• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#! /usr/bin/env bash
2
3# all.sh
4#
5# Copyright The Mbed TLS Contributors
6# SPDX-License-Identifier: Apache-2.0
7#
8# Licensed under the Apache License, Version 2.0 (the "License"); you may
9# not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19
20
21
22################################################################
23#### Documentation
24################################################################
25
26# Purpose
27# -------
28#
29# To run all tests possible or available on the platform.
30#
31# Notes for users
32# ---------------
33#
34# Warning: the test is destructive. It includes various build modes and
35# configurations, and can and will arbitrarily change the current CMake
36# configuration. The following files must be committed into git:
37#    * include/mbedtls/mbedtls_config.h
38#    * Makefile, library/Makefile, programs/Makefile, tests/Makefile,
39#      programs/fuzz/Makefile
40# After running this script, the CMake cache will be lost and CMake
41# will no longer be initialised.
42#
43# The script assumes the presence of a number of tools:
44#   * Basic Unix tools (Windows users note: a Unix-style find must be before
45#     the Windows find in the PATH)
46#   * Perl
47#   * GNU Make
48#   * CMake
49#   * GCC and Clang (recent enough for using ASan with gcc and MemSan with clang, or valgrind)
50#   * G++
51#   * arm-gcc and mingw-gcc
52#   * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
53#   * OpenSSL and GnuTLS command line tools, recent enough for the
54#     interoperability tests. If they don't support old features which we want
55#     to test, then a legacy version of these tools must be present as well
56#     (search for LEGACY below).
57# See the invocation of check_tools below for details.
58#
59# This script must be invoked from the toplevel directory of a git
60# working copy of Mbed TLS.
61#
62# The behavior on an error depends on whether --keep-going (alias -k)
63# is in effect.
64#  * Without --keep-going: the script stops on the first error without
65#    cleaning up. This lets you work in the configuration of the failing
66#    component.
67#  * With --keep-going: the script runs all requested components and
68#    reports failures at the end. In particular the script always cleans
69#    up on exit.
70#
71# Note that the output is not saved. You may want to run
72#   script -c tests/scripts/all.sh
73# or
74#   tests/scripts/all.sh >all.log 2>&1
75#
76# Notes for maintainers
77# ---------------------
78#
79# The bulk of the code is organized into functions that follow one of the
80# following naming conventions:
81#  * pre_XXX: things to do before running the tests, in order.
82#  * component_XXX: independent components. They can be run in any order.
83#      * component_check_XXX: quick tests that aren't worth parallelizing.
84#      * component_build_XXX: build things but don't run them.
85#      * component_test_XXX: build and test.
86#  * support_XXX: if support_XXX exists and returns false then
87#    component_XXX is not run by default.
88#  * post_XXX: things to do after running the tests.
89#  * other: miscellaneous support functions.
90#
91# Each component must start by invoking `msg` with a short informative message.
92#
93# Warning: due to the way bash detects errors, the failure of a command
94# inside 'if' or '!' is not detected. Use the 'not' function instead of '!'.
95#
96# Each component is executed in a separate shell process. The component
97# fails if any command in it returns a non-zero status.
98#
99# The framework performs some cleanup tasks after each component. This
100# means that components can assume that the working directory is in a
101# cleaned-up state, and don't need to perform the cleanup themselves.
102# * Run `make clean`.
103# * Restore `include/mbedtls/mbedtls_config.h` from a backup made before running
104#   the component.
105# * Check out `Makefile`, `library/Makefile`, `programs/Makefile`,
106#   `tests/Makefile` and `programs/fuzz/Makefile` from git.
107#   This cleans up after an in-tree use of CMake.
108#
109# The tests are roughly in order from fastest to slowest. This doesn't
110# have to be exact, but in general you should add slower tests towards
111# the end and fast checks near the beginning.
112
113
114
115################################################################
116#### Initialization and command line parsing
117################################################################
118
119# Abort on errors (even on the left-hand side of a pipe).
120# Treat uninitialised variables as errors.
121set -e -o pipefail -u
122
123# Enable ksh/bash extended file matching patterns
124shopt -s extglob
125
126pre_check_environment () {
127    if [ -d library -a -d include -a -d tests ]; then :; else
128        echo "Must be run from mbed TLS root" >&2
129        exit 1
130    fi
131}
132
133pre_initialize_variables () {
134    CONFIG_H='include/mbedtls/mbedtls_config.h'
135    CRYPTO_CONFIG_H='include/psa/crypto_config.h'
136    CONFIG_TEST_DRIVER_H='tests/include/test/drivers/config_test_driver.h'
137
138    # Files that are clobbered by some jobs will be backed up. Use a different
139    # suffix from auxiliary scripts so that all.sh and auxiliary scripts can
140    # independently decide when to remove the backup file.
141    backup_suffix='.all.bak'
142    # Files clobbered by config.py
143    files_to_back_up="$CONFIG_H $CRYPTO_CONFIG_H $CONFIG_TEST_DRIVER_H"
144    # Files clobbered by in-tree cmake
145    files_to_back_up="$files_to_back_up Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile"
146
147    append_outcome=0
148    MEMORY=0
149    FORCE=0
150    QUIET=0
151    KEEP_GOING=0
152
153    # Seed value used with the --release-test option.
154    #
155    # See also RELEASE_SEED in basic-build-test.sh. Debugging is easier if
156    # both values are kept in sync. If you change the value here because it
157    # breaks some tests, you'll definitely want to change it in
158    # basic-build-test.sh as well.
159    RELEASE_SEED=1
160
161    : ${MBEDTLS_TEST_OUTCOME_FILE=}
162    : ${MBEDTLS_TEST_PLATFORM="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
163    export MBEDTLS_TEST_OUTCOME_FILE
164    export MBEDTLS_TEST_PLATFORM
165
166    # Default commands, can be overridden by the environment
167    : ${OPENSSL:="openssl"}
168    : ${OPENSSL_LEGACY:="$OPENSSL"}
169    : ${OPENSSL_NEXT:="$OPENSSL"}
170    : ${GNUTLS_CLI:="gnutls-cli"}
171    : ${GNUTLS_SERV:="gnutls-serv"}
172    : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
173    : ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
174    : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
175    : ${ARMC5_BIN_DIR:=/usr/bin}
176    : ${ARMC6_BIN_DIR:=/usr/bin}
177    : ${ARM_NONE_EABI_GCC_PREFIX:=arm-none-eabi-}
178    : ${ARM_LINUX_GNUEABI_GCC_PREFIX:=arm-linux-gnueabi-}
179
180    # if MAKEFLAGS is not set add the -j option to speed up invocations of make
181    if [ -z "${MAKEFLAGS+set}" ]; then
182        export MAKEFLAGS="-j$(all_sh_nproc)"
183    fi
184
185    # Include more verbose output for failing tests run by CMake or make
186    export CTEST_OUTPUT_ON_FAILURE=1
187
188    # CFLAGS and LDFLAGS for Asan builds that don't use CMake
189    # default to -O2, use -Ox _after_ this if you want another level
190    ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all'
191
192    # Gather the list of available components. These are the functions
193    # defined in this script whose name starts with "component_".
194    # Parse the script with sed. This way we get the functions in the order
195    # they are defined.
196    ALL_COMPONENTS=$(sed -n 's/^ *component_\([0-9A-Z_a-z]*\) *().*/\1/p' <"$0")
197
198    # Exclude components that are not supported on this platform.
199    SUPPORTED_COMPONENTS=
200    for component in $ALL_COMPONENTS; do
201        case $(type "support_$component" 2>&1) in
202            *' function'*)
203                if ! support_$component; then continue; fi;;
204        esac
205        SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
206    done
207}
208
209# Test whether the component $1 is included in the command line patterns.
210is_component_included()
211{
212    # Temporarily disable wildcard expansion so that $COMMAND_LINE_COMPONENTS
213    # only does word splitting.
214    set -f
215    for pattern in $COMMAND_LINE_COMPONENTS; do
216        set +f
217        case ${1#component_} in $pattern) return 0;; esac
218    done
219    set +f
220    return 1
221}
222
223usage()
224{
225    cat <<EOF
226Usage: $0 [OPTION]... [COMPONENT]...
227Run mbedtls release validation tests.
228By default, run all tests. With one or more COMPONENT, run only those.
229COMPONENT can be the name of a component or a shell wildcard pattern.
230
231Examples:
232  $0 "check_*"
233    Run all sanity checks.
234  $0 --no-armcc --except test_memsan
235    Run everything except builds that require armcc and MemSan.
236
237Special options:
238  -h|--help             Print this help and exit.
239  --list-all-components List all available test components and exit.
240  --list-components     List components supported on this platform and exit.
241
242General options:
243  -q|--quiet            Only output component names, and errors if any.
244  -f|--force            Force the tests to overwrite any modified files.
245  -k|--keep-going       Run all tests and report errors at the end.
246  -m|--memory           Additional optional memory tests.
247     --append-outcome   Append to the outcome file (if used).
248     --arm-none-eabi-gcc-prefix=<string>
249                        Prefix for a cross-compiler for arm-none-eabi
250                        (default: "${ARM_NONE_EABI_GCC_PREFIX}")
251     --arm-linux-gnueabi-gcc-prefix=<string>
252                        Prefix for a cross-compiler for arm-linux-gnueabi
253                        (default: "${ARM_LINUX_GNUEABI_GCC_PREFIX}")
254     --armcc            Run ARM Compiler builds (on by default).
255     --restore          First clean up the build tree, restoring backed up
256                        files. Do not run any components unless they are
257                        explicitly specified.
258     --error-test       Error test mode: run a failing function in addition
259                        to any specified component. May be repeated.
260     --except           Exclude the COMPONENTs listed on the command line,
261                        instead of running only those.
262     --no-append-outcome    Write a new outcome file and analyze it (default).
263     --no-armcc         Skip ARM Compiler builds.
264     --no-force         Refuse to overwrite modified files (default).
265     --no-keep-going    Stop at the first error (default).
266     --no-memory        No additional memory tests (default).
267     --no-quiet         Print full output from components.
268     --out-of-source-dir=<path>  Directory used for CMake out-of-source build tests.
269     --outcome-file=<path>  File where test outcomes are written (not done if
270                            empty; default: \$MBEDTLS_TEST_OUTCOME_FILE).
271     --random-seed      Use a random seed value for randomized tests (default).
272  -r|--release-test     Run this script in release mode. This fixes the seed value to ${RELEASE_SEED}.
273  -s|--seed             Integer seed value to use for this test run.
274
275Tool path options:
276     --armc5-bin-dir=<ARMC5_bin_dir_path>       ARM Compiler 5 bin directory.
277     --armc6-bin-dir=<ARMC6_bin_dir_path>       ARM Compiler 6 bin directory.
278     --gnutls-cli=<GnuTLS_cli_path>             GnuTLS client executable to use for most tests.
279     --gnutls-serv=<GnuTLS_serv_path>           GnuTLS server executable to use for most tests.
280     --gnutls-legacy-cli=<GnuTLS_cli_path>      GnuTLS client executable to use for legacy tests.
281     --gnutls-legacy-serv=<GnuTLS_serv_path>    GnuTLS server executable to use for legacy tests.
282     --openssl=<OpenSSL_path>                   OpenSSL executable to use for most tests.
283     --openssl-legacy=<OpenSSL_path>            OpenSSL executable to use for legacy tests..
284     --openssl-next=<OpenSSL_path>              OpenSSL executable to use for recent things like ARIA
285EOF
286}
287
288# Cleanup before/after running a component.
289# Remove built files as well as the cmake cache/config.
290# Does not remove generated source files.
291cleanup()
292{
293    command make clean
294
295    # Remove CMake artefacts
296    find . -name .git -prune -o \
297           -iname CMakeFiles -exec rm -rf {} \+ -o \
298           \( -iname cmake_install.cmake -o \
299              -iname CTestTestfile.cmake -o \
300              -iname CMakeCache.txt -o \
301              -path './cmake/*.cmake' \) -exec rm -f {} \+
302    # Recover files overwritten by in-tree CMake builds
303    rm -f include/Makefile include/mbedtls/Makefile programs/!(fuzz)/Makefile
304
305    # Remove any artifacts from the component_test_cmake_as_subdirectory test.
306    rm -rf programs/test/cmake_subproject/build
307    rm -f programs/test/cmake_subproject/Makefile
308    rm -f programs/test/cmake_subproject/cmake_subproject
309
310    # Remove any artifacts from the component_test_cmake_as_package test.
311    rm -rf programs/test/cmake_package/build
312    rm -f programs/test/cmake_package/Makefile
313    rm -f programs/test/cmake_package/cmake_package
314
315    # Remove any artifacts from the component_test_cmake_as_installed_package test.
316    rm -rf programs/test/cmake_package_install/build
317    rm -f programs/test/cmake_package_install/Makefile
318    rm -f programs/test/cmake_package_install/cmake_package_install
319
320    # Restore files that may have been clobbered by the job
321    for x in $files_to_back_up; do
322        if [[ -e "$x$backup_suffix" ]]; then
323            cp -p "$x$backup_suffix" "$x"
324        fi
325    done
326}
327
328# Final cleanup when this script exits (except when exiting on a failure
329# in non-keep-going mode).
330final_cleanup () {
331    cleanup
332
333    for x in $files_to_back_up; do
334        rm -f "$x$backup_suffix"
335    done
336}
337
338# Executed on exit. May be redefined depending on command line options.
339final_report () {
340    :
341}
342
343fatal_signal () {
344    final_cleanup
345    final_report $1
346    trap - $1
347    kill -$1 $$
348}
349
350trap 'fatal_signal HUP' HUP
351trap 'fatal_signal INT' INT
352trap 'fatal_signal TERM' TERM
353
354# Number of processors on this machine. Used as the default setting
355# for parallel make.
356all_sh_nproc ()
357{
358    {
359        nproc || # Linux
360        sysctl -n hw.ncpuonline || # NetBSD, OpenBSD
361        sysctl -n hw.ncpu || # FreeBSD
362        echo 1
363    } 2>/dev/null
364}
365
366msg()
367{
368    if [ -n "${current_component:-}" ]; then
369        current_section="${current_component#component_}: $1"
370    else
371        current_section="$1"
372    fi
373
374    if [ $QUIET -eq 1 ]; then
375        return
376    fi
377
378    echo ""
379    echo "******************************************************************"
380    echo "* $current_section "
381    printf "* "; date
382    echo "******************************************************************"
383}
384
385armc6_build_test()
386{
387    FLAGS="$1"
388
389    msg "build: ARM Compiler 6 ($FLAGS)"
390    ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \
391                    WARNING_CFLAGS='-Werror -xc -std=c99' make lib
392
393    msg "size: ARM Compiler 6 ($FLAGS)"
394    "$ARMC6_FROMELF" -z library/*.o
395
396    make clean
397}
398
399err_msg()
400{
401    echo "$1" >&2
402}
403
404check_tools()
405{
406    for TOOL in "$@"; do
407        if ! `type "$TOOL" >/dev/null 2>&1`; then
408            err_msg "$TOOL not found!"
409            exit 1
410        fi
411    done
412}
413
414pre_parse_command_line () {
415    COMMAND_LINE_COMPONENTS=
416    all_except=0
417    error_test=0
418    restore_first=0
419    no_armcc=
420
421    # Note that legacy options are ignored instead of being omitted from this
422    # list of options, so invocations that worked with previous version of
423    # all.sh will still run and work properly.
424    while [ $# -gt 0 ]; do
425        case "$1" in
426            --append-outcome) append_outcome=1;;
427            --arm-none-eabi-gcc-prefix) shift; ARM_NONE_EABI_GCC_PREFIX="$1";;
428            --arm-linux-gnueabi-gcc-prefix) shift; ARM_LINUX_GNUEABI_GCC_PREFIX="$1";;
429            --armcc) no_armcc=;;
430            --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
431            --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
432            --error-test) error_test=$((error_test + 1));;
433            --except) all_except=1;;
434            --force|-f) FORCE=1;;
435            --gnutls-cli) shift; GNUTLS_CLI="$1";;
436            --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
437            --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
438            --gnutls-serv) shift; GNUTLS_SERV="$1";;
439            --help|-h) usage; exit;;
440            --keep-going|-k) KEEP_GOING=1;;
441            --list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;;
442            --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;;
443            --memory|-m) MEMORY=1;;
444            --no-append-outcome) append_outcome=0;;
445            --no-armcc) no_armcc=1;;
446            --no-force) FORCE=0;;
447            --no-keep-going) KEEP_GOING=0;;
448            --no-memory) MEMORY=0;;
449            --no-quiet) QUIET=0;;
450            --openssl) shift; OPENSSL="$1";;
451            --openssl-legacy) shift; OPENSSL_LEGACY="$1";;
452            --openssl-next) shift; OPENSSL_NEXT="$1";;
453            --outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE="$1";;
454            --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
455            --quiet|-q) QUIET=1;;
456            --random-seed) unset SEED;;
457            --release-test|-r) SEED=$RELEASE_SEED;;
458            --restore) restore_first=1;;
459            --seed|-s) shift; SEED="$1";;
460            -*)
461                echo >&2 "Unknown option: $1"
462                echo >&2 "Run $0 --help for usage."
463                exit 120
464                ;;
465            *) COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS $1";;
466        esac
467        shift
468    done
469
470    # With no list of components, run everything.
471    if [ -z "$COMMAND_LINE_COMPONENTS" ] && [ $restore_first -eq 0 ]; then
472        all_except=1
473    fi
474
475    # --no-armcc is a legacy option. The modern way is --except '*_armcc*'.
476    # Ignore it if components are listed explicitly on the command line.
477    if [ -n "$no_armcc" ] && [ $all_except -eq 1 ]; then
478        COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_armcc*"
479    fi
480
481    # Error out if an explicitly requested component doesn't exist.
482    if [ $all_except -eq 0 ]; then
483        unsupported=0
484        # Temporarily disable wildcard expansion so that $COMMAND_LINE_COMPONENTS
485        # only does word splitting.
486        set -f
487        for component in $COMMAND_LINE_COMPONENTS; do
488            set +f
489            # If the requested name includes a wildcard character, don't
490            # check it. Accept wildcard patterns that don't match anything.
491            case $component in
492                *[*?\[]*) continue;;
493            esac
494            case " $SUPPORTED_COMPONENTS " in
495                *" $component "*) :;;
496                *)
497                    echo >&2 "Component $component was explicitly requested, but is not known or not supported."
498                    unsupported=$((unsupported + 1));;
499            esac
500        done
501        set +f
502        if [ $unsupported -ne 0 ]; then
503            exit 2
504        fi
505    fi
506
507    # Build the list of components to run.
508    RUN_COMPONENTS=
509    for component in $SUPPORTED_COMPONENTS; do
510        if is_component_included "$component"; [ $? -eq $all_except ]; then
511            RUN_COMPONENTS="$RUN_COMPONENTS $component"
512        fi
513    done
514
515    unset all_except
516    unset no_armcc
517}
518
519pre_check_git () {
520    if [ $FORCE -eq 1 ]; then
521        rm -rf "$OUT_OF_SOURCE_DIR"
522        git checkout-index -f -q $CONFIG_H
523        cleanup
524    else
525
526        if [ -d "$OUT_OF_SOURCE_DIR" ]; then
527            echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2
528            echo "You can either delete this directory manually, or force the test by rerunning"
529            echo "the script as: $0 --force --out-of-source-dir $OUT_OF_SOURCE_DIR"
530            exit 1
531        fi
532
533        if ! git diff --quiet include/mbedtls/mbedtls_config.h; then
534            err_msg "Warning - the configuration file 'include/mbedtls/mbedtls_config.h' has been edited. "
535            echo "You can either delete or preserve your work, or force the test by rerunning the"
536            echo "script as: $0 --force"
537            exit 1
538        fi
539    fi
540}
541
542pre_restore_files () {
543    # If the makefiles have been generated by a framework such as cmake,
544    # restore them from git. If the makefiles look like modifications from
545    # the ones checked into git, take care not to modify them. Whatever
546    # this function leaves behind is what the script will restore before
547    # each component.
548    case "$(head -n1 Makefile)" in
549        *[Gg]enerated*)
550            git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile
551            git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile
552            ;;
553    esac
554}
555
556pre_back_up () {
557    for x in $files_to_back_up; do
558        cp -p "$x" "$x$backup_suffix"
559    done
560}
561
562pre_setup_keep_going () {
563    failure_count=0 # Number of failed components
564    last_failure_status=0 # Last failure status in this component
565
566    # See err_trap
567    previous_failure_status=0
568    previous_failed_command=
569    previous_failure_funcall_depth=0
570    unset report_failed_command
571
572    start_red=
573    end_color=
574    if [ -t 1 ]; then
575        case "${TERM:-}" in
576            *color*|cygwin|linux|rxvt*|screen|[Eex]term*)
577                start_red=$(printf '\033[31m')
578                end_color=$(printf '\033[0m')
579                ;;
580        esac
581    fi
582
583    # Keep a summary of failures in a file. We'll print it out at the end.
584    failure_summary_file=$PWD/all-sh-failures-$$.log
585    : >"$failure_summary_file"
586
587    # Whether it makes sense to keep a component going after the specified
588    # command fails (test command) or not (configure or build).
589    # This function normally receives the failing simple command
590    # ($BASH_COMMAND) as an argument, but if $report_failed_command is set,
591    # this is passed instead.
592    # This doesn't have to be 100% accurate: all failures are recorded anyway.
593    # False positives result in running things that can't be expected to
594    # work. False negatives result in things not running after something else
595    # failed even though they might have given useful feedback.
596    can_keep_going_after_failure () {
597        case "$1" in
598            "msg "*) false;;
599            "cd "*) false;;
600            *make*[\ /]tests*) false;; # make tests, make CFLAGS=-I../tests, ...
601            *test*) true;; # make test, tests/stuff, env V=v tests/stuff, ...
602            *make*check*) true;;
603            "grep "*) true;;
604            "[ "*) true;;
605            "! "*) true;;
606            *) false;;
607        esac
608    }
609
610    # This function runs if there is any error in a component.
611    # It must either exit with a nonzero status, or set
612    # last_failure_status to a nonzero value.
613    err_trap () {
614        # Save $? (status of the failing command). This must be the very
615        # first thing, before $? is overridden.
616        last_failure_status=$?
617        failed_command=${report_failed_command-$BASH_COMMAND}
618
619        if [[ $last_failure_status -eq $previous_failure_status &&
620              "$failed_command" == "$previous_failed_command" &&
621              ${#FUNCNAME[@]} == $((previous_failure_funcall_depth - 1)) ]]
622        then
623            # The same command failed twice in a row, but this time one level
624            # less deep in the function call stack. This happens when the last
625            # command of a function returns a nonzero status, and the function
626            # returns that same status. Ignore the second failure.
627            previous_failure_funcall_depth=${#FUNCNAME[@]}
628            return
629        fi
630        previous_failure_status=$last_failure_status
631        previous_failed_command=$failed_command
632        previous_failure_funcall_depth=${#FUNCNAME[@]}
633
634        text="$current_section: $failed_command -> $last_failure_status"
635        echo "${start_red}^^^^$text^^^^${end_color}" >&2
636        echo "$text" >>"$failure_summary_file"
637
638        # If the command is fatal (configure or build command), stop this
639        # component. Otherwise (test command) keep the component running
640        # (run more tests from the same build).
641        if ! can_keep_going_after_failure "$failed_command"; then
642            exit $last_failure_status
643        fi
644    }
645
646    final_report () {
647        if [ $failure_count -gt 0 ]; then
648            echo
649            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
650            echo "${start_red}FAILED: $failure_count components${end_color}"
651            cat "$failure_summary_file"
652            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
653        elif [ -z "${1-}" ]; then
654            echo "SUCCESS :)"
655        fi
656        if [ -n "${1-}" ]; then
657            echo "Killed by SIG$1."
658        fi
659        rm -f "$failure_summary_file"
660        if [ $failure_count -gt 0 ]; then
661            exit 1
662        fi
663    }
664}
665
666# record_status() and if_build_succeeded() are kept temporarily for backward
667# compatibility. Don't use them in new components.
668record_status () {
669    "$@"
670}
671if_build_succeeded () {
672    "$@"
673}
674
675# '! true' does not trigger the ERR trap. Arrange to trigger it, with
676# a reasonably informative error message (not just "$@").
677not () {
678    if "$@"; then
679        report_failed_command="! $*"
680        false
681        unset report_failed_command
682    fi
683}
684
685pre_prepare_outcome_file () {
686    case "$MBEDTLS_TEST_OUTCOME_FILE" in
687      [!/]*) MBEDTLS_TEST_OUTCOME_FILE="$PWD/$MBEDTLS_TEST_OUTCOME_FILE";;
688    esac
689    if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ] && [ "$append_outcome" -eq 0 ]; then
690        rm -f "$MBEDTLS_TEST_OUTCOME_FILE"
691    fi
692}
693
694pre_print_configuration () {
695    if [ $QUIET -eq 1 ]; then
696        return
697    fi
698
699    msg "info: $0 configuration"
700    echo "MEMORY: $MEMORY"
701    echo "FORCE: $FORCE"
702    echo "MBEDTLS_TEST_OUTCOME_FILE: ${MBEDTLS_TEST_OUTCOME_FILE:-(none)}"
703    echo "SEED: ${SEED-"UNSET"}"
704    echo
705    echo "OPENSSL: $OPENSSL"
706    echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
707    echo "OPENSSL_NEXT: $OPENSSL_NEXT"
708    echo "GNUTLS_CLI: $GNUTLS_CLI"
709    echo "GNUTLS_SERV: $GNUTLS_SERV"
710    echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
711    echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
712    echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
713    echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
714}
715
716# Make sure the tools we need are available.
717pre_check_tools () {
718    # Build the list of variables to pass to output_env.sh.
719    set env
720
721    case " $RUN_COMPONENTS " in
722        # Require OpenSSL and GnuTLS if running any tests (as opposed to
723        # only doing builds). Not all tests run OpenSSL and GnuTLS, but this
724        # is a good enough approximation in practice.
725        *" test_"*)
726            # To avoid setting OpenSSL and GnuTLS for each call to compat.sh
727            # and ssl-opt.sh, we just export the variables they require.
728            export OPENSSL="$OPENSSL"
729            export GNUTLS_CLI="$GNUTLS_CLI"
730            export GNUTLS_SERV="$GNUTLS_SERV"
731            # Avoid passing --seed flag in every call to ssl-opt.sh
732            if [ -n "${SEED-}" ]; then
733                export SEED
734            fi
735            set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
736            set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
737            set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
738            set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
739            check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
740                        "$GNUTLS_CLI" "$GNUTLS_SERV" \
741                        "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
742            ;;
743    esac
744
745    case " $RUN_COMPONENTS " in
746        *_doxygen[_\ ]*) check_tools "doxygen" "dot";;
747    esac
748
749    case " $RUN_COMPONENTS " in
750        *_arm_none_eabi_gcc[_\ ]*) check_tools "${ARM_NONE_EABI_GCC_PREFIX}gcc";;
751    esac
752
753    case " $RUN_COMPONENTS " in
754        *_mingw[_\ ]*) check_tools "i686-w64-mingw32-gcc";;
755    esac
756
757    case " $RUN_COMPONENTS " in
758        *" test_zeroize "*) check_tools "gdb";;
759    esac
760
761    case " $RUN_COMPONENTS " in
762        *_armcc*)
763            ARMC5_CC="$ARMC5_BIN_DIR/armcc"
764            ARMC5_AR="$ARMC5_BIN_DIR/armar"
765            ARMC5_FROMELF="$ARMC5_BIN_DIR/fromelf"
766            ARMC6_CC="$ARMC6_BIN_DIR/armclang"
767            ARMC6_AR="$ARMC6_BIN_DIR/armar"
768            ARMC6_FROMELF="$ARMC6_BIN_DIR/fromelf"
769            check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC5_FROMELF" \
770                        "$ARMC6_CC" "$ARMC6_AR" "$ARMC6_FROMELF";;
771    esac
772
773    # past this point, no call to check_tool, only printing output
774    if [ $QUIET -eq 1 ]; then
775        return
776    fi
777
778    msg "info: output_env.sh"
779    case $RUN_COMPONENTS in
780        *_armcc*)
781            set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
782        *) set "$@" RUN_ARMCC=0;;
783    esac
784    "$@" scripts/output_env.sh
785}
786
787pre_generate_files() {
788    # since make doesn't have proper dependencies, remove any possibly outdate
789    # file that might be around before generating fresh ones
790    make neat
791    if [ $QUIET -eq 1 ]; then
792        make generated_files >/dev/null
793    else
794        make generated_files
795    fi
796}
797
798
799
800################################################################
801#### Basic checks
802################################################################
803
804#
805# Test Suites to be executed
806#
807# The test ordering tries to optimize for the following criteria:
808# 1. Catch possible problems early, by running first tests that run quickly
809#    and/or are more likely to fail than others (eg I use Clang most of the
810#    time, so start with a GCC build).
811# 2. Minimize total running time, by avoiding useless rebuilds
812#
813# Indicative running times are given for reference.
814
815component_check_recursion () {
816    msg "Check: recursion.pl" # < 1s
817    tests/scripts/recursion.pl library/*.c
818}
819
820component_check_generated_files () {
821    msg "Check: check-generated-files, files generated with make" # 2s
822    make generated_files
823    tests/scripts/check-generated-files.sh
824
825    msg "Check: check-generated-files -u, files present" # 2s
826    tests/scripts/check-generated-files.sh -u
827    # Check that the generated files are considered up to date.
828    tests/scripts/check-generated-files.sh
829
830    msg "Check: check-generated-files -u, files absent" # 2s
831    command make neat
832    tests/scripts/check-generated-files.sh -u
833    # Check that the generated files are considered up to date.
834    tests/scripts/check-generated-files.sh
835
836    # This component ends with the generated files present in the source tree.
837    # This is necessary for subsequent components!
838}
839
840component_check_doxy_blocks () {
841    msg "Check: doxygen markup outside doxygen blocks" # < 1s
842    tests/scripts/check-doxy-blocks.pl
843}
844
845component_check_files () {
846    msg "Check: file sanity checks (permissions, encodings)" # < 1s
847    tests/scripts/check_files.py
848}
849
850component_check_changelog () {
851    msg "Check: changelog entries" # < 1s
852    rm -f ChangeLog.new
853    scripts/assemble_changelog.py -o ChangeLog.new
854    if [ -e ChangeLog.new ]; then
855        # Show the diff for information. It isn't an error if the diff is
856        # non-empty.
857        diff -u ChangeLog ChangeLog.new || true
858        rm ChangeLog.new
859    fi
860}
861
862component_check_names () {
863    msg "Check: declared and exported names (builds the library)" # < 3s
864    tests/scripts/check_names.py -v
865}
866
867component_check_test_cases () {
868    msg "Check: test case descriptions" # < 1s
869    if [ $QUIET -eq 1 ]; then
870        opt='--quiet'
871    else
872        opt=''
873    fi
874    tests/scripts/check_test_cases.py -q $opt
875    unset opt
876}
877
878component_check_doxygen_warnings () {
879    msg "Check: doxygen warnings (builds the documentation)" # ~ 3s
880    tests/scripts/doxygen.sh
881}
882
883
884
885################################################################
886#### Build and test many configurations and targets
887################################################################
888
889component_test_default_out_of_box () {
890    msg "build: make, default config (out-of-box)" # ~1min
891    make
892    # Disable fancy stuff
893    unset MBEDTLS_TEST_OUTCOME_FILE
894
895    msg "test: main suites make, default config (out-of-box)" # ~10s
896    make test
897
898    msg "selftest: make, default config (out-of-box)" # ~10s
899    programs/test/selftest
900}
901
902component_test_default_cmake_gcc_asan () {
903    msg "build: cmake, gcc, ASan" # ~ 1 min 50s
904    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
905    make
906
907    msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
908    make test
909
910    msg "test: selftest (ASan build)" # ~ 10s
911    programs/test/selftest
912
913    msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
914    tests/ssl-opt.sh
915
916    msg "test: compat.sh (ASan build)" # ~ 6 min
917    tests/compat.sh
918
919    msg "test: context-info.sh (ASan build)" # ~ 15 sec
920    tests/context-info.sh
921}
922
923component_test_full_cmake_gcc_asan () {
924    msg "build: full config, cmake, gcc, ASan"
925    scripts/config.py full
926    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
927    make
928
929    msg "test: main suites (inc. selftests) (full config, ASan build)"
930    make test
931
932    msg "test: selftest (ASan build)" # ~ 10s
933    programs/test/selftest
934
935    msg "test: ssl-opt.sh (full config, ASan build)"
936    tests/ssl-opt.sh
937
938    msg "test: compat.sh (full config, ASan build)"
939    tests/compat.sh
940
941    msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
942    tests/context-info.sh
943
944    msg "test: check direct ECP dependencies in TLS and X.509"
945    docs/architecture/psa-migration/syms.sh full
946
947    # TODO: replace "mbedtls_ecp_curve" with "mbedtls_ecp" also for
948    # "full-tls-external" once Issue6839 is completed
949    not grep mbedtls_ecp_curve full-tls-external
950    not grep mbedtls_ecp full-x509-external
951
952    rm  full-tls-external \
953        full-tls-modules \
954        full-x509-external \
955        full-x509-modules
956}
957
958component_test_psa_crypto_key_id_encodes_owner () {
959    msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
960    scripts/config.py full
961    scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
962    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
963    make
964
965    msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
966    make test
967}
968
969# check_renamed_symbols HEADER LIB
970# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
971# name is LIB.
972check_renamed_symbols () {
973    ! nm "$2" | sed 's/.* //' |
974      grep -x -F "$(sed -n 's/^ *# *define  *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")"
975}
976
977component_build_psa_crypto_spm () {
978    msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc"
979    scripts/config.py full
980    scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
981    scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
982    scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM
983    # We can only compile, not link, since our test and sample programs
984    # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM
985    # is active.
986    make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib
987
988    # Check that if a symbol is renamed by crypto_spe.h, the non-renamed
989    # version is not present.
990    echo "Checking for renamed symbols in the library"
991    check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
992}
993
994component_test_psa_crypto_client () {
995    msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
996    scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
997    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
998    scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT
999    scripts/config.py unset MBEDTLS_LMS_C
1000    scripts/config.py unset MBEDTLS_LMS_PRIVATE
1001    make
1002
1003    msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
1004    make test
1005}
1006
1007component_test_psa_crypto_rsa_no_genprime() {
1008    msg "build: default config minus MBEDTLS_GENPRIME"
1009    scripts/config.py unset MBEDTLS_GENPRIME
1010    make
1011
1012    msg "test: default config minus MBEDTLS_GENPRIME"
1013    make test
1014}
1015
1016component_test_ref_configs () {
1017    msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
1018    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
1019    # want to re-generate generated files that depend on it, quite correctly.
1020    # However this doesn't work as the generation script expects a specific
1021    # format for mbedtls_config.h, which the other files don't follow. Also,
1022    # cmake can't know this, but re-generation is actually not necessary as
1023    # the generated files only depend on the list of available options, not
1024    # whether they're on or off. So, disable cmake's (over-sensitive here)
1025    # dependency resolution for generated files and just rely on them being
1026    # present (thanks to pre_generate_files) by turning GEN_FILES off.
1027    CC=gcc cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
1028    tests/scripts/test-ref-configs.pl
1029}
1030
1031component_test_no_renegotiation () {
1032    msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
1033    scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION
1034    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1035    make
1036
1037    msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
1038    make test
1039
1040    msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
1041    tests/ssl-opt.sh
1042}
1043
1044component_test_no_pem_no_fs () {
1045    msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)"
1046    scripts/config.py unset MBEDTLS_PEM_PARSE_C
1047    scripts/config.py unset MBEDTLS_FS_IO
1048    scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem
1049    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS
1050    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1051    make
1052
1053    msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s
1054    make test
1055
1056    msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min
1057    tests/ssl-opt.sh
1058}
1059
1060component_test_rsa_no_crt () {
1061    msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
1062    scripts/config.py set MBEDTLS_RSA_NO_CRT
1063    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1064    make
1065
1066    msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
1067    make test
1068
1069    msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
1070    tests/ssl-opt.sh -f RSA
1071
1072    msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
1073    tests/compat.sh -t RSA
1074
1075    msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec
1076    tests/context-info.sh
1077}
1078
1079component_test_no_ctr_drbg_classic () {
1080    msg "build: Full minus CTR_DRBG, classic crypto in TLS"
1081    scripts/config.py full
1082    scripts/config.py unset MBEDTLS_CTR_DRBG_C
1083    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1084    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1085
1086    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1087    make
1088
1089    msg "test: Full minus CTR_DRBG, classic crypto - main suites"
1090    make test
1091
1092    # In this configuration, the TLS test programs use HMAC_DRBG.
1093    # The SSL tests are slow, so run a small subset, just enough to get
1094    # confidence that the SSL code copes with HMAC_DRBG.
1095    msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)"
1096    tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
1097
1098    msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)"
1099    tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
1100}
1101
1102component_test_no_ctr_drbg_use_psa () {
1103    msg "build: Full minus CTR_DRBG, PSA crypto in TLS"
1104    scripts/config.py full
1105    scripts/config.py unset MBEDTLS_CTR_DRBG_C
1106    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1107
1108    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1109    make
1110
1111    msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
1112    make test
1113
1114    # In this configuration, the TLS test programs use HMAC_DRBG.
1115    # The SSL tests are slow, so run a small subset, just enough to get
1116    # confidence that the SSL code copes with HMAC_DRBG.
1117    msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
1118    tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
1119
1120    msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
1121    tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
1122}
1123
1124component_test_no_hmac_drbg_classic () {
1125    msg "build: Full minus HMAC_DRBG, classic crypto in TLS"
1126    scripts/config.py full
1127    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
1128    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
1129    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1130    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1131
1132    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1133    make
1134
1135    msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
1136    make test
1137
1138    # Normally our ECDSA implementation uses deterministic ECDSA. But since
1139    # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
1140    # instead.
1141    # Test SSL with non-deterministic ECDSA. Only test features that
1142    # might be affected by how ECDSA signature is performed.
1143    msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)"
1144    tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
1145
1146    # To save time, only test one protocol version, since this part of
1147    # the protocol is identical in (D)TLS up to 1.2.
1148    msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)"
1149    tests/compat.sh -m tls12 -t 'ECDSA'
1150}
1151
1152component_test_no_hmac_drbg_use_psa () {
1153    msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
1154    scripts/config.py full
1155    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
1156    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
1157    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1158
1159    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1160    make
1161
1162    msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
1163    make test
1164
1165    # Normally our ECDSA implementation uses deterministic ECDSA. But since
1166    # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
1167    # instead.
1168    # Test SSL with non-deterministic ECDSA. Only test features that
1169    # might be affected by how ECDSA signature is performed.
1170    msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
1171    tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
1172
1173    # To save time, only test one protocol version, since this part of
1174    # the protocol is identical in (D)TLS up to 1.2.
1175    msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
1176    tests/compat.sh -m tls12 -t 'ECDSA'
1177}
1178
1179component_test_psa_external_rng_no_drbg_classic () {
1180    msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS"
1181    scripts/config.py full
1182    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1183    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1184    scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
1185    scripts/config.py unset MBEDTLS_ENTROPY_C
1186    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
1187    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
1188    scripts/config.py unset MBEDTLS_CTR_DRBG_C
1189    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
1190    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
1191    # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
1192    # the SSL test programs don't have an RNG and can't work. Explicitly
1193    # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
1194    make CFLAGS="$ASAN_CFLAGS -O2 -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
1195
1196    msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
1197    make test
1198
1199    msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)"
1200    tests/ssl-opt.sh -f 'Default'
1201}
1202
1203component_test_psa_external_rng_no_drbg_use_psa () {
1204    msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
1205    scripts/config.py full
1206    scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
1207    scripts/config.py unset MBEDTLS_ENTROPY_C
1208    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
1209    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
1210    scripts/config.py unset MBEDTLS_CTR_DRBG_C
1211    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
1212    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
1213    make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
1214
1215    msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
1216    make test
1217
1218    msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)"
1219    tests/ssl-opt.sh -f 'Default\|opaque'
1220}
1221
1222component_test_crypto_full_md_light_only () {
1223    msg "build: crypto_full with only the light subset of MD"
1224    scripts/config.py crypto_full
1225    # Disable MD
1226    scripts/config.py unset MBEDTLS_MD_C
1227    # Disable direct dependencies of MD
1228    scripts/config.py unset MBEDTLS_HKDF_C
1229    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
1230    scripts/config.py unset MBEDTLS_PKCS7_C
1231    # Disable indirect dependencies of MD
1232    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
1233    # Note: MD-light is auto-enabled in build_info.h by modules that need it,
1234    # which we haven't disabled, so no need to explicitly enable it.
1235    make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
1236
1237    # Make sure we don't have the HMAC functions, but the hashing functions
1238    not grep mbedtls_md_hmac library/md.o
1239    grep mbedtls_md library/md.o
1240
1241    msg "test: crypto_full with only the light subset of MD"
1242    make test
1243}
1244
1245component_test_full_no_cipher () {
1246    msg "build: full minus CIPHER"
1247    scripts/config.py full
1248    scripts/config.py unset MBEDTLS_CIPHER_C
1249    # Direct dependencies
1250    scripts/config.py unset MBEDTLS_CCM_C
1251    scripts/config.py unset MBEDTLS_CMAC_C
1252    scripts/config.py unset MBEDTLS_GCM_C
1253    scripts/config.py unset MBEDTLS_NIST_KW_C
1254    scripts/config.py unset MBEDTLS_PKCS12_C
1255    scripts/config.py unset MBEDTLS_PKCS5_C
1256    scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
1257    scripts/config.py unset MBEDTLS_SSL_TLS_C
1258    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1259    # Indirect dependencies
1260    scripts/config.py unset MBEDTLS_SSL_CLI_C
1261    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
1262    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
1263    scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY
1264    scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID
1265    scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
1266    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
1267    scripts/config.py unset MBEDTLS_SSL_SRV_C
1268    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1269    scripts/config.py unset MBEDTLS_LMS_C
1270    scripts/config.py unset MBEDTLS_LMS_PRIVATE
1271    make
1272
1273    msg "test: full minus CIPHER"
1274    make test
1275}
1276
1277component_test_crypto_full_no_cipher () {
1278    msg "build: crypto_full minus CIPHER"
1279    scripts/config.py crypto_full
1280    scripts/config.py unset MBEDTLS_CIPHER_C
1281    # Direct dependencies
1282    scripts/config.py unset MBEDTLS_CCM_C
1283    scripts/config.py unset MBEDTLS_CMAC_C
1284    scripts/config.py unset MBEDTLS_GCM_C
1285    scripts/config.py unset MBEDTLS_NIST_KW_C
1286    scripts/config.py unset MBEDTLS_PKCS12_C
1287    scripts/config.py unset MBEDTLS_PKCS5_C
1288    scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
1289    # Indirect dependencies
1290    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
1291    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
1292    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1293    scripts/config.py unset MBEDTLS_LMS_C
1294    scripts/config.py unset MBEDTLS_LMS_PRIVATE
1295    make
1296
1297    msg "test: crypto_full minus CIPHER"
1298    make test
1299}
1300
1301component_test_full_no_bignum () {
1302    msg "build: full minus bignum"
1303    scripts/config.py full
1304    scripts/config.py unset MBEDTLS_BIGNUM_C
1305    # Direct dependencies of bignum
1306    scripts/config.py unset MBEDTLS_ECP_C
1307    scripts/config.py unset MBEDTLS_RSA_C
1308    scripts/config.py unset MBEDTLS_DHM_C
1309    # Direct dependencies of ECP
1310    scripts/config.py unset MBEDTLS_ECDH_C
1311    scripts/config.py unset MBEDTLS_ECDSA_C
1312    scripts/config.py unset MBEDTLS_ECJPAKE_C
1313    scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1314    # Indirect dependencies of ECP
1315    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
1316    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
1317    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
1318    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
1319    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
1320    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1321    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
1322    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
1323    # Direct dependencies of DHM
1324    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
1325    # Direct dependencies of RSA
1326    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
1327    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
1328    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
1329    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
1330    # PK and its dependencies
1331    scripts/config.py unset MBEDTLS_PK_C
1332    scripts/config.py unset MBEDTLS_PK_PARSE_C
1333    scripts/config.py unset MBEDTLS_PK_WRITE_C
1334    scripts/config.py unset MBEDTLS_X509_USE_C
1335    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
1336    scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C
1337    scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C
1338    scripts/config.py unset MBEDTLS_X509_CREATE_C
1339    scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C
1340    scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C
1341    scripts/config.py unset MBEDTLS_PKCS7_C
1342    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
1343    scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE
1344    scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
1345
1346    make
1347
1348    msg "test: full minus bignum"
1349    make test
1350}
1351
1352component_test_tls1_2_default_stream_cipher_only () {
1353    msg "build: default with only stream cipher"
1354
1355    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
1356    scripts/config.py unset MBEDTLS_GCM_C
1357    scripts/config.py unset MBEDTLS_CCM_C
1358    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
1359    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
1360    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
1361    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1362    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
1363    # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
1364    scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
1365    # Modules that depend on AEAD
1366    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
1367    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1368
1369    make
1370
1371    msg "test: default with only stream cipher"
1372    make test
1373
1374    # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
1375}
1376
1377component_test_tls1_2_default_stream_cipher_only_use_psa () {
1378    msg "build: default with only stream cipher use psa"
1379
1380    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1381    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
1382    scripts/config.py unset MBEDTLS_GCM_C
1383    scripts/config.py unset MBEDTLS_CCM_C
1384    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
1385    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
1386    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
1387    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1388    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
1389    # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
1390    scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
1391    # Modules that depend on AEAD
1392    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
1393    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1394
1395    make
1396
1397    msg "test: default with only stream cipher use psa"
1398    make test
1399
1400    # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
1401}
1402
1403component_test_tls1_2_default_cbc_legacy_cipher_only () {
1404    msg "build: default with only CBC-legacy cipher"
1405
1406    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
1407    scripts/config.py unset MBEDTLS_GCM_C
1408    scripts/config.py unset MBEDTLS_CCM_C
1409    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
1410    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
1411    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
1412    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1413    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
1414    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
1415    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
1416    # Modules that depend on AEAD
1417    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
1418    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1419
1420    make
1421
1422    msg "test: default with only CBC-legacy cipher"
1423    make test
1424
1425    msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
1426    tests/ssl-opt.sh -f "TLS 1.2"
1427}
1428
1429component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
1430    msg "build: default with only CBC-legacy cipher use psa"
1431
1432    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1433    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
1434    scripts/config.py unset MBEDTLS_GCM_C
1435    scripts/config.py unset MBEDTLS_CCM_C
1436    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
1437    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
1438    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
1439    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1440    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
1441    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
1442    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
1443    # Modules that depend on AEAD
1444    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
1445    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1446
1447    make
1448
1449    msg "test: default with only CBC-legacy cipher use psa"
1450    make test
1451
1452    msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)"
1453    tests/ssl-opt.sh -f "TLS 1.2"
1454}
1455
1456component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
1457    msg "build: default with only CBC-legacy and CBC-EtM ciphers"
1458
1459    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
1460    scripts/config.py unset MBEDTLS_GCM_C
1461    scripts/config.py unset MBEDTLS_CCM_C
1462    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
1463    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
1464    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
1465    # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1466    scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
1467    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
1468    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
1469    # Modules that depend on AEAD
1470    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
1471    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1472
1473    make
1474
1475    msg "test: default with only CBC-legacy and CBC-EtM ciphers"
1476    make test
1477
1478    msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
1479    tests/ssl-opt.sh -f "TLS 1.2"
1480}
1481
1482component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
1483    msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
1484
1485    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1486    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
1487    scripts/config.py unset MBEDTLS_GCM_C
1488    scripts/config.py unset MBEDTLS_CCM_C
1489    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
1490    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
1491    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
1492    # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1493    scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
1494    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
1495    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
1496    # Modules that depend on AEAD
1497    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
1498    scripts/config.py unset MBEDTLS_SSL_TICKET_C
1499
1500    make
1501
1502    msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa"
1503    make test
1504
1505    msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)"
1506    tests/ssl-opt.sh -f "TLS 1.2"
1507}
1508
1509# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
1510# that we could use for interop testing. However, we now have sort of two
1511# implementations ourselves: one using PSA, the other not. At least test that
1512# these two interoperate with each other.
1513component_test_tls1_2_ecjpake_compatibility() {
1514    msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
1515    scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1516    make -C programs ssl/ssl_server2 ssl/ssl_client2
1517    cp programs/ssl/ssl_server2 s2_no_use_psa
1518    cp programs/ssl/ssl_client2 c2_no_use_psa
1519
1520    msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
1521    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1522    make clean
1523    make -C programs ssl/ssl_server2 ssl/ssl_client2
1524    make -C programs test/udp_proxy test/query_compile_time_config
1525
1526    msg "test: server w/o USE_PSA - client w/ USE_PSA, text password"
1527    P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
1528    msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password"
1529    P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS"
1530    msg "test: client w/o USE_PSA - server w/ USE_PSA, text password"
1531    P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
1532    msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password"
1533    P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS"
1534
1535    rm s2_no_use_psa c2_no_use_psa
1536}
1537
1538component_test_psa_external_rng_use_psa_crypto () {
1539    msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
1540    scripts/config.py full
1541    scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
1542    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
1543    scripts/config.py unset MBEDTLS_CTR_DRBG_C
1544    make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
1545
1546    msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
1547    make test
1548
1549    msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
1550    tests/ssl-opt.sh -f 'Default\|opaque'
1551}
1552
1553component_test_everest () {
1554    msg "build: Everest ECDH context (ASan build)" # ~ 6 min
1555    scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
1556    CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan .
1557    make
1558
1559    msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
1560    make test
1561
1562    msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
1563    tests/ssl-opt.sh -f ECDH
1564
1565    msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
1566    # Exclude some symmetric ciphers that are redundant here to gain time.
1567    tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
1568}
1569
1570component_test_everest_curve25519_only () {
1571    msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
1572    scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
1573    scripts/config.py unset MBEDTLS_ECDSA_C
1574    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
1575    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
1576    scripts/config.py unset MBEDTLS_ECJPAKE_C
1577    # Disable all curves
1578    for c in $(sed -n 's/#define \(MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED\).*/\1/p' <"$CONFIG_H"); do
1579        scripts/config.py unset "$c"
1580    done
1581    scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED
1582
1583    make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
1584
1585    msg "test: Everest ECDH context, only Curve25519" # ~ 50s
1586    make test
1587}
1588
1589component_test_small_ssl_out_content_len () {
1590    msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
1591    scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
1592    scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
1593    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1594    make
1595
1596    msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
1597    tests/ssl-opt.sh -f "Max fragment\|Large packet"
1598}
1599
1600component_test_small_ssl_in_content_len () {
1601    msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
1602    scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096
1603    scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
1604    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1605    make
1606
1607    msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
1608    tests/ssl-opt.sh -f "Max fragment"
1609}
1610
1611component_test_small_ssl_dtls_max_buffering () {
1612    msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0"
1613    scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000
1614    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1615    make
1616
1617    msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test"
1618    tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg"
1619}
1620
1621component_test_small_mbedtls_ssl_dtls_max_buffering () {
1622    msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1"
1623    scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190
1624    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
1625    make
1626
1627    msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test"
1628    tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket"
1629}
1630
1631component_test_psa_collect_statuses () {
1632  msg "build+test: psa_collect_statuses" # ~30s
1633  scripts/config.py full
1634  tests/scripts/psa_collect_statuses.py
1635  # Check that psa_crypto_init() succeeded at least once
1636  grep -q '^0:psa_crypto_init:' tests/statuses.log
1637  rm -f tests/statuses.log
1638}
1639
1640component_test_full_cmake_clang () {
1641    msg "build: cmake, full config, clang" # ~ 50s
1642    scripts/config.py full
1643    CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 .
1644    make
1645
1646    msg "test: main suites (full config, clang)" # ~ 5s
1647    make test
1648
1649    msg "test: cpp_dummy_build (full config, clang)" # ~ 1s
1650    programs/test/cpp_dummy_build
1651
1652    msg "test: psa_constant_names (full config, clang)" # ~ 1s
1653    tests/scripts/test_psa_constant_names.py
1654
1655    msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
1656    tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
1657
1658    msg "test: compat.sh NULL (full config)" # ~ 2 min
1659    env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL'
1660
1661    msg "test: compat.sh ARIA + ChachaPoly"
1662    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
1663}
1664
1665skip_suites_without_constant_flow () {
1666    # Skip the test suites that don't have any constant-flow annotations.
1667    # This will need to be adjusted if we ever start declaring things as
1668    # secret from macros or functions inside tests/include or tests/src.
1669    SKIP_TEST_SUITES=$(
1670        git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' |
1671            sed 's/test_suite_//; s/\.function$//' |
1672            tr '\n' ,)
1673    export SKIP_TEST_SUITES
1674}
1675
1676component_test_memsan_constant_flow () {
1677    # This tests both (1) accesses to undefined memory, and (2) branches or
1678    # memory access depending on secret values. To distinguish between those:
1679    # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
1680    # - or alternatively, change the build type to MemSanDbg, which enables
1681    # origin tracking and nicer stack traces (which are useful for debugging
1682    # anyway), and check if the origin was TEST_CF_SECRET() or something else.
1683    msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
1684    scripts/config.py full
1685    scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
1686    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1687    scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
1688    CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
1689    make
1690
1691    msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)"
1692    make test
1693}
1694
1695component_test_memsan_constant_flow_psa () {
1696    # This tests both (1) accesses to undefined memory, and (2) branches or
1697    # memory access depending on secret values. To distinguish between those:
1698    # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
1699    # - or alternatively, change the build type to MemSanDbg, which enables
1700    # origin tracking and nicer stack traces (which are useful for debugging
1701    # anyway), and check if the origin was TEST_CF_SECRET() or something else.
1702    msg "build: cmake MSan (clang), full config with constant flow testing"
1703    scripts/config.py full
1704    scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
1705    scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
1706    CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
1707    make
1708
1709    msg "test: main suites (Msan + constant flow)"
1710    make test
1711}
1712
1713component_test_valgrind_constant_flow () {
1714    # This tests both (1) everything that valgrind's memcheck usually checks
1715    # (heap buffer overflows, use of uninitialized memory, use-after-free,
1716    # etc.) and (2) branches or memory access depending on secret values,
1717    # which will be reported as uninitialized memory. To distinguish between
1718    # secret and actually uninitialized:
1719    # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
1720    # - or alternatively, build with debug info and manually run the offending
1721    # test suite with valgrind --track-origins=yes, then check if the origin
1722    # was TEST_CF_SECRET() or something else.
1723    msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
1724    scripts/config.py full
1725    scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
1726    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
1727    skip_suites_without_constant_flow
1728    cmake -D CMAKE_BUILD_TYPE:String=Release .
1729    make
1730
1731    # this only shows a summary of the results (how many of each type)
1732    # details are left in Testing/<date>/DynamicAnalysis.xml
1733    msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)"
1734    make memcheck
1735}
1736
1737component_test_valgrind_constant_flow_psa () {
1738    # This tests both (1) everything that valgrind's memcheck usually checks
1739    # (heap buffer overflows, use of uninitialized memory, use-after-free,
1740    # etc.) and (2) branches or memory access depending on secret values,
1741    # which will be reported as uninitialized memory. To distinguish between
1742    # secret and actually uninitialized:
1743    # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
1744    # - or alternatively, build with debug info and manually run the offending
1745    # test suite with valgrind --track-origins=yes, then check if the origin
1746    # was TEST_CF_SECRET() or something else.
1747    msg "build: cmake release GCC, full config with constant flow testing"
1748    scripts/config.py full
1749    scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
1750    skip_suites_without_constant_flow
1751    cmake -D CMAKE_BUILD_TYPE:String=Release .
1752    make
1753
1754    # this only shows a summary of the results (how many of each type)
1755    # details are left in Testing/<date>/DynamicAnalysis.xml
1756    msg "test: some suites (valgrind + constant flow)"
1757    make memcheck
1758}
1759
1760component_test_default_no_deprecated () {
1761    # Test that removing the deprecated features from the default
1762    # configuration leaves something consistent.
1763    msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s
1764    scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
1765    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
1766
1767    msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s
1768    make test
1769}
1770
1771component_test_full_no_deprecated () {
1772    msg "build: make, full_no_deprecated config" # ~ 30s
1773    scripts/config.py full_no_deprecated
1774    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
1775
1776    msg "test: make, full_no_deprecated config" # ~ 5s
1777    make test
1778
1779    msg "test: ensure that X509 has no direct dependency on BIGNUM_C"
1780    not grep mbedtls_mpi library/libmbedx509.a
1781}
1782
1783component_test_full_no_deprecated_deprecated_warning () {
1784    # Test that there is nothing deprecated in "full_no_deprecated".
1785    # A deprecated feature would trigger a warning (made fatal) from
1786    # MBEDTLS_DEPRECATED_WARNING.
1787    msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s
1788    scripts/config.py full_no_deprecated
1789    scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
1790    scripts/config.py set MBEDTLS_DEPRECATED_WARNING
1791    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
1792
1793    msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
1794    make test
1795}
1796
1797component_test_full_deprecated_warning () {
1798    # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes
1799    # with only certain whitelisted types of warnings.
1800    msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
1801    scripts/config.py full
1802    scripts/config.py set MBEDTLS_DEPRECATED_WARNING
1803    # Expect warnings from '#warning' directives in check_config.h.
1804    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs
1805
1806    msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
1807    # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features.
1808    # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set.
1809    # Expect warnings from '#warning' directives in check_config.h and
1810    # from the use of deprecated functions in test suites.
1811    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests
1812
1813    msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s
1814    make test
1815}
1816
1817# Check that the specified libraries exist and are empty.
1818are_empty_libraries () {
1819  nm "$@" >/dev/null 2>/dev/null
1820  ! nm "$@" 2>/dev/null | grep -v ':$' | grep .
1821}
1822
1823component_build_crypto_default () {
1824  msg "build: make, crypto only"
1825  scripts/config.py crypto
1826  make CFLAGS='-O1 -Werror'
1827  are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1828}
1829
1830component_build_crypto_full () {
1831  msg "build: make, crypto only, full config"
1832  scripts/config.py crypto_full
1833  make CFLAGS='-O1 -Werror'
1834  are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1835}
1836
1837component_test_crypto_for_psa_service () {
1838  msg "build: make, config for PSA crypto service"
1839  scripts/config.py crypto
1840  scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
1841  # Disable things that are not needed for just cryptography, to
1842  # reach a configuration that would be typical for a PSA cryptography
1843  # service providing all implemented PSA algorithms.
1844  # System stuff
1845  scripts/config.py unset MBEDTLS_ERROR_C
1846  scripts/config.py unset MBEDTLS_TIMING_C
1847  scripts/config.py unset MBEDTLS_VERSION_FEATURES
1848  # Crypto stuff with no PSA interface
1849  scripts/config.py unset MBEDTLS_BASE64_C
1850  # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
1851  scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
1852  # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
1853  scripts/config.py unset MBEDTLS_NIST_KW_C
1854  scripts/config.py unset MBEDTLS_PEM_PARSE_C
1855  scripts/config.py unset MBEDTLS_PEM_WRITE_C
1856  scripts/config.py unset MBEDTLS_PKCS12_C
1857  scripts/config.py unset MBEDTLS_PKCS5_C
1858  # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
1859  # in PSA code to work with RSA keys. We don't require users to set those:
1860  # they will be reenabled in build_info.h.
1861  scripts/config.py unset MBEDTLS_PK_C
1862  scripts/config.py unset MBEDTLS_PK_PARSE_C
1863  scripts/config.py unset MBEDTLS_PK_WRITE_C
1864  make CFLAGS='-O1 -Werror' all test
1865  are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1866}
1867
1868component_build_crypto_baremetal () {
1869  msg "build: make, crypto only, baremetal config"
1870  scripts/config.py crypto_baremetal
1871  make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
1872  are_empty_libraries library/libmbedx509.* library/libmbedtls.*
1873}
1874support_build_crypto_baremetal () {
1875    support_build_baremetal "$@"
1876}
1877
1878component_build_baremetal () {
1879  msg "build: make, baremetal config"
1880  scripts/config.py baremetal
1881  make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/"
1882}
1883support_build_baremetal () {
1884    # Older Glibc versions include time.h from other headers such as stdlib.h,
1885    # which makes the no-time.h-in-baremetal check fail. Ubuntu 16.04 has this
1886    # problem, Ubuntu 18.04 is ok.
1887    ! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h
1888}
1889
1890# depends.py family of tests
1891component_test_depends_py_cipher_id () {
1892    msg "test/build: depends.py cipher_id (gcc)"
1893    tests/scripts/depends.py cipher_id --unset-use-psa
1894}
1895
1896component_test_depends_py_cipher_chaining () {
1897    msg "test/build: depends.py cipher_chaining (gcc)"
1898    tests/scripts/depends.py cipher_chaining --unset-use-psa
1899}
1900
1901component_test_depends_py_cipher_padding () {
1902    msg "test/build: depends.py cipher_padding (gcc)"
1903    tests/scripts/depends.py cipher_padding --unset-use-psa
1904}
1905
1906component_test_depends_py_curves () {
1907    msg "test/build: depends.py curves (gcc)"
1908    tests/scripts/depends.py curves --unset-use-psa
1909}
1910
1911component_test_depends_py_hashes () {
1912    msg "test/build: depends.py hashes (gcc)"
1913    tests/scripts/depends.py hashes --unset-use-psa
1914}
1915
1916component_test_depends_py_kex () {
1917    msg "test/build: depends.py kex (gcc)"
1918    tests/scripts/depends.py kex --unset-use-psa
1919}
1920
1921component_test_depends_py_pkalgs () {
1922    msg "test/build: depends.py pkalgs (gcc)"
1923    tests/scripts/depends.py pkalgs --unset-use-psa
1924}
1925
1926# PSA equivalents of the depends.py tests
1927component_test_depends_py_cipher_id_psa () {
1928    msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1929    tests/scripts/depends.py cipher_id
1930}
1931
1932component_test_depends_py_cipher_chaining_psa () {
1933    msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1934    tests/scripts/depends.py cipher_chaining
1935}
1936
1937component_test_depends_py_cipher_padding_psa () {
1938    msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1939    tests/scripts/depends.py cipher_padding
1940}
1941
1942component_test_depends_py_curves_psa () {
1943    msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1944    tests/scripts/depends.py curves
1945}
1946
1947component_test_depends_py_hashes_psa () {
1948    msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1949    tests/scripts/depends.py hashes
1950}
1951
1952component_test_depends_py_kex_psa () {
1953    msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1954    tests/scripts/depends.py kex
1955}
1956
1957component_test_depends_py_pkalgs_psa () {
1958    msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
1959    tests/scripts/depends.py pkalgs
1960}
1961
1962component_build_no_pk_rsa_alt_support () {
1963    msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s
1964
1965    scripts/config.py full
1966    scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT
1967    scripts/config.py set MBEDTLS_RSA_C
1968    scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
1969
1970    # Only compile - this is primarily to test for compile issues
1971    make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
1972}
1973
1974component_build_module_alt () {
1975    msg "build: MBEDTLS_XXX_ALT" # ~30s
1976    scripts/config.py full
1977
1978    # Disable options that are incompatible with some ALT implementations:
1979    # aesni.c and padlock.c reference mbedtls_aes_context fields directly.
1980    scripts/config.py unset MBEDTLS_AESNI_C
1981    scripts/config.py unset MBEDTLS_PADLOCK_C
1982    scripts/config.py unset MBEDTLS_AESCE_C
1983    # MBEDTLS_ECP_RESTARTABLE is documented as incompatible.
1984    scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
1985    # You can only have one threading implementation: alt or pthread, not both.
1986    scripts/config.py unset MBEDTLS_THREADING_PTHREAD
1987    # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields
1988    # directly and assumes the implementation works with partial groups.
1989    scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
1990    # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_*
1991    scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
1992    scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
1993    # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*
1994    scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
1995    scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
1996
1997    # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable
1998    # MBEDTLS_XXX_YYY_ALT which are for single functions.
1999    scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT'
2000    scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C
2001
2002    # We can only compile, not link, since we don't have any implementations
2003    # suitable for testing with the dummy alt headers.
2004    make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
2005}
2006
2007component_build_dhm_alt () {
2008    msg "build: MBEDTLS_DHM_ALT" # ~30s
2009    scripts/config.py full
2010    scripts/config.py set MBEDTLS_DHM_ALT
2011    # debug.c currently references mbedtls_dhm_context fields directly.
2012    scripts/config.py unset MBEDTLS_DEBUG_C
2013    # We can only compile, not link, since we don't have any implementations
2014    # suitable for testing with the dummy alt headers.
2015    make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
2016}
2017
2018component_test_no_use_psa_crypto_full_cmake_asan() {
2019    # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
2020    msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan"
2021    scripts/config.py full
2022    scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
2023    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2024    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2025    scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
2026    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
2027    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
2028    scripts/config.py unset MBEDTLS_LMS_C
2029    scripts/config.py unset MBEDTLS_LMS_PRIVATE
2030    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
2031    make
2032
2033    msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)"
2034    make test
2035
2036    # Note: ssl-opt.sh has some test cases that depend on
2037    # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO
2038    # This is the only component where those tests are not skipped.
2039    msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
2040    tests/ssl-opt.sh
2041
2042    msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
2043    tests/compat.sh
2044
2045    msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
2046    env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -f 'NULL'
2047
2048    msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
2049    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
2050}
2051
2052component_test_psa_crypto_config_accel_ecdsa () {
2053    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
2054
2055    # Algorithms and key types to accelerate
2056    loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
2057
2058    # Configure and build the test driver library
2059    # -------------------------------------------
2060
2061    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2062    # partial support for cipher operations in the driver test library.
2063    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2064    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2065
2066    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2067    # These hashes are needed for some ECDSA signature tests.
2068    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
2069    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
2070    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
2071    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
2072    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2073
2074    # Configure and build the main libraries
2075    # --------------------------------------
2076
2077    # Start from default config (no USE_PSA) + driver support + TLS 1.3
2078    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2079    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2080    scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
2081
2082    # Disable the module that's accelerated
2083    scripts/config.py unset MBEDTLS_ECDSA_C
2084
2085    # Disable things that depend on it
2086    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2087    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
2088
2089    # Build the library
2090    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2091    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2092
2093    # Make sure this was not re-enabled by accident (additive config)
2094    not grep mbedtls_ecdsa_ library/ecdsa.o
2095
2096    # Run the tests
2097    # -------------
2098
2099    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA"
2100    make test
2101}
2102
2103# Auxiliary function to build config for ECDSA with and without drivers
2104config_psa_crypto_config_ecdsa_use_psa () {
2105    DRIVER_ONLY="$1"
2106    # start with config full for maximum coverage (also enables USE_PSA)
2107    scripts/config.py full
2108    # enable support for drivers and configuring PSA-only algorithms
2109    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2110    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2111    if [ "$DRIVER_ONLY" -eq 1 ]; then
2112        # Disable the module that's accelerated
2113        scripts/config.py unset MBEDTLS_ECDSA_C
2114    fi
2115    # Restartable feature is not yet supported by PSA. Once it will in
2116    # the future, the following line could be removed (see issues
2117    # 6061, 6332 and following ones)
2118    scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
2119    # Dynamic secure element support is a deprecated feature and needs to be disabled here.
2120    # This is done to have the same form of psa_key_attributes_s for libdriver and library.
2121    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
2122}
2123
2124# Keep in sync with component_test_psa_crypto_config_reference_ecdsa_use_psa
2125component_test_psa_crypto_config_accel_ecdsa_use_psa () {
2126    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
2127
2128    # Algorithms and key types to accelerate
2129    loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
2130
2131    # Configure and build the test driver library
2132    # -------------------------------------------
2133
2134    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2135    # partial support for cipher operations in the driver test library.
2136    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2137    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2138
2139    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2140    # SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests
2141    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1"
2142    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
2143    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
2144    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
2145    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
2146    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2147
2148    # Configure and build the main libraries with drivers enabled
2149    # -----------------------------------------------------------
2150
2151    # Use the same config as reference, only without built-in ECDSA
2152    config_psa_crypto_config_ecdsa_use_psa 1
2153
2154    # Build the library
2155    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2156    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2157
2158    # Make sure ECDSA was not re-enabled by accident (additive config)
2159    not grep mbedtls_ecdsa_ library/ecdsa.o
2160
2161    # Run the tests
2162    # -------------
2163
2164    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
2165    make test
2166
2167    msg "test: ssl-opt.sh"
2168    tests/ssl-opt.sh
2169}
2170
2171# Keep in sync with component_test_psa_crypto_config_accel_ecdsa_use_psa.
2172# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
2173component_test_psa_crypto_config_reference_ecdsa_use_psa () {
2174    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
2175
2176    # To be aligned with the accel component that needs this
2177    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2178    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2179
2180    config_psa_crypto_config_ecdsa_use_psa 0
2181
2182    make
2183
2184    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
2185    make test
2186
2187    msg "test: ssl-opt.sh"
2188    tests/ssl-opt.sh
2189}
2190
2191component_test_psa_crypto_config_accel_ecdh () {
2192    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
2193
2194    # Algorithms and key types to accelerate
2195    loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
2196
2197    # Configure and build the test driver library
2198    # -------------------------------------------
2199
2200    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2201    # partial support for cipher operations in the driver test library.
2202    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2203    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2204
2205    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2206    make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2207
2208    # Configure and build the main libraries
2209    # --------------------------------------
2210
2211    # Start from default config (no USE_PSA or TLS 1.3) + driver support
2212    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2213    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2214
2215    # Disable the module that's accelerated
2216    scripts/config.py unset MBEDTLS_ECDH_C
2217
2218    # Disable things that depend on it
2219    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2220    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
2221    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2222    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2223    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
2224
2225    # Build the main library
2226    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2227    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2228
2229    # Make sure this was not re-enabled by accident (additive config)
2230    not grep mbedtls_ecdh_ library/ecdh.o
2231
2232    # Run the tests
2233    # -------------
2234
2235    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
2236    make test
2237}
2238
2239# Auxiliary function to build config for ECDH with and without drivers.
2240#
2241# This is used by the two following components to ensure they always use the
2242# same config, except for the use of driver or built-in ECDH:
2243# - component_test_psa_crypto_config_accel_ecdh_use_psa;
2244# - component_test_psa_crypto_config_reference_ecdh_use_psa.
2245# This support comparing their test coverage with analyze_outcomes.py.
2246config_psa_crypto_config_ecdh_use_psa () {
2247    DRIVER_ONLY="$1"
2248    # start with config full for maximum coverage (also enables USE_PSA)
2249    scripts/config.py full
2250    # enable support for drivers and configuring PSA-only algorithms
2251    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2252    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2253    if [ "$DRIVER_ONLY" -eq 1 ]; then
2254        # Disable the module that's accelerated
2255        scripts/config.py unset MBEDTLS_ECDH_C
2256    fi
2257    # Disable things that depend on it (regardless of driver or built-in)
2258    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2259    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
2260    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2261    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2262    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
2263
2264    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
2265    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
2266    # Note: the above two lines should be enough, but currently there's a bug
2267    # that prevents tests from passing TLS 1.3 with only PSK (no ephemeral)
2268    # when TLS 1.2 is also enabled, see #6848.
2269    # So, as a temporary measure disable all of TLS 1.3.
2270    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2271
2272    # Restartable feature is not yet supported by PSA. Once it will in
2273    # the future, the following line could be removed (see issues
2274    # 6061, 6332 and following ones)
2275    scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
2276}
2277
2278# Keep in sync with component_test_psa_crypto_config_reference_ecdh_use_psa
2279component_test_psa_crypto_config_accel_ecdh_use_psa () {
2280    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
2281
2282    # Algorithms and key types to accelerate
2283    loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
2284
2285    # Configure and build the test driver library
2286    # -------------------------------------------
2287
2288    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2289    # partial support for cipher operations in the driver test library.
2290    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2291    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2292
2293    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2294    make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2295
2296    # Configure and build the main libraries
2297    # --------------------------------------
2298
2299    # Use the same config as reference, only without built-in ECDH
2300    config_psa_crypto_config_ecdh_use_psa 1
2301
2302    # Build the main library
2303    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2304    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2305
2306    # Make sure this was not re-enabled by accident (additive config)
2307    not grep mbedtls_ecdh_ library/ecdh.o
2308
2309    # Run the tests
2310    # -------------
2311
2312    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
2313    make test
2314
2315    msg "test: ssl-opt.sh"
2316    tests/ssl-opt.sh
2317}
2318
2319# Keep in sync with component_test_psa_crypto_config_accel_ecdh_use_psa.
2320# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
2321component_test_psa_crypto_config_reference_ecdh_use_psa () {
2322    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
2323
2324    # To be aligned with the accel component that needs this
2325    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2326    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2327
2328    config_psa_crypto_config_ecdh_use_psa 0
2329
2330    make
2331
2332    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
2333    make test
2334
2335    msg "test: ssl-opt.sh"
2336    tests/ssl-opt.sh
2337}
2338
2339# Auxiliary function to build config for EC JPAKE with and without drivers.
2340#
2341# This is used by the two following components to ensure they always use the
2342# same config, except for the use of driver or built-in ECJPAKE:
2343# - component_test_psa_crypto_config_accel_ecjpake_use_psa;
2344# - component_test_psa_crypto_config_reference_ecjpake_use_psa.
2345# This support comparing their test coverage with analyze_outcomes.py.
2346config_psa_crypto_config_ecjpake_use_psa () {
2347    DRIVER_ONLY="$1"
2348    # start with config full for maximum coverage (also enables USE_PSA)
2349    scripts/config.py full
2350    # enable support for drivers and configuring PSA-only algorithms
2351    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2352    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2353    if [ "$DRIVER_ONLY" -eq 1 ]; then
2354        # Disable the module that's accelerated
2355        scripts/config.py unset MBEDTLS_ECJPAKE_C
2356    fi
2357
2358    # Dynamic secure element support is a deprecated feature and needs to be disabled here.
2359    # This is done to have the same form of psa_key_attributes_s for libdriver and library.
2360    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
2361}
2362
2363# Keep in sync with component_test_psa_crypto_config_reference_ecjpake_use_psa
2364component_test_psa_crypto_config_accel_ecjpake_use_psa () {
2365    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECJPAKE + USE_PSA"
2366
2367    # Algorithms and key types to accelerate
2368    loc_accel_list="ALG_JPAKE KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
2369
2370    # Configure and build the test driver library
2371    # -------------------------------------------
2372
2373    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2374    # partial support for cipher operations in the driver test library.
2375    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2376    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2377
2378    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2379    make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2380
2381    # Configure and build the main libraries
2382    # --------------------------------------
2383
2384    # Use the same config as reference, only without built-in JPAKE
2385    config_psa_crypto_config_ecjpake_use_psa 1
2386
2387    # Build the main library
2388    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2389    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2390
2391    # Make sure this was not re-enabled by accident (additive config)
2392    not grep mbedtls_ecjpake_ library/ecjpake.o
2393
2394    # Run the tests
2395    # -------------
2396
2397    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated JPAKE + USE_PSA"
2398    make test
2399
2400    msg "test: ssl-opt.sh"
2401    tests/ssl-opt.sh
2402}
2403
2404# Keep in sync with component_test_psa_crypto_config_accel_ecjpake_use_psa.
2405# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
2406component_test_psa_crypto_config_reference_ecjpake_use_psa () {
2407    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECJPAKE + USE_PSA"
2408
2409    # To be aligned with the accel component that needs this
2410    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2411    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2412
2413    config_psa_crypto_config_ecjpake_use_psa 0
2414
2415    make
2416
2417    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECJPAKE + USE_PSA"
2418    make test
2419
2420    msg "test: ssl-opt.sh"
2421    tests/ssl-opt.sh
2422}
2423
2424component_test_psa_crypto_config_accel_ecc () {
2425    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC"
2426
2427    # Algorithms and key types to accelerate
2428    loc_accel_list="ALG_ECDH ALG_ECDSA ALG_DETERMINISTIC_ECDSA ALG_JPAKE KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
2429
2430    # Configure and build the test driver library
2431    # --------------------------------------------
2432
2433    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2434    # partial support for cipher operations in the driver test library.
2435    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2436    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2437
2438    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2439    # These hashes are needed for some ECDSA signature tests.
2440    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
2441    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
2442    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
2443    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
2444    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2445
2446    # Configure and build the main libraries
2447    # ---------------------------------------
2448
2449    # start with default + driver support
2450    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2451    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2452
2453    # disable modules for which we have drivers
2454    scripts/config.py unset MBEDTLS_ECDSA_C
2455    scripts/config.py unset MBEDTLS_ECDH_C
2456    scripts/config.py unset MBEDTLS_ECJPAKE_C
2457
2458    # dependencies
2459    #scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # not in default anyway
2460    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2461    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
2462    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2463    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2464    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
2465
2466    # build and link with test drivers
2467    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2468    make CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2469
2470    # make sure these were not auto-re-enabled by accident
2471    not grep mbedtls_ecdh_ library/ecdh.o
2472    not grep mbedtls_ecdsa_ library/ecdsa.o
2473    not grep mbedtls_ecjpake_ library/ecjpake.o
2474
2475    # Run the tests
2476    # -------------
2477
2478    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC"
2479    make test
2480}
2481
2482component_test_psa_crypto_config_accel_rsa_signature () {
2483    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
2484
2485    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2486    # partial support for cipher operations in the driver test library.
2487    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2488    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2489
2490    # It seems it is not possible to remove only the support for RSA signature
2491    # in the library. Thus we have to remove all RSA support (signature and
2492    # encryption/decryption). AS there is no driver support for asymmetric
2493    # encryption/decryption so far remove RSA encryption/decryption from the
2494    # application algorithm list.
2495    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP
2496    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
2497
2498    # Make sure both the library and the test library support the SHA hash
2499    # algorithms and only those ones (SHA256 is included by default). That way:
2500    # - the test library can compute the RSA signatures even in the case of a
2501    #   composite RSA signature algorithm based on a SHA hash (no other hash
2502    #   used in the unit tests).
2503    # - the dependency of RSA signature tests on PSA_WANT_ALG_SHA_xyz is
2504    #   fulfilled as the hash SHA algorithm is supported by the library, and
2505    #   thus the tests are run, not skipped.
2506    # - when testing a signature key with an algorithm wildcard built from
2507    #   PSA_ALG_ANY_HASH as algorithm to test with the key, the chosen hash
2508    #   algorithm based on the hashes supported by the library is also
2509    #   supported by the test library.
2510    # Disabled unwanted hashes here, we'll enable hashes we want in loc_accel_flags.
2511    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
2512    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160_C
2513
2514    # We need PEM parsing in the test library as well to support the import
2515    # of PEM encoded RSA keys.
2516    scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_PEM_PARSE_C
2517    scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_BASE64_C
2518
2519    loc_accel_list="ALG_RSA_PKCS1V15_SIGN ALG_RSA_PSS KEY_TYPE_RSA_KEY_PAIR KEY_TYPE_RSA_PUBLIC_KEY"
2520    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2521    # These hashes are needed for some RSA-PSS signature tests.
2522    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1"
2523    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
2524    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
2525    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
2526    loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
2527    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2528
2529    # Mbed TLS library build
2530    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2531    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2532
2533    # Remove RSA support and its dependencies
2534    scripts/config.py unset MBEDTLS_PKCS1_V15
2535    scripts/config.py unset MBEDTLS_PKCS1_V21
2536    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
2537    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2538    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2539    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
2540    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
2541    scripts/config.py unset MBEDTLS_RSA_C
2542    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
2543
2544    scripts/config.py unset MBEDTLS_MD5_C
2545    scripts/config.py unset MBEDTLS_RIPEMD160_C
2546    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1
2547    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_1
2548    scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING
2549
2550    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2551    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2552
2553    not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o
2554    not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o
2555
2556    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
2557    make test
2558}
2559
2560component_test_psa_crypto_config_accel_hash () {
2561    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
2562
2563    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2564    # partial support for cipher operations in the driver test library.
2565    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2566    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2567
2568    loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512"
2569    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2570    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2571
2572    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2573    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2574    scripts/config.py unset MBEDTLS_MD5_C
2575    scripts/config.py unset MBEDTLS_RIPEMD160_C
2576    scripts/config.py unset MBEDTLS_SHA1_C
2577    # Don't unset MBEDTLS_SHA256_C as it is needed by PSA crypto core.
2578    scripts/config.py unset MBEDTLS_SHA384_C
2579    scripts/config.py unset MBEDTLS_SHA512_C
2580    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2581    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2582
2583    not grep mbedtls_sha512_init library/sha512.o
2584    not grep mbedtls_sha1_init library/sha1.o
2585
2586    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash"
2587    make test
2588}
2589
2590component_test_psa_crypto_config_accel_hash_keep_builtins () {
2591    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash"
2592    # This component ensures that all the test cases for
2593    # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run.
2594
2595    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2596    # partial support for cipher operations in the driver test library.
2597    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2598    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2599
2600    loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512"
2601    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2602    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2603
2604    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2605    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2606    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2607    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2608
2609    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash"
2610    make test
2611}
2612
2613# Auxiliary function to build config for hashes with and without drivers
2614config_psa_crypto_hash_use_psa () {
2615    DRIVER_ONLY="$1"
2616    # start with config full for maximum coverage (also enables USE_PSA)
2617    scripts/config.py full
2618    # enable support for drivers and configuring PSA-only algorithms
2619    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2620    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2621    if [ "$DRIVER_ONLY" -eq 1 ]; then
2622        # disable the built-in implementation of hashes
2623        scripts/config.py unset MBEDTLS_MD5_C
2624        scripts/config.py unset MBEDTLS_RIPEMD160_C
2625        scripts/config.py unset MBEDTLS_SHA1_C
2626        scripts/config.py unset MBEDTLS_SHA224_C
2627        scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
2628        scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
2629        scripts/config.py unset MBEDTLS_SHA384_C
2630        scripts/config.py unset MBEDTLS_SHA512_C
2631        scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
2632    fi
2633    # Use an external RNG as currently internal RNGs depend on entropy.c
2634    # which in turn hard-depends on SHA256_C (or SHA512_C).
2635    # See component_test_psa_external_rng_no_drbg_use_psa.
2636    scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
2637    scripts/config.py unset MBEDTLS_ENTROPY_C
2638    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
2639    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
2640    # Also unset MD_C and things that depend on it.
2641    if [ "$DRIVER_ONLY" -eq 1 ]; then
2642        scripts/config.py unset MBEDTLS_MD_C
2643    fi
2644    scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
2645    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
2646    scripts/config.py unset MBEDTLS_PKCS7_C
2647    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
2648    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
2649
2650    # Dynamic secure element support is a deprecated feature and needs to be disabled here.
2651    # This is done to have the same form of psa_key_attributes_s for libdriver and library.
2652    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
2653}
2654
2655# Note that component_test_psa_crypto_config_reference_hash_use_psa
2656# is related to this component and both components need to be kept in sync.
2657# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
2658component_test_psa_crypto_config_accel_hash_use_psa () {
2659    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
2660
2661    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2662    # partial support for cipher operations in the driver test library.
2663    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2664    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2665
2666    loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512"
2667    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2668    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2669
2670    config_psa_crypto_hash_use_psa 1
2671
2672    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2673    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
2674
2675    # There's a risk of something getting re-enabled via config_psa.h;
2676    # make sure it did not happen. Note: it's OK for MD_LIGHT to be enabled,
2677    # but not the full MD_C (for now), so check mbedtls_md_hmac for that.
2678    not grep mbedtls_md_hmac library/md.o
2679    not grep mbedtls_md5 library/md5.o
2680    not grep mbedtls_sha1 library/sha1.o
2681    not grep mbedtls_sha256 library/sha256.o
2682    not grep mbedtls_sha512 library/sha512.o
2683    not grep mbedtls_ripemd160 library/ripemd160.o
2684
2685    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
2686    make test
2687
2688    # This is mostly useful so that we can later compare outcome files with
2689    # the reference config in analyze_outcomes.py, to check that the
2690    # dependency declarations in ssl-opt.sh and in TLS code are correct.
2691    msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
2692    tests/ssl-opt.sh
2693
2694    # This is to make sure all ciphersuites are exercised, but we don't need
2695    # interop testing (besides, we already got some from ssl-opt.sh).
2696    msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
2697    tests/compat.sh -p mbedTLS -V YES
2698}
2699
2700# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
2701# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py
2702# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt).
2703# Both components need to be kept in sync.
2704component_test_psa_crypto_config_reference_hash_use_psa() {
2705    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
2706
2707    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2708    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2709
2710    config_psa_crypto_hash_use_psa 0
2711
2712    make
2713
2714    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
2715    make test
2716
2717    msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
2718    tests/ssl-opt.sh
2719}
2720
2721component_test_psa_crypto_config_accel_cipher () {
2722    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher"
2723
2724    loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS KEY_TYPE_DES"
2725    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2726    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2727
2728    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2729    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2730
2731    # There is no intended accelerator support for ALG STREAM_CIPHER and
2732    # ALG_ECB_NO_PADDING. Therefore, asking for them in the build implies the
2733    # inclusion of the Mbed TLS cipher operations. As we want to test here with
2734    # cipher operations solely supported by accelerators, disabled those
2735    # PSA configuration options.
2736    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2737    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2738    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_CMAC
2739
2740    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
2741    scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
2742    scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
2743    scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
2744    scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
2745    scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
2746    scripts/config.py unset MBEDTLS_DES_C
2747
2748    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2749    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2750
2751    not grep mbedtls_des* library/des.o
2752
2753    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher"
2754    make test
2755}
2756
2757component_test_psa_crypto_config_accel_aead () {
2758    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2759
2760    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2761    # partial support for cipher operations in the driver test library.
2762    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2763    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2764
2765    loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
2766    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2767    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2768
2769    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2770    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2771
2772    scripts/config.py unset MBEDTLS_GCM_C
2773    scripts/config.py unset MBEDTLS_CCM_C
2774    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2775    # Features that depend on AEAD
2776    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
2777    scripts/config.py unset MBEDTLS_SSL_TICKET_C
2778
2779    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2780    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2781
2782    # There's a risk of something getting re-enabled via config_psa.h
2783    # make sure it did not happen.
2784    not grep mbedtls_ccm library/ccm.o
2785    not grep mbedtls_gcm library/gcm.o
2786    not grep mbedtls_chachapoly library/chachapoly.o
2787
2788    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD"
2789    make test
2790}
2791
2792component_test_psa_crypto_config_accel_pake() {
2793    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
2794
2795    # Start with full
2796    scripts/config.py full
2797
2798    # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
2799    # partial support for cipher operations in the driver test library.
2800    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
2801    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
2802
2803    loc_accel_list="ALG_JPAKE"
2804    loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
2805    make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
2806
2807    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2808    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2809
2810    # Make build-in fallback not available
2811    scripts/config.py unset MBEDTLS_ECJPAKE_C
2812    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
2813
2814    # Dynamic secure element support is a deprecated feature and needs to be disabled here.
2815    # This is done to have the same form of psa_key_attributes_s for libdriver and library.
2816    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
2817
2818    loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
2819    make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
2820
2821    not grep mbedtls_ecjpake_init library/ecjpake.o
2822
2823    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
2824    make test
2825}
2826
2827component_test_psa_crypto_config_no_driver() {
2828    # full plus MBEDTLS_PSA_CRYPTO_CONFIG
2829    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
2830    scripts/config.py full
2831    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2832    scripts/config.py unset MBEDTLS_PSA_CRYPTO_DRIVERS
2833    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2834    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2835    make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
2836
2837    msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
2838    make test
2839}
2840
2841component_test_psa_crypto_config_chachapoly_disabled() {
2842    # full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305
2843    msg "build: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305"
2844    scripts/config.py full
2845    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
2846    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_GCM
2847    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_CHACHA20_POLY1305
2848    make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
2849
2850    msg "test: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305"
2851    make test
2852}
2853
2854# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test.
2855component_build_psa_accel_alg_ecdh() {
2856    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH
2857    # without MBEDTLS_ECDH_C
2858    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C"
2859    scripts/config.py full
2860    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2861    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2862    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2863    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2864    scripts/config.py unset MBEDTLS_ECDH_C
2865    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
2866    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
2867    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2868    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2869    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
2870    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2871    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2872}
2873
2874# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test.
2875component_build_psa_accel_key_type_ecc_key_pair() {
2876    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
2877    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR"
2878    scripts/config.py full
2879    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2880    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2881    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2882    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2883    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1
2884    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
2885    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2886    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2887}
2888
2889# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test.
2890component_build_psa_accel_key_type_ecc_public_key() {
2891    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
2892    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY"
2893    scripts/config.py full
2894    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2895    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2896    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2897    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2898    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
2899    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
2900    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2901    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2902}
2903
2904# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
2905component_build_psa_accel_alg_hmac() {
2906    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC
2907    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC"
2908    scripts/config.py full
2909    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2910    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2911    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2912    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2913    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2914    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2915}
2916
2917# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test.
2918component_build_psa_accel_alg_hkdf() {
2919    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HKDF
2920    # without MBEDTLS_HKDF_C
2921    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C"
2922    scripts/config.py full
2923    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2924    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2925    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2926    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2927    scripts/config.py unset MBEDTLS_HKDF_C
2928    # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it.
2929    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2930    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2931    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2932}
2933
2934# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test.
2935component_build_psa_accel_alg_md5() {
2936    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD5 without other hashes
2937    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD5 - other hashes"
2938    scripts/config.py full
2939    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2940    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2941    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2942    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2943    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160
2944    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
2945    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
2946    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
2947    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
2948    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
2949    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
2950    scripts/config.py unset MBEDTLS_LMS_C
2951    scripts/config.py unset MBEDTLS_LMS_PRIVATE
2952    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2953    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2954}
2955
2956# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test.
2957component_build_psa_accel_alg_ripemd160() {
2958    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RIPEMD160 without other hashes
2959    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RIPEMD160 - other hashes"
2960    scripts/config.py full
2961    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2962    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2963    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2964    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2965    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
2966    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
2967    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
2968    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
2969    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
2970    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
2971    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
2972    scripts/config.py unset MBEDTLS_LMS_C
2973    scripts/config.py unset MBEDTLS_LMS_PRIVATE
2974    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2975    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2976}
2977
2978# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test.
2979component_build_psa_accel_alg_sha1() {
2980    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_1 without other hashes
2981    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_1 - other hashes"
2982    scripts/config.py full
2983    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
2984    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
2985    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
2986    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
2987    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
2988    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160
2989    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
2990    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
2991    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
2992    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
2993    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
2994    scripts/config.py unset MBEDTLS_LMS_C
2995    scripts/config.py unset MBEDTLS_LMS_PRIVATE
2996    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
2997    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
2998}
2999
3000# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test.
3001component_build_psa_accel_alg_sha224() {
3002    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_224 without other hashes
3003    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_224 - other hashes"
3004    scripts/config.py full
3005    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3006    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3007    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3008    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3009    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
3010    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160
3011    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
3012    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
3013    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
3014    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
3015    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3016    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3017}
3018
3019# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test.
3020component_build_psa_accel_alg_sha256() {
3021    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_256 without other hashes
3022    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_256 - other hashes"
3023    scripts/config.py full
3024    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3025    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3026    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3027    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3028    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
3029    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160
3030    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
3031    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
3032    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
3033    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
3034    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3035    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3036}
3037
3038# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test.
3039component_build_psa_accel_alg_sha384() {
3040    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_384 without other hashes
3041    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_384 - other hashes"
3042    scripts/config.py full
3043    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3044    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3045    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3046    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3047    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
3048    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160
3049    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
3050    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
3051    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
3052    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
3053    scripts/config.py unset MBEDTLS_LMS_C
3054    scripts/config.py unset MBEDTLS_LMS_PRIVATE
3055    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3056    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3057}
3058
3059# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test.
3060component_build_psa_accel_alg_sha512() {
3061    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_512 without other hashes
3062    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_512 - other hashes"
3063    scripts/config.py full
3064    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3065    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3066    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3067    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3068    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5
3069    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160
3070    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
3071    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
3072    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
3073    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
3074    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
3075    scripts/config.py unset MBEDTLS_LMS_C
3076    scripts/config.py unset MBEDTLS_LMS_PRIVATE
3077    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3078    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3079}
3080
3081# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
3082component_build_psa_accel_alg_rsa_pkcs1v15_crypt() {
3083    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
3084    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
3085    scripts/config.py full
3086    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3087    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3088    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3089    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3090    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
3091    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
3092    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP
3093    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PSS
3094    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3095    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3096}
3097
3098# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
3099component_build_psa_accel_alg_rsa_pkcs1v15_sign() {
3100    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_SIGN and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
3101    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
3102    scripts/config.py full
3103    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3104    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3105    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3106    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3107    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
3108    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
3109    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP
3110    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PSS
3111    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3112    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3113}
3114
3115# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
3116component_build_psa_accel_alg_rsa_oaep() {
3117    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_OAEP and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
3118    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
3119    scripts/config.py full
3120    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3121    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3122    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3123    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3124    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_OAEP 1
3125    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
3126    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
3127    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PSS
3128    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3129    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3130}
3131
3132# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
3133component_build_psa_accel_alg_rsa_pss() {
3134    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PSS and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
3135    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
3136    scripts/config.py full
3137    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3138    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3139    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3140    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3141    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1
3142    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
3143    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
3144    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP
3145    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3146    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3147}
3148
3149# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
3150component_build_psa_accel_key_type_rsa_key_pair() {
3151    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR and PSA_WANT_ALG_RSA_PSS
3152    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS"
3153    scripts/config.py full
3154    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3155    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3156    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3157    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3158    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1
3159    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
3160    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3161    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3162}
3163
3164# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
3165component_build_psa_accel_key_type_rsa_public_key() {
3166    # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY and PSA_WANT_ALG_RSA_PSS
3167    msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS"
3168    scripts/config.py full
3169    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3170    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3171    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
3172    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
3173    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1
3174    scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
3175    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
3176    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
3177}
3178
3179component_test_no_platform () {
3180    # Full configuration build, without platform support, file IO and net sockets.
3181    # This should catch missing mbedtls_printf definitions, and by disabling file
3182    # IO, it should catch missing '#include <stdio.h>'
3183    msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
3184    scripts/config.py full
3185    scripts/config.py unset MBEDTLS_PLATFORM_C
3186    scripts/config.py unset MBEDTLS_NET_C
3187    scripts/config.py unset MBEDTLS_PLATFORM_MEMORY
3188    scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT
3189    scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT
3190    scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
3191    scripts/config.py unset MBEDTLS_PLATFORM_VSNPRINTF_ALT
3192    scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
3193    scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
3194    scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT
3195    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
3196    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
3197    scripts/config.py unset MBEDTLS_FS_IO
3198    scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
3199    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
3200    scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
3201    # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
3202    # to re-enable platform integration features otherwise disabled in C99 builds
3203    make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
3204    make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test
3205}
3206
3207component_build_no_std_function () {
3208    # catch compile bugs in _uninit functions
3209    msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
3210    scripts/config.py full
3211    scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
3212    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
3213    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
3214    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check .
3215    make
3216}
3217
3218component_build_no_ssl_srv () {
3219    msg "build: full config except SSL server, make, gcc" # ~ 30s
3220    scripts/config.py full
3221    scripts/config.py unset MBEDTLS_SSL_SRV_C
3222    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
3223}
3224
3225component_build_no_ssl_cli () {
3226    msg "build: full config except SSL client, make, gcc" # ~ 30s
3227    scripts/config.py full
3228    scripts/config.py unset MBEDTLS_SSL_CLI_C
3229    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
3230}
3231
3232component_build_no_sockets () {
3233    # Note, C99 compliance can also be tested with the sockets support disabled,
3234    # as that requires a POSIX platform (which isn't the same as C99).
3235    msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
3236    scripts/config.py full
3237    scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
3238    scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
3239    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
3240}
3241
3242component_test_memory_buffer_allocator_backtrace () {
3243    msg "build: default config with memory buffer allocator and backtrace enabled"
3244    scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3245    scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3246    scripts/config.py set MBEDTLS_MEMORY_BACKTRACE
3247    scripts/config.py set MBEDTLS_MEMORY_DEBUG
3248    CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release .
3249    make
3250
3251    msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE"
3252    make test
3253}
3254
3255component_test_memory_buffer_allocator () {
3256    msg "build: default config with memory buffer allocator"
3257    scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3258    scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3259    CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release .
3260    make
3261
3262    msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C"
3263    make test
3264
3265    msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C"
3266    # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out.
3267    tests/ssl-opt.sh -e '^DTLS proxy'
3268}
3269
3270component_test_no_max_fragment_length () {
3271    # Run max fragment length tests with MFL disabled
3272    msg "build: default config except MFL extension (ASan build)" # ~ 30s
3273    scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3274    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3275    make
3276
3277    msg "test: ssl-opt.sh, MFL-related tests"
3278    tests/ssl-opt.sh -f "Max fragment length"
3279}
3280
3281component_test_asan_remove_peer_certificate () {
3282    msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
3283    scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
3284    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3285    make
3286
3287    msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3288    make test
3289
3290    msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3291    tests/ssl-opt.sh
3292
3293    msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3294    tests/compat.sh
3295
3296    msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
3297    tests/context-info.sh
3298}
3299
3300component_test_no_max_fragment_length_small_ssl_out_content_len () {
3301    msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
3302    scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3303    scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
3304    scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
3305    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3306    make
3307
3308    msg "test: MFL tests (disabled MFL extension case) & large packet tests"
3309    tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
3310
3311    msg "test: context-info.sh (disabled MFL extension case)"
3312    tests/context-info.sh
3313}
3314
3315component_test_variable_ssl_in_out_buffer_len () {
3316    msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)"
3317    scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
3318    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3319    make
3320
3321    msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3322    make test
3323
3324    msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3325    tests/ssl-opt.sh
3326
3327    msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
3328    tests/compat.sh
3329}
3330
3331component_test_dtls_cid_legacy () {
3332    msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
3333    scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
3334
3335    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3336    make
3337
3338    msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
3339    make test
3340
3341    msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
3342    tests/ssl-opt.sh
3343
3344    msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
3345    tests/compat.sh
3346}
3347
3348component_test_ssl_alloc_buffer_and_mfl () {
3349    msg "build: default config with memory buffer allocator and MFL extension"
3350    scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
3351    scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3352    scripts/config.py set MBEDTLS_MEMORY_DEBUG
3353    scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3354    scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
3355    CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release .
3356    make
3357
3358    msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
3359    make test
3360
3361    msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
3362    tests/ssl-opt.sh -f "Handshake memory usage"
3363}
3364
3365component_test_when_no_ciphersuites_have_mac () {
3366    msg "build: when no ciphersuites have MAC"
3367    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
3368    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
3369    scripts/config.py unset MBEDTLS_CMAC_C
3370    make
3371
3372    msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
3373    make test
3374
3375    msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
3376    tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM'
3377}
3378
3379component_test_no_date_time () {
3380    msg "build: default config without MBEDTLS_HAVE_TIME_DATE"
3381    scripts/config.py unset MBEDTLS_HAVE_TIME_DATE
3382    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check .
3383    make
3384
3385    msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites"
3386    make test
3387}
3388
3389component_test_platform_calloc_macro () {
3390    msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
3391    scripts/config.py set MBEDTLS_PLATFORM_MEMORY
3392    scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
3393    scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO   free
3394    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3395    make
3396
3397    msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
3398    make test
3399}
3400
3401component_test_malloc_0_null () {
3402    msg "build: malloc(0) returns NULL (ASan+UBSan build)"
3403    scripts/config.py full
3404    make CC=gcc CFLAGS="'-DMBEDTLS_CONFIG_FILE=\"$PWD/tests/configs/config-wrapper-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS"
3405
3406    msg "test: malloc(0) returns NULL (ASan+UBSan build)"
3407    make test
3408
3409    msg "selftest: malloc(0) returns NULL (ASan+UBSan build)"
3410    # Just the calloc selftest. "make test" ran the others as part of the
3411    # test suites.
3412    programs/test/selftest calloc
3413
3414    msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)"
3415    # Run a subset of the tests. The choice is a balance between coverage
3416    # and time (including time indirectly wasted due to flaky tests).
3417    # The current choice is to skip tests whose description includes
3418    # "proxy", which is an approximation of skipping tests that use the
3419    # UDP proxy, which tend to be slower and flakier.
3420    tests/ssl-opt.sh -e 'proxy'
3421}
3422
3423component_test_aes_fewer_tables () {
3424    msg "build: default config with AES_FEWER_TABLES enabled"
3425    scripts/config.py set MBEDTLS_AES_FEWER_TABLES
3426    make CC=gcc CFLAGS='-Werror -Wall -Wextra'
3427
3428    msg "test: AES_FEWER_TABLES"
3429    make test
3430}
3431
3432component_test_aes_rom_tables () {
3433    msg "build: default config with AES_ROM_TABLES enabled"
3434    scripts/config.py set MBEDTLS_AES_ROM_TABLES
3435    make CC=gcc CFLAGS='-Werror -Wall -Wextra'
3436
3437    msg "test: AES_ROM_TABLES"
3438    make test
3439}
3440
3441component_test_aes_fewer_tables_and_rom_tables () {
3442    msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled"
3443    scripts/config.py set MBEDTLS_AES_FEWER_TABLES
3444    scripts/config.py set MBEDTLS_AES_ROM_TABLES
3445    make CC=gcc CFLAGS='-Werror -Wall -Wextra'
3446
3447    msg "test: AES_FEWER_TABLES + AES_ROM_TABLES"
3448    make test
3449}
3450
3451component_test_ctr_drbg_aes_256_sha_256 () {
3452    msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3453    scripts/config.py full
3454    scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3455    scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
3456    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3457    make
3458
3459    msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3460    make test
3461}
3462
3463component_test_ctr_drbg_aes_128_sha_512 () {
3464    msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
3465    scripts/config.py full
3466    scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3467    scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
3468    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3469    make
3470
3471    msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
3472    make test
3473}
3474
3475component_test_ctr_drbg_aes_128_sha_256 () {
3476    msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3477    scripts/config.py full
3478    scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
3479    scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
3480    scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
3481    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3482    make
3483
3484    msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
3485    make test
3486}
3487
3488component_test_se_default () {
3489    msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C"
3490    scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C
3491    make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS"
3492
3493    msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C"
3494    make test
3495}
3496
3497component_test_psa_crypto_drivers () {
3498    msg "build: MBEDTLS_PSA_CRYPTO_DRIVERS w/ driver hooks"
3499    scripts/config.py full
3500    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
3501    scripts/config.py set MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
3502    loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL"
3503    loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
3504    loc_cflags="${loc_cflags} -I../tests/include -O2"
3505
3506    make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
3507
3508    msg "test: full + MBEDTLS_PSA_CRYPTO_DRIVERS"
3509    make test
3510}
3511
3512component_test_make_shared () {
3513    msg "build/test: make shared" # ~ 40s
3514    make SHARED=1 all check
3515    ldd programs/util/strerror | grep libmbedcrypto
3516    programs/test/dlopen_demo.sh
3517}
3518
3519component_test_cmake_shared () {
3520    msg "build/test: cmake shared" # ~ 2min
3521    cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
3522    make
3523    ldd programs/util/strerror | grep libmbedcrypto
3524    make test
3525    programs/test/dlopen_demo.sh
3526}
3527
3528test_build_opt () {
3529    info=$1 cc=$2; shift 2
3530    for opt in "$@"; do
3531          msg "build/test: $cc $opt, $info" # ~ 30s
3532          make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror"
3533          # We're confident enough in compilers to not run _all_ the tests,
3534          # but at least run the unit tests. In particular, runs with
3535          # optimizations use inline assembly whereas runs with -O0
3536          # skip inline assembly.
3537          make test # ~30s
3538          make clean
3539    done
3540}
3541
3542component_test_clang_opt () {
3543    scripts/config.py full
3544    test_build_opt 'full config' clang -O0 -Os -O2
3545}
3546
3547component_test_gcc_opt () {
3548    scripts/config.py full
3549    test_build_opt 'full config' gcc -O0 -Os -O2
3550}
3551
3552component_build_mbedtls_config_file () {
3553    msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
3554    scripts/config.py -w full_config.h full
3555    echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
3556    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
3557    # Make sure this feature is enabled. We'll disable it in the next phase.
3558    programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
3559    make clean
3560
3561    msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE"
3562    # In the user config, disable one feature (for simplicity, pick a feature
3563    # that nothing else depends on).
3564    echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
3565    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
3566    not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
3567
3568    rm -f user_config.h full_config.h
3569}
3570
3571component_build_psa_config_file () {
3572    msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
3573    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
3574    cp "$CRYPTO_CONFIG_H" psa_test_config.h
3575    echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
3576    make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
3577    # Make sure this feature is enabled. We'll disable it in the next phase.
3578    programs/test/query_compile_time_config MBEDTLS_CMAC_C
3579    make clean
3580
3581    msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
3582    # In the user config, disable one feature, which will reflect on the
3583    # mbedtls configuration so we can query it with query_compile_time_config.
3584    echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
3585    scripts/config.py unset MBEDTLS_CMAC_C
3586    make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
3587    not programs/test/query_compile_time_config MBEDTLS_CMAC_C
3588
3589    rm -f psa_test_config.h psa_user_config.h
3590}
3591
3592component_build_psa_alt_headers () {
3593    msg "build: make with PSA alt headers" # ~20s
3594
3595    # Generate alternative versions of the substitutable headers with the
3596    # same content except different include guards.
3597    make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h
3598
3599    # Build the library and some programs.
3600    # Don't build the fuzzers to avoid having to go through hoops to set
3601    # a correct include path for programs/fuzz/Makefile.
3602    make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib
3603    make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'"
3604
3605    # Check that we're getting the alternative include guards and not the
3606    # original include guards.
3607    programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H
3608    programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H
3609    programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H
3610    programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H
3611}
3612
3613component_test_m32_o0 () {
3614    # Build without optimization, so as to use portable C code (in a 32-bit
3615    # build) and not the i386-specific inline assembly.
3616    msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s
3617    scripts/config.py full
3618    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS"
3619
3620    msg "test: i386, make, gcc -O0 (ASan build)"
3621    make test
3622}
3623support_test_m32_o0 () {
3624    case $(uname -m) in
3625        amd64|x86_64) true;;
3626        *) false;;
3627    esac
3628}
3629
3630component_test_m32_o2 () {
3631    # Build with optimization, to use the i386 specific inline assembly
3632    # and go faster for tests.
3633    msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s
3634    scripts/config.py full
3635    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS"
3636
3637    msg "test: i386, make, gcc -O2 (ASan build)"
3638    make test
3639
3640    msg "test ssl-opt.sh, i386, make, gcc-O2"
3641    tests/ssl-opt.sh
3642}
3643support_test_m32_o2 () {
3644    support_test_m32_o0 "$@"
3645}
3646
3647component_test_m32_everest () {
3648    msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min
3649    scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
3650    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS"
3651
3652    msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
3653    make test
3654
3655    msg "test: i386, Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
3656    tests/ssl-opt.sh -f ECDH
3657
3658    msg "test: i386, Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min
3659    # Exclude some symmetric ciphers that are redundant here to gain time.
3660    tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
3661}
3662support_test_m32_everest () {
3663    support_test_m32_o0 "$@"
3664}
3665
3666component_test_mx32 () {
3667    msg "build: 64-bit ILP32, make, gcc" # ~ 30s
3668    scripts/config.py full
3669    make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
3670
3671    msg "test: 64-bit ILP32, make, gcc"
3672    make test
3673}
3674support_test_mx32 () {
3675    case $(uname -m) in
3676        amd64|x86_64) true;;
3677        *) false;;
3678    esac
3679}
3680
3681component_test_min_mpi_window_size () {
3682    msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
3683    scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1
3684    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3685    make
3686
3687    msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
3688    make test
3689}
3690
3691component_test_have_int32 () {
3692    msg "build: gcc, force 32-bit bignum limbs"
3693    scripts/config.py unset MBEDTLS_HAVE_ASM
3694    scripts/config.py unset MBEDTLS_AESNI_C
3695    scripts/config.py unset MBEDTLS_PADLOCK_C
3696    scripts/config.py unset MBEDTLS_AESCE_C
3697    make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
3698
3699    msg "test: gcc, force 32-bit bignum limbs"
3700    make test
3701}
3702
3703component_test_have_int64 () {
3704    msg "build: gcc, force 64-bit bignum limbs"
3705    scripts/config.py unset MBEDTLS_HAVE_ASM
3706    scripts/config.py unset MBEDTLS_AESNI_C
3707    scripts/config.py unset MBEDTLS_PADLOCK_C
3708    scripts/config.py unset MBEDTLS_AESCE_C
3709    make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
3710
3711    msg "test: gcc, force 64-bit bignum limbs"
3712    make test
3713}
3714
3715component_test_no_udbl_division () {
3716    msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
3717    scripts/config.py full
3718    scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
3719    make CFLAGS='-Werror -O1'
3720
3721    msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
3722    make test
3723}
3724
3725component_test_no_64bit_multiplication () {
3726    msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
3727    scripts/config.py full
3728    scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
3729    make CFLAGS='-Werror -O1'
3730
3731    msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
3732    make test
3733}
3734
3735component_test_no_strings () {
3736    msg "build: no strings" # ~10s
3737    scripts/config.py full
3738    # Disable options that activate a large amount of string constants.
3739    scripts/config.py unset MBEDTLS_DEBUG_C
3740    scripts/config.py unset MBEDTLS_ERROR_C
3741    scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY
3742    scripts/config.py unset MBEDTLS_VERSION_FEATURES
3743    make CFLAGS='-Werror -Os'
3744
3745    msg "test: no strings" # ~ 10s
3746    make test
3747}
3748
3749component_test_no_x509_info () {
3750    msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
3751    scripts/config.pl full
3752    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
3753    scripts/config.pl set MBEDTLS_X509_REMOVE_INFO
3754    make CFLAGS='-Werror -O2'
3755
3756    msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
3757    make test
3758
3759    msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_INFO" # ~ 1 min
3760    tests/ssl-opt.sh
3761}
3762
3763component_build_arm_none_eabi_gcc () {
3764    msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" # ~ 10s
3765    scripts/config.py baremetal
3766    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib
3767
3768    msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug"
3769    ${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
3770}
3771
3772component_build_arm_linux_gnueabi_gcc_arm5vte () {
3773    msg "build: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s
3774    scripts/config.py baremetal
3775    # Build for a target platform that's close to what Debian uses
3776    # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort).
3777    # See https://github.com/Mbed-TLS/mbedtls/pull/2169 and comments.
3778    # Build everything including programs, see for example
3779    # https://github.com/Mbed-TLS/mbedtls/pull/3449#issuecomment-675313720
3780    make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te'
3781
3782    msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
3783    ${ARM_LINUX_GNUEABI_GCC_PREFIX}size library/*.o
3784}
3785support_build_arm_linux_gnueabi_gcc_arm5vte () {
3786    type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1
3787}
3788
3789component_build_arm_none_eabi_gcc_arm5vte () {
3790    msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s
3791    scripts/config.py baremetal
3792    # This is an imperfect substitute for
3793    # component_build_arm_linux_gnueabi_gcc_arm5vte
3794    # in case the gcc-arm-linux-gnueabi toolchain is not available
3795    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
3796
3797    msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
3798    ${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
3799}
3800
3801component_build_arm_none_eabi_gcc_m0plus () {
3802    msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus, baremetal_size" # ~ 10s
3803    scripts/config.py baremetal_size
3804    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib
3805
3806    msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size"
3807    ${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
3808}
3809
3810component_build_arm_none_eabi_gcc_no_udbl_division () {
3811    msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
3812    scripts/config.py baremetal
3813    scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
3814    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib
3815    echo "Checking that software 64-bit division is not required"
3816    not grep __aeabi_uldiv library/*.o
3817}
3818
3819component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
3820    msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s
3821    scripts/config.py baremetal
3822    scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
3823    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib
3824    echo "Checking that software 64-bit multiplication is not required"
3825    not grep __aeabi_lmul library/*.o
3826}
3827
3828component_build_armcc () {
3829    msg "build: ARM Compiler 5"
3830    scripts/config.py baremetal
3831    # armc[56] don't support SHA-512 intrinsics
3832    scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
3833
3834    # Stop armclang warning about feature detection for A64_CRYPTO.
3835    # With this enabled, the library does build correctly under armclang,
3836    # but in baremetal builds (as tested here), feature detection is
3837    # unavailable, and the user is notified via a #warning. So enabling
3838    # this feature would prevent us from building with -Werror on
3839    # armclang. Tracked in #7198.
3840    scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
3841
3842    scripts/config.py set MBEDTLS_HAVE_ASM
3843
3844    make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
3845
3846    msg "size: ARM Compiler 5"
3847    "$ARMC5_FROMELF" -z library/*.o
3848
3849    make clean
3850
3851    # Compile with -O1 since some Arm inline assembly is disabled for -O0.
3852
3853    # ARM Compiler 6 - Target ARMv7-A
3854    armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-a"
3855
3856    # ARM Compiler 6 - Target ARMv7-M
3857    armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m"
3858
3859    # ARM Compiler 6 - Target ARMv7-M+DSP
3860    armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m+dsp"
3861
3862    # ARM Compiler 6 - Target ARMv8-A - AArch32
3863    armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8.2-a"
3864
3865    # ARM Compiler 6 - Target ARMv8-M
3866    armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main"
3867
3868    # ARM Compiler 6 - Target ARMv8.2-A - AArch64
3869    armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto"
3870}
3871support_build_armcc () {
3872    armc5_cc="$ARMC5_BIN_DIR/armcc"
3873    armc6_cc="$ARMC6_BIN_DIR/armclang"
3874    (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
3875}
3876
3877component_test_tls13_only () {
3878    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
3879    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
3880    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
3881
3882    msg "test: TLS 1.3 only, all key exchange modes enabled"
3883    make test
3884
3885    msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled"
3886    tests/ssl-opt.sh
3887}
3888
3889component_test_tls13_only_psk () {
3890    msg "build: TLS 1.3 only from default, only PSK key exchange mode"
3891    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
3892    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
3893    scripts/config.py unset MBEDTLS_ECDH_C
3894    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
3895    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
3896    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
3897    scripts/config.py unset MBEDTLS_ECDSA_C
3898    scripts/config.py unset MBEDTLS_PKCS1_V21
3899    scripts/config.py unset MBEDTLS_PKCS7_C
3900    scripts/config.py set   MBEDTLS_SSL_EARLY_DATA
3901    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
3902
3903    msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled"
3904    cd tests; ./test_suite_ssl; cd ..
3905
3906    msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled"
3907    tests/ssl-opt.sh
3908}
3909
3910component_test_tls13_only_ephemeral () {
3911    msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
3912    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
3913    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
3914    scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
3915    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
3916
3917    msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
3918    cd tests; ./test_suite_ssl; cd ..
3919
3920    msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode"
3921    tests/ssl-opt.sh
3922}
3923
3924component_test_tls13_only_psk_ephemeral () {
3925    msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode"
3926    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
3927    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
3928    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
3929    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
3930    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
3931    scripts/config.py unset MBEDTLS_ECDSA_C
3932    scripts/config.py unset MBEDTLS_PKCS1_V21
3933    scripts/config.py unset MBEDTLS_PKCS7_C
3934    scripts/config.py set   MBEDTLS_SSL_EARLY_DATA
3935    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
3936
3937    msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode"
3938    cd tests; ./test_suite_ssl; cd ..
3939
3940    msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode"
3941    tests/ssl-opt.sh
3942}
3943
3944component_test_tls13_only_psk_all () {
3945    msg "build: TLS 1.3 only from default, without ephemeral key exchange mode"
3946    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
3947    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
3948    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
3949    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
3950    scripts/config.py unset MBEDTLS_ECDSA_C
3951    scripts/config.py unset MBEDTLS_PKCS1_V21
3952    scripts/config.py unset MBEDTLS_PKCS7_C
3953    scripts/config.py set   MBEDTLS_SSL_EARLY_DATA
3954    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
3955
3956    msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
3957    cd tests; ./test_suite_ssl; cd ..
3958
3959    msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
3960    tests/ssl-opt.sh
3961}
3962
3963component_test_tls13_only_ephemeral_all () {
3964    msg "build: TLS 1.3 only from default, without PSK key exchange mode"
3965    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
3966    scripts/config.py set   MBEDTLS_SSL_EARLY_DATA
3967    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
3968
3969    msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
3970    cd tests; ./test_suite_ssl; cd ..
3971
3972    msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
3973    tests/ssl-opt.sh
3974}
3975
3976component_test_tls13 () {
3977    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
3978    scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
3979    scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
3980    scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
3981    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
3982    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3983    make
3984    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
3985    make test
3986    msg "ssl-opt.sh (TLS 1.3)"
3987    tests/ssl-opt.sh
3988}
3989
3990component_test_tls13_no_compatibility_mode () {
3991    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
3992    scripts/config.py set   MBEDTLS_SSL_PROTO_TLS1_3
3993    scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
3994    scripts/config.py set   MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
3995    scripts/config.py set   MBEDTLS_SSL_EARLY_DATA
3996    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
3997    make
3998    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
3999    make test
4000    msg "ssl-opt.sh (TLS 1.3 no compatibility mode)"
4001    tests/ssl-opt.sh
4002}
4003
4004component_test_tls13_only_record_size_limit () {
4005    msg "build: TLS 1.3 only from default, record size limit extension enabled"
4006    scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
4007    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
4008
4009    msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
4010    cd tests; ./test_suite_ssl; cd ..
4011
4012    msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
4013    # Both the server and the client will currently abort the handshake when they encounter the
4014    # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
4015    # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
4016    tests/ssl-opt.sh -f "Record Size Limit"
4017}
4018
4019component_build_mingw () {
4020    msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
4021    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
4022
4023    # note Make tests only builds the tests, but doesn't run them
4024    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests
4025    make WINDOWS_BUILD=1 clean
4026
4027    msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
4028    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs
4029    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests
4030    make WINDOWS_BUILD=1 clean
4031}
4032support_build_mingw() {
4033    case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in
4034        [0-5]*|"") false;;
4035        *) true;;
4036    esac
4037}
4038
4039component_test_memsan () {
4040    msg "build: MSan (clang)" # ~ 1 min 20s
4041    scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
4042    CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
4043    make
4044
4045    msg "test: main suites (MSan)" # ~ 10s
4046    make test
4047
4048    msg "test: ssl-opt.sh (MSan)" # ~ 1 min
4049    tests/ssl-opt.sh
4050
4051    # Optional part(s)
4052
4053    if [ "$MEMORY" -gt 0 ]; then
4054        msg "test: compat.sh (MSan)" # ~ 6 min 20s
4055        tests/compat.sh
4056    fi
4057}
4058
4059component_test_valgrind () {
4060    msg "build: Release (clang)"
4061    # default config, in particular without MBEDTLS_USE_PSA_CRYPTO
4062    CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
4063    make
4064
4065    msg "test: main suites, Valgrind (default config)"
4066    make memcheck
4067
4068    # Optional parts (slow; currently broken on OS X because programs don't
4069    # seem to receive signals under valgrind on OS X).
4070    # These optional parts don't run on the CI.
4071    if [ "$MEMORY" -gt 0 ]; then
4072        msg "test: ssl-opt.sh --memcheck (default config)"
4073        tests/ssl-opt.sh --memcheck
4074    fi
4075
4076    if [ "$MEMORY" -gt 1 ]; then
4077        msg "test: compat.sh --memcheck (default config)"
4078        tests/compat.sh --memcheck
4079    fi
4080
4081    if [ "$MEMORY" -gt 0 ]; then
4082        msg "test: context-info.sh --memcheck (default config)"
4083        tests/context-info.sh --memcheck
4084    fi
4085}
4086
4087component_test_valgrind_psa () {
4088    msg "build: Release, full (clang)"
4089    # full config, in particular with MBEDTLS_USE_PSA_CRYPTO
4090    scripts/config.py full
4091    CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
4092    make
4093
4094    msg "test: main suites, Valgrind (full config)"
4095    make memcheck
4096}
4097
4098support_test_cmake_out_of_source () {
4099    distrib_id=""
4100    distrib_ver=""
4101    distrib_ver_minor=""
4102    distrib_ver_major=""
4103
4104    # Attempt to parse lsb-release to find out distribution and version. If not
4105    # found this should fail safe (test is supported).
4106    if [[ -f /etc/lsb-release ]]; then
4107
4108        while read -r lsb_line; do
4109            case "$lsb_line" in
4110                "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};;
4111                "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};;
4112            esac
4113        done < /etc/lsb-release
4114
4115        distrib_ver_major="${distrib_ver%%.*}"
4116        distrib_ver="${distrib_ver#*.}"
4117        distrib_ver_minor="${distrib_ver%%.*}"
4118    fi
4119
4120    # Running the out of source CMake test on Ubuntu 16.04 using more than one
4121    # processor (as the CI does) can create a race condition whereby the build
4122    # fails to see a generated file, despite that file actually having been
4123    # generated. This problem appears to go away with 18.04 or newer, so make
4124    # the out of source tests unsupported on Ubuntu 16.04.
4125    [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ]
4126}
4127
4128component_test_cmake_out_of_source () {
4129    msg "build: cmake 'out-of-source' build"
4130    MBEDTLS_ROOT_DIR="$PWD"
4131    mkdir "$OUT_OF_SOURCE_DIR"
4132    cd "$OUT_OF_SOURCE_DIR"
4133    cmake -D CMAKE_BUILD_TYPE:String=Check "$MBEDTLS_ROOT_DIR"
4134    make
4135
4136    msg "test: cmake 'out-of-source' build"
4137    make test
4138    # Check that ssl-opt.sh can find the test programs.
4139    # Also ensure that there are no error messages such as
4140    # "No such file or directory", which would indicate that some required
4141    # file is missing (ssl-opt.sh tolerates the absence of some files so
4142    # may exit with status 0 but emit errors).
4143    ./tests/ssl-opt.sh -f 'Default' >ssl-opt.out 2>ssl-opt.err
4144    grep PASS ssl-opt.out
4145    cat ssl-opt.err >&2
4146    # If ssl-opt.err is non-empty, record an error and keep going.
4147    [ ! -s ssl-opt.err ]
4148    rm ssl-opt.out ssl-opt.err
4149    cd "$MBEDTLS_ROOT_DIR"
4150    rm -rf "$OUT_OF_SOURCE_DIR"
4151}
4152
4153component_test_cmake_as_subdirectory () {
4154    msg "build: cmake 'as-subdirectory' build"
4155    cd programs/test/cmake_subproject
4156    cmake .
4157    make
4158    ./cmake_subproject
4159}
4160support_test_cmake_as_subdirectory () {
4161    support_test_cmake_out_of_source
4162}
4163
4164component_test_cmake_as_package () {
4165    msg "build: cmake 'as-package' build"
4166    cd programs/test/cmake_package
4167    cmake .
4168    make
4169    ./cmake_package
4170}
4171support_test_cmake_as_package () {
4172    support_test_cmake_out_of_source
4173}
4174
4175component_test_cmake_as_package_install () {
4176    msg "build: cmake 'as-installed-package' build"
4177    cd programs/test/cmake_package_install
4178    cmake .
4179    make
4180    ./cmake_package_install
4181}
4182support_test_cmake_as_package_install () {
4183    support_test_cmake_out_of_source
4184}
4185
4186component_test_zeroize () {
4187    # Test that the function mbedtls_platform_zeroize() is not optimized away by
4188    # different combinations of compilers and optimization flags by using an
4189    # auxiliary GDB script. Unfortunately, GDB does not return error values to the
4190    # system in all cases that the script fails, so we must manually search the
4191    # output to check whether the pass string is present and no failure strings
4192    # were printed.
4193
4194    # Don't try to disable ASLR. We don't care about ASLR here. We do care
4195    # about a spurious message if Gdb tries and fails, so suppress that.
4196    gdb_disable_aslr=
4197    if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then
4198        gdb_disable_aslr='set disable-randomization off'
4199    fi
4200
4201    for optimization_flag in -O2 -O3 -Ofast -Os; do
4202        for compiler in clang gcc; do
4203            msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()"
4204            make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag"
4205            gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
4206            grep "The buffer was correctly zeroized" test_zeroize.log
4207            not grep -i "error" test_zeroize.log
4208            rm -f test_zeroize.log
4209            make clean
4210        done
4211    done
4212}
4213
4214component_test_psa_compliance () {
4215    msg "build: make, default config (out-of-box), libmbedcrypto.a only"
4216    make -C library libmbedcrypto.a
4217
4218    msg "unit test: test_psa_compliance.py"
4219    ./tests/scripts/test_psa_compliance.py
4220}
4221
4222support_test_psa_compliance () {
4223    # psa-compliance-tests only supports CMake >= 3.10.0
4224    ver="$(cmake --version)"
4225    ver="${ver#cmake version }"
4226    ver_major="${ver%%.*}"
4227
4228    ver="${ver#*.}"
4229    ver_minor="${ver%%.*}"
4230
4231    [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ]
4232}
4233
4234component_check_code_style () {
4235    msg "Check C code style"
4236    ./scripts/code_style.py
4237}
4238
4239support_check_code_style() {
4240    case $(uncrustify --version) in
4241        *0.75.1*) true;;
4242        *) false;;
4243    esac
4244}
4245
4246component_check_python_files () {
4247    msg "Lint: Python scripts"
4248    tests/scripts/check-python-files.sh
4249}
4250
4251component_check_test_helpers () {
4252    msg "unit test: generate_test_code.py"
4253    # unittest writes out mundane stuff like number or tests run on stderr.
4254    # Our convention is to reserve stderr for actual errors, and write
4255    # harmless info on stdout so it can be suppress with --quiet.
4256    ./tests/scripts/test_generate_test_code.py 2>&1
4257
4258    msg "unit test: translate_ciphers.py"
4259    python3 -m unittest tests/scripts/translate_ciphers.py 2>&1
4260}
4261
4262################################################################
4263#### Termination
4264################################################################
4265
4266post_report () {
4267    msg "Done, cleaning up"
4268    final_cleanup
4269
4270    final_report
4271}
4272
4273
4274
4275################################################################
4276#### Run all the things
4277################################################################
4278
4279# Function invoked by --error-test to test error reporting.
4280pseudo_component_error_test () {
4281    msg "Testing error reporting $error_test_i"
4282    if [ $KEEP_GOING -ne 0 ]; then
4283        echo "Expect three failing commands."
4284    fi
4285    # If the component doesn't run in a subshell, changing error_test_i to an
4286    # invalid integer will cause an error in the loop that runs this function.
4287    error_test_i=this_should_not_be_used_since_the_component_runs_in_a_subshell
4288    # Expected error: 'grep non_existent /dev/null -> 1'
4289    grep non_existent /dev/null
4290    # Expected error: '! grep -q . tests/scripts/all.sh -> 1'
4291    not grep -q . "$0"
4292    # Expected error: 'make unknown_target -> 2'
4293    make unknown_target
4294    false "this should not be executed"
4295}
4296
4297# Run one component and clean up afterwards.
4298run_component () {
4299    current_component="$1"
4300    export MBEDTLS_TEST_CONFIGURATION="$current_component"
4301
4302    # Unconditionally create a seedfile that's sufficiently long.
4303    # Do this before each component, because a previous component may
4304    # have messed it up or shortened it.
4305    local dd_cmd
4306    dd_cmd=(dd if=/dev/urandom of=./tests/seedfile bs=64 count=1)
4307    case $OSTYPE in
4308        linux*|freebsd*|openbsd*) dd_cmd+=(status=none)
4309    esac
4310    "${dd_cmd[@]}"
4311
4312    # Run the component in a subshell, with error trapping and output
4313    # redirection set up based on the relevant options.
4314    if [ $KEEP_GOING -eq 1 ]; then
4315        # We want to keep running if the subshell fails, so 'set -e' must
4316        # be off when the subshell runs.
4317        set +e
4318    fi
4319    (
4320        if [ $QUIET -eq 1 ]; then
4321            # msg() will be silenced, so just print the component name here.
4322            echo "${current_component#component_}"
4323            exec >/dev/null
4324        fi
4325        if [ $KEEP_GOING -eq 1 ]; then
4326            # Keep "set -e" off, and run an ERR trap instead to record failures.
4327            set -E
4328            trap err_trap ERR
4329        fi
4330        # The next line is what runs the component
4331        "$@"
4332        if [ $KEEP_GOING -eq 1 ]; then
4333            trap - ERR
4334            exit $last_failure_status
4335        fi
4336    )
4337    component_status=$?
4338    if [ $KEEP_GOING -eq 1 ]; then
4339        set -e
4340        if [ $component_status -ne 0 ]; then
4341            failure_count=$((failure_count + 1))
4342        fi
4343    fi
4344
4345    # Restore the build tree to a clean state.
4346    cleanup
4347    unset current_component
4348}
4349
4350# Preliminary setup
4351pre_check_environment
4352pre_initialize_variables
4353pre_parse_command_line "$@"
4354
4355pre_check_git
4356pre_restore_files
4357pre_back_up
4358
4359build_status=0
4360if [ $KEEP_GOING -eq 1 ]; then
4361    pre_setup_keep_going
4362fi
4363pre_prepare_outcome_file
4364pre_print_configuration
4365pre_check_tools
4366cleanup
4367pre_generate_files
4368
4369# Run the requested tests.
4370for ((error_test_i=1; error_test_i <= error_test; error_test_i++)); do
4371    run_component pseudo_component_error_test
4372done
4373unset error_test_i
4374for component in $RUN_COMPONENTS; do
4375    run_component "component_$component"
4376done
4377
4378# We're done.
4379post_report
4380