Merge pull request #5385 from AndrzejKurek/use-psa-crypto-reduced-configs

Resolve problems with reduced configs using USE_PSA_CRYPTO

ChangeLog.d/psa_crypto_reduced_configs.txt

@@ -0,0 +1,5 @@
+Changes
+   * Automatically enable MBEDTLS_PK_WRITE_C if MBEDTLS_PK_C and
+     MBEDTLS_USE_PSA_CRYPTO are enabled. This is due to ecdsa_verify_wrap
+     requirements, but will also probably be needed by RSA soon, hence the
+     broader PK_C requirement.

ChangeLog.d/psa_crypto_reduced_configs_bugs.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix several bugs (warnings, compiler and linker errors, test failures)
+     in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.

configs/config-ccm-psk-tls1_2.h

@@ -83,3 +83,8 @@
  */
 #define MBEDTLS_SSL_IN_CONTENT_LEN             1024
 #define MBEDTLS_SSL_OUT_CONTENT_LEN             1024
+
+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C

configs/config-suite-b.h

@@ -110,3 +110,8 @@
  */
 #define MBEDTLS_SSL_IN_CONTENT_LEN             1024
 #define MBEDTLS_SSL_OUT_CONTENT_LEN             1024
+
+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C

configs/config-thread.h

@@ -85,3 +85,8 @@
 
 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
 #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+
+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C

include/mbedtls/build_info.h

@@ -74,6 +74,9 @@
 #include MBEDTLS_USER_CONFIG_FILE
 #endif
 
+#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
+#define MBEDTLS_PK_WRITE_C
+#endif
 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
 #include "mbedtls/config_psa.h"
 #endif

programs/ssl/ssl_client2.c

@@ -692,9 +692,11 @@ int main( int argc, char *argv[] )
     const char *pers = "ssl_client2";
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
     mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT;
     psa_algorithm_t alg = 0;
     psa_key_attributes_t key_attributes;
+#endif
     psa_status_t status;
 #endif
 
@@ -1399,6 +1401,7 @@ int main( int argc, char *argv[] )
         }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
         if( opt.psk_opaque != 0 )
         {
             /* Ensure that the chosen ciphersuite is PSK-only; we must know
@@ -1420,6 +1423,7 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_SHA384_C */
                 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
         }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
     }
 

programs/ssl/ssl_server2.c

@@ -1211,6 +1211,7 @@ static void ssl_async_cancel( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 static psa_status_t psa_setup_psk_key_slot( mbedtls_svc_key_id_t *slot,
                                             psa_algorithm_t alg,
                                             unsigned char *psk,
@@ -1233,6 +1234,7 @@ static psa_status_t psa_setup_psk_key_slot( mbedtls_svc_key_id_t *slot,
 
     return( PSA_SUCCESS );
 }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -2134,6 +2136,7 @@ int main( int argc, char *argv[] )
         }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
         if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
         {
             /* Ensure that the chosen ciphersuite is PSK-only; we must know
@@ -2155,6 +2158,7 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_SHA384_C */
                 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
         }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
     }
 

tests/scripts/test-ref-configs.pl

@@ -30,16 +30,20 @@ use strict;
 my %configs = (
     'config-ccm-psk-tls1_2.h' => {
         'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+        'test_again_with_use_psa' => 1
     },
     'config-no-entropy.h' => {
     },
     'config-suite-b.h' => {
         'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
+        'test_again_with_use_psa' => 1,
     },
     'config-symmetric-only.h' => {
+        'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
     },
     'config-thread.h' => {
         'opt' => '-f ECJPAKE.*nolog',
+        'test_again_with_use_psa' => 1,
     },
 );
 
@@ -79,18 +83,33 @@ if (!-e "tests/seedfile" || -s "tests/seedfile" < 64) {
     close SEEDFILE or die;
 }
 
-while( my ($conf, $data) = each %configs ) {
+sub perform_test {
+    my $conf = $_[0];
+    my $data = $_[1];
+    my $test_with_psa = $_[2];
+
     system( "cp $config_h.bak $config_h" ) and die;
     system( "make clean" ) and die;
 
     print "\n******************************************\n";
     print "* Testing configuration: $conf\n";
+    if ( $test_with_psa )
+    {
+        print "* ENABLING MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO \n";
+    }
     print "******************************************\n";
+
     $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf;
 
     system( "cp configs/$conf $config_h" )
         and abort "Failed to activate $conf\n";
 
+    if ( $test_with_psa )
+    {
+        system( "scripts/config.py set MBEDTLS_PSA_CRYPTO_C" );
+        system( "scripts/config.py set MBEDTLS_USE_PSA_CRYPTO" );
+    }
+
     system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf\n";
     system( "make test" ) and abort "Failed test suite: $conf\n";
 
@@ -119,6 +138,15 @@ while( my ($conf, $data) = each %configs ) {
     }
 }
 
+while( my ($conf, $data) = each %configs ) {
+    my $test_with_psa = $data->{'test_again_with_use_psa'};
+    if ( $test_with_psa )
+    {
+        perform_test( $conf, $data, $test_with_psa );
+    }
+    perform_test( $conf, $data, 0 );
+}
+
 system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
 system( "make clean" );
 exit 0;

tests/src/psa_exercise_key.c

@@ -764,6 +764,7 @@ int mbedtls_test_psa_exported_key_sanity_check(
 #endif /* MBEDTLS_ECP_C */
 
     {
+        (void) exported;
         TEST_ASSERT( ! "Sanity check not implemented for this key type" );
     }
 

tests/suites/test_suite_psa_crypto.function

@@ -54,7 +54,7 @@ static int mem_is_char( void *buffer, unsigned char c, size_t size )
     }
     return( 1 );
 }
-
+#if defined(MBEDTLS_ASN1_WRITE_C)
 /* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */
 static int asn1_write_10x( unsigned char **p,
                            unsigned char *start,
@@ -138,6 +138,7 @@ static int construct_fake_rsa_key( unsigned char *buffer,
     }
     return( len );
 }
+#endif /* MBEDTLS_ASN1_WRITE_C */
 
 int exercise_mac_setup( psa_key_type_t key_type,
                         const unsigned char *key_bytes,
@@ -758,7 +759,7 @@ exit:
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */
 void import_rsa_made_up( int bits_arg, int keypair, int expected_status_arg )
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;