From 3492807e0b337925011e16d7d79b25e20709d59d Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 20 Aug 2025 10:26:11 +0100 Subject: [PATCH 1/3] Remove component uses of MBEDTLS_ECDSA_DETERMINISTIC Remove all references to MBEDTLS_ECDSA_DETERMINISTIC from components-configuration-crypto.sh. Replace them with PSA_WANT_ALG_DETERMINISTIC_ECDSA. This is safe because: * MBEDTLS_ECDSA_DETERMINISTIC is only ever unset in components in order to avoid errors from disabling its dependency MBEDTLS_HMAC_DRBG_C. * MBEDTLS_ECDSA_DETERMINISTIC is only ever defined in config_adjust_legacy_from_psa.h, and only if PSA_WANT_ALG_DETERMINISTIC_ECDSA is defined. Therefore PSA_WANT_ALG_DETERMINISTIC_ECDSA's dependencies are a superset of MBEDTLS_ECDSA_DETERMINISTIC's dependencies and must include MBEDTLS_HMAC_DRBG_C, so disabling PSA_WANT_ALG_DETERMINISTIC_ECDSA is a sufficient substitute for disabling MBEDTLS_ECDSA_DETERMINISTIC. Signed-off-by: David Horstmann --- tests/scripts/components-configuration-crypto.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index f7647415c5..4d7fceffe3 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () { msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # requires HMAC_DRBG CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make 
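Review bot: The trailing comment `# requires HMAC_DRBG` on the new line in component_test_no_hmac_drbg_use_psa is imprecise now that it sits on a PSA symbol. Per the commit message, the HMAC_DRBG dependency belongs to MBEDTLS_ECDSA_DETERMINISTIC, which config_adjust_legacy_from_psa.h derives from PSA_WANT_ALG_DETERMINISTIC_ECDSA. I would spell that out, e.g. `# would enable MBEDTLS_ECDSA_DETERMINISTIC, which requires HMAC_DRBG`, and use the same wording in the component_test_psa_external_rng_no_drbg_use_psa hunk, which currently capitalises it differently (`# Requires HMAC_DRBG`). In the component_test_crypto_full_md_light_only hunk the removed line carried the only `# needs HMAC_DRBG` rationale, so the surviving PSA_WANT line would benefit from the same comment. All of these function bodies continue outside their hunks.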
@@ -241,7 +241,7 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" @@ -293,7 +293,6 @@ component_test_crypto_full_md_light_only () { scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS7_C # Disable indirect dependencies of MD_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C @@ -1656,7 +1655,6 @@ config_psa_crypto_hmac_use_psa () { scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_HKDF_C # Dependencies of HMAC_DRBG - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA } From 7cbeedc6074b2c2a3e1818185a86c324d68cef30 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 26 Aug 2025 17:26:45 +0100 Subject: [PATCH 2/3] Remove uses of the -c $CRYPTO_CONFIG_H idiom This is no longer needed as config.py knows where the crypto config file is these days. Signed-off-by: David Horstmann --- .../components-configuration-crypto.sh | 68 +++++++++---------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 4d7fceffe3..d422bf8edb 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -82,19 +82,19 @@ component_test_psa_crypto_without_heap() { msg "crypto without heap: build libtestdriver1" # Disable PSA features that cannot be accelerated and whose builtin support # requires calloc/free. - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_" + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset-all "^PSA_WANT_ALG_HKDF" + scripts/config.py unset-all "^PSA_WANT_ALG_PBKDF2_" + scripts/config.py unset-all "^PSA_WANT_ALG_TLS12_" # RSA key support requires ASN1 parse/write support for testing, but ASN1 # is disabled below. - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_" + scripts/config.py unset-all "^PSA_WANT_KEY_TYPE_RSA_" + scripts/config.py unset-all "^PSA_WANT_ALG_RSA_" # DES requires built-in support for key generation (parity check) so it # cannot be accelerated - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_KEY_TYPE_DES # EC-JPAKE use calloc/free in PSA core - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + scripts/config.py unset PSA_WANT_ALG_JPAKE # Enable p192[k|r]1 curves which are disabled by default in tf-psa-crypto. # This is required to get the proper test coverage otherwise there are # tests in 'test_suite_psa_crypto_op_fail' that would never be executed. 
@@ -102,7 +102,7 @@ component_test_psa_crypto_without_heap() { scripts/config.py set PSA_WANT_ECC_SECP_R1_192 # Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H). - PSA_SYM_LIST=$(./scripts/config.py -c $CRYPTO_CONFIG_H get-all-enabled PSA_WANT) + PSA_SYM_LIST=$(./scripts/config.py get-all-enabled PSA_WANT) loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g') helper_libtestdriver1_adjust_config crypto @@ -143,7 +143,7 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" @@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () { msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # requires HMAC_DRBG + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # requires HMAC_DRBG CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make @@ -241,7 +241,7 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" 
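Review bot: Dropping `-c $CRYPTO_CONFIG_H` from the `get-all-enabled PSA_WANT` call in component_test_psa_crypto_without_heap may widen what ends up in `loc_accel_list`. The query is no longer tied to one file, and the pattern `PSA_WANT` is not anchored the way the `unset-all "^PSA_WANT_..."` calls earlier in the same function are. Assuming get-all-enabled treats its argument as a regular expression like unset-all does, any enabled symbol that merely contains PSA_WANT in another config file would be picked up as well and fed to the accelerated list. Anchoring keeps the previous scope explicit: `PSA_SYM_LIST=$(./scripts/config.py get-all-enabled "^PSA_WANT_")`. The comment above the line still says "enabled in CRYPTO_CONFIG_H" and could be reworded now that the file is no longer named; the function body starts and ends outside this hunk.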
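Review bot: In component_test_no_rsa_key_pair_generation the `unset` is followed directly by `make`, with nothing confirming that PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE is actually off now that config.py, not the caller, decides which file to edit. If config.py treats an unset of a symbol it cannot locate as a no-op (worth confirming), the component would build and pass on the default configuration while the reduced configuration goes untested. A cheap post-condition before the build, such as checking that `scripts/config.py get PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE` fails, would catch that. The same concern applies to the other single-symbol components touched by this series, and most of all to `scripts/config.py unset MBEDTLS_NIST_KW_C` in component_test_full_no_ccm_star_no_tag (patch 3/3), the only MBEDTLS_-prefixed option here that previously had an explicit file. The function continues past the end of this hunk.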
@@ -293,7 +293,7 @@ component_test_crypto_full_md_light_only () { scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS7_C # Disable indirect dependencies of MD_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C 
@@ -318,17 +318,17 @@ component_test_full_no_cipher () { # on CIPHER_C so we disable them. # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 # so we keep them enabled. - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_CMAC + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CFB + scripts/config.py unset PSA_WANT_ALG_CTR + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_OFB + scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py unset PSA_WANT_KEY_TYPE_DES # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_NIST_KW_C 
@@ -433,18 +433,18 @@ component_test_everest_curve25519_only () { msg "build: Everest ECDH context, only Curve25519" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py set PSA_WANT_ALG_ECDH scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + scripts/config.py unset PSA_WANT_ALG_JPAKE # Disable all curves scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255 + scripts/config.py unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" + scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" 
@@ -2065,10 +2065,10 @@ component_build_aes_variations () { scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_KEY_TYPE_DES build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_ROM_TABLES" \ From b907dbc4d3c3bc813d3da3baa96f8217e87480a2 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 27 Aug 2025 15:19:40 +0100 Subject: [PATCH 3/3] Remove other cases of explicit crypto config file Remove unnecessary passing of the crypto config filename either with the '-f' or '-c' switch, throughout all of the all.sh component files. Signed-off-by: David Horstmann --- .../components-configuration-crypto.sh | 88 +++++++-------- tests/scripts/components-configuration-tls.sh | 100 +++++++++--------- tests/scripts/components-psasim.sh | 2 +- 3 files changed, 95 insertions(+), 95 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index d422bf8edb..24b7d6cbfb 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -356,7 +356,7 @@ component_test_full_no_ccm () { # # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause # PSA_WANT_ALG_CCM to be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM make 
@@ -377,17 +377,17 @@ component_test_full_no_ccm_star_no_tag () { # # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py unset PSA_WANT_ALG_CTR + scripts/config.py unset PSA_WANT_ALG_CFB + scripts/config.py unset PSA_WANT_ALG_OFB + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING # NOTE unsettting PSA_WANT_ALG_ECB_NO_PADDING without unsetting NIST_KW_C will # mean PSA_WANT_ALG_ECB_NO_PADDING is re-enabled, so disabling it also. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_NIST_KW_C - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 make 
@@ -540,10 +540,10 @@ component_test_psa_crypto_config_ffdh_2048_only () { scripts/config.py full # Disable all DH groups other than 2048. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 + scripts/config.py unset PSA_WANT_DH_RFC7919_3072 + scripts/config.py unset PSA_WANT_DH_RFC7919_4096 + scripts/config.py unset PSA_WANT_DH_RFC7919_6144 + scripts/config.py unset PSA_WANT_DH_RFC7919_8192 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" @@ -754,7 +754,7 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # this is not supported by the driver API yet - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Build # ----- @@ -848,7 +848,7 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # this is not supported by the driver API yet - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Build # ----- @@ -1020,7 +1020,7 @@ config_psa_crypto_no_ecp_at_all () { # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues 
@@ -1137,12 +1137,12 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # RSA support is intentionally disabled on this test because RSA_C depends # on BIGNUM_C. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" + scripts/config.py unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" + scripts/config.py unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Also disable key exchanges that depend on RSA scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -1151,9 +1151,9 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { if [ "$test_target" = "ECC" ]; then # When testing ECC only, we disable FFDH support, both from builtin and # PSA sides. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" + scripts/config.py unset PSA_WANT_ALG_FFDH + scripts/config.py unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" + scripts/config.py unset-all "PSA_WANT_DH_RFC7919_[0-9]*" fi # Restartable feature is not yet supported by PSA. Once it will in 
@@ -1390,7 +1390,7 @@ build_and_test_psa_want_key_pair_partial () { # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in # crypto_config.h so we just disable the one we don't want. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" + scripts/config.py unset "$disabled_psa_want" make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -1501,9 +1501,9 @@ component_test_new_psa_want_key_pair_symbol () { # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure # that proper translations is done in crypto_legacy.h. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make @@ -1655,7 +1655,7 @@ config_psa_crypto_hmac_use_psa () { scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_HKDF_C # Dependencies of HMAC_DRBG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA } component_test_psa_crypto_config_accel_hmac () { @@ -1712,7 +1712,7 @@ component_test_psa_crypto_config_accel_aead () { helper_libtestdriver1_adjust_config "full" # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG # Build # ----- 
@@ -1828,14 +1828,14 @@ common_block_cipher_dispatch () { # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". # Keep this also in the reference component in order to skip the same tests # that were skipped in the accelerated one. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset PSA_WANT_ALG_CTR + scripts/config.py unset PSA_WANT_ALG_CFB + scripts/config.py unset PSA_WANT_ALG_OFB + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CMAC + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 # Disable direct dependency on AES_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -1928,7 +1928,7 @@ component_test_full_block_cipher_legacy_dispatch () { component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full minus CHACHAPOLY" 
@@ -1938,8 +1938,8 @@ component_test_aead_chachapoly_disabled () { component_test_aead_only_ccm () { msg "build: full minus CHACHAPOLY and GCM" scripts/config.py full - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_GCM make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full minus CHACHAPOLY and GCM" @@ -2279,10 +2279,10 @@ config_block_cipher_no_decrypt () { # Enable support for cryptographic mechanisms through the PSA API. # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_KEY_TYPE_DES } component_test_block_cipher_no_decrypt_aesni () { diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index c8b2287d71..b74b30477c 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh 
@@ -50,15 +50,15 @@ component_test_tls1_2_default_stream_cipher_only () { msg "build: default with only stream cipher use psa" # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 
@@ -79,14 +79,14 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { msg "build: default with only CBC-legacy cipher use psa" # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Enable CBC-legacy - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) 
@@ -108,14 +108,14 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Enable CBC-legacy - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) @@ -361,10 +361,10 @@ component_test_ssl_alloc_buffer_and_mfl () { component_test_when_no_ciphersuites_have_mac () { msg "build: when no ciphersuites have MAC" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CMAC + scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER 
@@ -419,22 +419,22 @@ component_test_tls13_only_psk () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_FFDH - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_2048 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_3072 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_4096 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_6144 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_8192 + scripts/config.py unset PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_FFDH + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE + scripts/config.py unset PSA_WANT_DH_RFC7919_2048 + scripts/config.py unset 
PSA_WANT_DH_RFC7919_3072 + scripts/config.py unset PSA_WANT_DH_RFC7919_4096 + scripts/config.py unset PSA_WANT_DH_RFC7919_6144 + scripts/config.py unset PSA_WANT_DH_RFC7919_8192 # Note: The four unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C @@ -471,7 +471,7 @@ component_test_tls13_only_ephemeral_ffdh () { scripts/config.py unset MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_ECDH # Note: The unset below is to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C @@ -495,10 +495,10 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C 
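Review bot: The ten per-symbol DH lines in component_test_tls13_only_psk could be two pattern-based calls, as config_psa_crypto_config_accel_ecc_ffdh_no_bignum in components-configuration-crypto.sh does for the same families: `scripts/config.py unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"` and `scripts/config.py unset-all "PSA_WANT_DH_RFC7919_[0-9]*"`. Besides being shorter, that keeps this PSK-only configuration free of finite-field DH if another group size or DH key-type symbol is added later, instead of silently leaving the new one enabled. This assumes the patterns match exactly the symbols listed today, which should be checked against the config file. The function body starts before and continues after the hunk.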
@@ -522,11 +522,11 @@ component_test_tls13_only_psk_ephemeral_ffdh () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The three unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C @@ -550,10 +550,10 @@ component_test_tls13_only_psk_all () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C diff --git a/tests/scripts/components-psasim.sh b/tests/scripts/components-psasim.sh index ba8ab331d2..a20f917ddb 100644 --- a/tests/scripts/components-psasim.sh +++ b/tests/scripts/components-psasim.sh 
@@ -78,7 +78,7 @@ component_test_suite_with_psasim() msg "build client library" helper_psasim_config client # PAKE functions are still unsupported from PSASIM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + scripts/config.py unset PSA_WANT_ALG_JPAKE scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED helper_psasim_build client