_statuses () { 
@@ -1286,7 +1294,8 @@ component_test_tfm_config_p256m_driver_accel_ec () { common_tfm_config # Build crypto library - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../framework/tests/include/spe" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . + make # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o @@ -1305,7 +1314,7 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Run the tests msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" - $MAKE_COMMAND test + make test } # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as @@ -1353,10 +1362,11 @@ build_and_test_psa_want_key_pair_partial () { # crypto_config.h so we just disable the one we don't want. scripts/config.py unset "$disabled_psa_want" - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: $base_config - ${disabled_psa_want}" - $MAKE_COMMAND test + make test } component_test_psa_ecc_key_pair_no_derive () { @@ -1881,10 +1891,12 @@ component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: full minus CHACHAPOLY" - $MAKE_COMMAND test + make test } component_test_aead_only_ccm () { 
@@ -1892,10 +1904,12 @@ component_test_aead_only_ccm () { scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py unset PSA_WANT_ALG_GCM - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: full minus CHACHAPOLY and GCM" - $MAKE_COMMAND test + make test } component_test_ccm_aes_sha256 () { @@ -2345,10 +2359,11 @@ component_test_psa_crypto_drivers () { loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS" loc_cflags="${loc_cflags} -I../framework/tests/include" - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC CFLAGS="${loc_cflags}" cmake -D CMAKE_BUILD_TYPE:String=Asan . + make msg "test: full + test drivers dispatching to builtins" - $MAKE_COMMAND test + make test } component_build_psa_config_file () { From fdccbbb91ff16f2a667e48f9d7f9b9363adc1e6f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Jan 2026 17:53:56 +0100 Subject: [PATCH 11/11] tests: scripts: configuration-crypto: fix paths after switch to CMake Switching to CMake build caused some failures due to the fact that: - binary objects in tf-psa-crypto are not in the same location as before; - header files from "/include" are no more included when building tf-psa-crypto ojects. This commit fixes both problems. Signed-off-by: Valerio Setti --- tests/scripts/components-configuration-crypto.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 11746b0da8..a1bd9b0f8d 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -9,6 +9,8 @@ #### Configuration Testing - Crypto ################################################################ +CMAKE_BUILTIN_BUILD_DIR="tf-psa-crypto/drivers/builtin/CMakeFiles/builtin.dir/src" + component_test_psa_crypto_key_id_encodes_owner () { msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" scripts/config.py full @@ -323,8 +325,8 @@ component_test_crypto_full_md_light_only () { make # Make sure we don't have the HMAC functions, but the hashing functions - not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o - grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o + not grep mbedtls_md_hmac ${CMAKE_BUILTIN_BUILD_DIR}/md.c.o + grep mbedtls_md ${CMAKE_BUILTIN_BUILD_DIR}/md.c.o msg "test: crypto_full with only the light subset of MD" make test @@ -2356,8 +2358,8 @@ component_test_psa_crypto_drivers () { # config_adjust_test_accelerators.h for more information. msg "build: full + test drivers dispatching to builtins" scripts/config.py full - loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS" - loc_cflags="${loc_cflags} -I../framework/tests/include" + loc_cflags="-DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS" + loc_cflags="${loc_cflags} -I../framework/tests/include -I${MBEDTLS_ROOT_DIR}/include" CC=$ASAN_CC CFLAGS="${loc_cflags}" cmake -D CMAKE_BUILD_TYPE:String=Asan . make
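Review bot: `CMAKE_BUILTIN_BUILD_DIR` in the first hunk (-9,6 +9,8) is added without a comment, and its value hard-codes CMake's internal object layout for an in-tree build. A short comment would tell maintainers when the path is valid and why object names differ from the `BUILTIN_SRC_PATH` ones, for example `# Object directory of the builtin driver after an in-tree "cmake ." build; objects are named <file>.c.o`. A relative path also only resolves while the component runs from the source root, which may deserve a mention in the same comment.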