Merge pull request #9062 from tom-daubney-arm/crypto_config-tls1_2_default_stream_cipher_only_use_psa
Make TLS 1.2 components work with PSA_CRYPTO_CONFIG set
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index e3d8401..0bd6d18 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1903,43 +1903,26 @@
}
component_test_tls1_2_default_stream_cipher_only () {
- msg "build: default with only stream cipher"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- #Disable TLS 1.3 (as no AEAD)
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only stream cipher"
- make test
-
- # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
-}
-
-component_test_tls1_2_default_stream_cipher_only_use_psa () {
msg "build: default with only stream cipher use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
+ # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ # Note: The unset below is to be removed for 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -1958,45 +1941,23 @@
}
component_test_tls1_2_default_cbc_legacy_cipher_only () {
- msg "build: default with only CBC-legacy cipher"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- #Disable TLS 1.3 (as no AEAD)
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
- # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only CBC-legacy cipher"
- make test
-
- msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f "TLS 1.2"
-}
-
-component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
msg "build: default with only CBC-legacy cipher use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -2015,45 +1976,23 @@
}
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
- msg "build: default with only CBC-legacy and CBC-EtM ciphers"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- #Disable TLS 1.3 (as no AEAD)
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
- # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only CBC-legacy and CBC-EtM ciphers"
- make test
-
- msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f "TLS 1.2"
-}
-
-component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))