
Driver-only hashes: TLS 1.2: `test_suite_ssl`

Open mpg opened this issue 3 years ago • 0 comments

Currently, the common SSL modules have a declared dependency on MBEDTLS_MD_C (in check_config.h), and some parts (TLS 1.2, cookie) have declared dependencies on MBEDTLS_SHA256_C || MBEDTLS_SHA384_C. However, when MBEDTLS_USE_PSA_CRYPTO is enabled, no code in TLS 1.2 uses MD or the low-level hash modules. So it should be possible to build TLS 1.2 with all hashes provided by drivers and no md.c. This task is about doing that and making sure test_suite_ssl passes with good test coverage in a build with driver-only hashes.

  • [x] Adjust declared dependencies in test_suite_ssl (data and function) by replacing MBEDTLS_MD5_C and MBEDTLS_SHAxxx_C with the corresponding MBEDTLS_HAS_ALG_xxx_VIA_MD_OR_PSA macros (see library/legacy_or_psa.h) - depends on #6065 and #6120. Note: after this step, all tests should pass, and test coverage should be unchanged in the default and full config (see last item too).
  • [x] Adjust declared dependencies in ssl_ciphersuites.c, ssl_tls.c, ssl_misc.h and ssl_cookie.c in the same way. Special case: in ssl_cookie.c make sure the definitions of COOKIE_MD_OUTLEN and COOKIE_HMAC_LEN remain correct. (Same note as previous point about testing.)
  • [ ] In check_config.h, for TLS 1.2, change dependencies on MD_C to MD_C || USE_PSA, and dependencies on SHAxxx_C to SHAxxx_C || (USE_PSA && WANT_ALG_SHA_xxx). Adjust the description in mbedtls_config.h with a warning (as in #6141).
  • [ ] In all.sh component component_test_psa_crypto_config_accel_hash_use_psa, stop removing TLS 1.2 from the build.
  • [ ] Fix any build or test failure that may arise in that component.
  • [ ] Check that there is no test gap when comparing that component to a similar software-based config, or when comparing the default & full configs before and after this PR. The template script docs/architecture/psa-migration/outcome-analysis.sh can be used for that, after suitable editing (for example, SUITES='test_suite_ssl').

Depends on: #6065, #6120, #6127 (a lot of TLS tests rely on X.509). Follow-ups: #6128, #6129, #6132

mpg, Jul 25 '22 09:07
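The test-gap check in the last task item, sketched as an added example (not part of the issue and not the project's outcome-analysis.sh): it lists test_suite_ssl cases that pass in a software-based reference build but are skipped or absent in the driver-only build. Assumptions: the outcome file uses semicolon-separated fields in the order platform;configuration;suite;case;result;cause, `reference_config` is a hypothetical configuration name, and the sample lines are constructed.

```python
# Constructed sample outcome lines (not real test results).
# Assumed field order: platform;configuration;suite;case;result;cause
SAMPLE = """\
Linux-x86_64;reference_config;test_suite_ssl;Handshake, SHA-256;PASS;
Linux-x86_64;reference_config;test_suite_ssl;Handshake, SHA-384;PASS;
Linux-x86_64;reference_config;test_suite_ssl;Cookie HMAC;PASS;
Linux-x86_64;reference_config;test_suite_x509parse;Parse cert;PASS;
Linux-x86_64;component_test_psa_crypto_config_accel_hash_use_psa;test_suite_ssl;Handshake, SHA-256;PASS;
Linux-x86_64;component_test_psa_crypto_config_accel_hash_use_psa;test_suite_ssl;Handshake, SHA-384;SKIP;
"""

DRIVER = "component_test_psa_crypto_config_accel_hash_use_psa"
REFERENCE = "reference_config"  # hypothetical name for the software-based build


def load_results(text, config, suites):
    """Return {(suite, case): result} for one configuration, limited to suites."""
    results = {}
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 5:
            continue  # blank or malformed line
        _platform, cfg, suite, case, result = fields[:5]
        if cfg == config and suite in suites:
            results[(suite, case)] = result
    return results


def find_test_gaps(text, reference, driver, suites=("test_suite_ssl",)):
    """List (suite, case, driver_result) for cases that PASS in the reference
    build but do not PASS in the driver build (SKIP, FAIL or MISSING)."""
    ref = load_results(text, reference, suites)
    drv = load_results(text, driver, suites)
    gaps = []
    for (suite, case), result in sorted(ref.items()):
        if result == "PASS" and drv.get((suite, case)) != "PASS":
            gaps.append((suite, case, drv.get((suite, case), "MISSING")))
    return gaps


if __name__ == "__main__":
    for suite, case, status in find_test_gaps(SAMPLE, REFERENCE, DRIVER):
        print(f"{suite}: {case}: {status} in driver-only build")
```

A SKIP in the driver-only build usually points at a test dependency still declared on a legacy MBEDTLS_xxx_C macro, which is what the first two task items address.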