From d3d0652dcad175ac0c0be67a85c8682f233d4bab Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 31 Jul 2025 21:53:41 +0200 Subject: [PATCH 01/11] Update framework submodule with config_history.py Signed-off-by: Gilles Peskine --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 59d77ef0528..0bfaf0ed972 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 59d77ef0528f368b7c8cc39870fef6adab5241db +Subproject commit 0bfaf0ed9721b3858e8982698c618ee748b21a7d From 24d058bc6c09118d897cef42c0a7f91fbdbd3b07 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Apr 2025 18:30:35 +0200 Subject: [PATCH 02/11] Enable checks for bad options in the config file Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 5 +++++ library/mbedtls_config.c | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index e40482a99a4..7b7ff49f5aa 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -68,6 +68,11 @@ #include MBEDTLS_USER_CONFIG_FILE #endif +/* For the sake of consistency checks in mbedtls_config.c */ +#if defined(MBEDTLS_INCLUDE_AFTER_RAW_CONFIG) +#include MBEDTLS_INCLUDE_AFTER_RAW_CONFIG +#endif + /* Indicate that all configuration files have been read. * It is now time to adjust the configuration (follow through on dependencies, * make PSA and legacy crypto consistent, etc.). diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c index 679f8e36f9a..a3deae31526 100644 --- a/library/mbedtls_config.c +++ b/library/mbedtls_config.c 
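Review bot: The new `MBEDTLS_INCLUDE_AFTER_RAW_CONFIG` block in include/mbedtls/build_info.h includes whatever header the macro names, in any translation unit that includes this public header, yet its comment does not say the macro is reserved for library/mbedtls_config.c. Because the include sits after the user config file, a definition coming from a config file or a `-D` flag would pull an extra header into the build. It would also be a macro redefinition against the unconditional `#define MBEDTLS_INCLUDE_AFTER_RAW_CONFIG "mbedtls_config_check_user.h"` added in mbedtls_config.c. I would extend the comment to something like `/* Internal hook: only library/mbedtls_config.c may define MBEDTLS_INCLUDE_AFTER_RAW_CONFIG. Not a configuration option. */`.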
@@ -6,8 +6,29 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ +/* Apply the TF-PSA-Crypto configuration first. We need to do this + * before , because "mbedtls_config_check_before.h" + * needs to run after the crypto config (including derived macros) is + * finalized, but before the user's mbedtls config is applied. This way + * it is possible to differentiate macros set by the user's mbedtls config + * from macros set or derived by the crypto config. */ +#include + +/* Consistency checks on the user's configuration. + * Check that it doesn't define macros that we assume are under full + * control of the library, or options from past major versions that + * no longer have any effect. + * These headers are automatically generated. See + * framework/scripts/mbedtls_framework/config_checks_generator.py + */ +#include "mbedtls_config_check_before.h" +#define MBEDTLS_INCLUDE_AFTER_RAW_CONFIG "mbedtls_config_check_user.h" + #include /* Consistency checks in the configuration: check for incompatible options, * missing options when at least one of a set needs to be enabled, etc. */ +/* Manually written checks */ #include "mbedtls_check_config.h" +/* Automatically generated checks */ +#include "mbedtls_config_check_final.h" From 24273c06db37ad4fa67cf15b0b5df8645c0fab65 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Jul 2025 22:27:09 +0200 Subject: [PATCH 03/11] Checks for crypto options or internal macros set in mbedtls Signed-off-by: Gilles Peskine --- scripts/generate_config_checks.py | 8 ++++++ tests/scripts/test_config_checks.py | 38 +++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py index b0dc26b1916..c5d8054207c 100755 --- a/scripts/generate_config_checks.py +++ b/scripts/generate_config_checks.py 
@@ -7,11 +7,19 @@ from mbedtls_framework.config_checks_generator import * \ #pylint: disable=wildcard-import,unused-wildcard-import +class CryptoInternal(SubprojectInternal): + SUBPROJECT = 'TF-PSA-Crypto' + +class CryptoOption(SubprojectOption): + SUBPROJECT = 'psa/crypto_config.h' + MBEDTLS_CHECKS = BranchData( header_directory='library', header_prefix='mbedtls_', project_cpp_prefix='MBEDTLS', checkers=[ + CryptoInternal('MBEDTLS_MD5_C', 'PSA_WANT_ALG_MD5 in psa/crypto_config.h'), + CryptoOption('MBEDTLS_BASE64_C'), Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'), Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'), ], diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index 7403f7ebdbe..911e2d9a586 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py 
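Review bot: `CryptoInternal.SUBPROJECT` is a project name (`'TF-PSA-Crypto'`) while `CryptoOption.SUBPROJECT` is a header path (`'psa/crypto_config.h'`), and neither class has a docstring saying which form the base class expects. The tests added in this commit match `psa/crypto_config\.h` in the message for `MBEDTLS_BASE64_C`, so the difference looks deliberate, but a reader of this file cannot tell. I would add one-line docstrings such as `"""Macro internal to TF-PSA-Crypto; must not be set by the user."""` and `"""Option that now belongs in psa/crypto_config.h."""`. The base classes come from the wildcard import and are not visible here.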
@@ -55,5 +55,43 @@ def test_mbedtls_no_ecdsa(self) -> None: error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) + def test_define_MBEDTLS_MD5_C_redundant(self) -> None: + """Error when redundantly setting a subproject internal option.""" + self.bad_case('#define PSA_WANT_ALG_MD5 1', + '#define MBEDTLS_MD5_C', + error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h') + + def test_define_MBEDTLS_MD5_C_added(self) -> None: + """Error when setting a subproject internal option that was disabled.""" + self.bad_case(''' + #undef PSA_WANT_ALG_MD5 + #undef MBEDTLS_MD5_C + ''', + '#define MBEDTLS_MD5_C', + error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h') + + def test_define_MBEDTLS_BASE64_C_redundant(self) -> None: + """Ok to redundantly set a subproject option.""" + self.good_case(None, + '#define MBEDTLS_BASE64_C') + + def test_define_MBEDTLS_BASE64_C_added(self) -> None: + """Error when setting a subproject option that was disabled.""" + self.bad_case(''' + #undef MBEDTLS_BASE64_C + #undef MBEDTLS_PEM_PARSE_C + #undef MBEDTLS_PEM_WRITE_C + ''', + '#define MBEDTLS_BASE64_C', + error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h') + + @unittest.skip("Checks for #undef are not implemented yet.") + def test_define_MBEDTLS_BASE64_C_unset(self) -> None: + """Error when unsetting a subproject option that was enabled.""" + self.bad_case(None, + '#undef MBEDTLS_BASE64_C', + error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h') + + if __name__ == '__main__': unittest.main() From 8e44a94d395c011fdba40f4bb83f6d648169b048 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 15 Sep 2025 15:27:20 +0200 Subject: [PATCH 04/11] Automatically generate checkers for removed options Read the list of historical config options in 3.6, compare that to 1.0/4.0 and emit the appropriate checkers. 
Signed-off-by: Gilles Peskine --- scripts/generate_config_checks.py | 29 +++++++++++++++++++++++------ tests/scripts/test_config_checks.py | 4 ++-- 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py index c5d8054207c..a2a174bb4cb 100755 --- a/scripts/generate_config_checks.py +++ b/scripts/generate_config_checks.py @@ -3,9 +3,12 @@ """Generate C preprocessor code to check for bad configurations. """ +from typing import Iterator + import framework_scripts_path # pylint: disable=unused-import from mbedtls_framework.config_checks_generator import * \ #pylint: disable=wildcard-import,unused-wildcard-import +from mbedtls_framework import config_history class CryptoInternal(SubprojectInternal): SUBPROJECT = 'TF-PSA-Crypto' 
@@ -13,16 +16,30 @@ class CryptoInternal(SubprojectInternal): class CryptoOption(SubprojectOption): SUBPROJECT = 'psa/crypto_config.h' +def checkers_for_removed_options() -> Iterator[Checker]: + """Discover removed options. Yield corresponding checkers.""" + history = config_history.ConfigHistory() + old_public = history.options('mbedtls', '3.6') + new_public = history.options('mbedtls', '4.0') + crypto_public = history.options('tfpsacrypto', '1.0') + crypto_internal = history.internal('tfpsacrypto', '1.0') + for option in sorted(old_public - new_public): + if option in crypto_public: + yield CryptoOption(option) + elif option in crypto_internal: + yield CryptoInternal(option) + else: + yield Removed(option, 'Mbed TLS 4.0') + +def all_checkers() -> Iterator[Checker]: + """Yield all checkers.""" + yield from checkers_for_removed_options() + MBEDTLS_CHECKS = BranchData( header_directory='library', header_prefix='mbedtls_', project_cpp_prefix='MBEDTLS', - checkers=[ - CryptoInternal('MBEDTLS_MD5_C', 'PSA_WANT_ALG_MD5 in psa/crypto_config.h'), - CryptoOption('MBEDTLS_BASE64_C'), - Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'), - Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'), - ], + checkers=list(all_checkers()), ) if __name__ == '__main__': diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index 911e2d9a586..86fd4db095e 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py @@ -59,7 +59,7 @@ def test_define_MBEDTLS_MD5_C_redundant(self) -> None: """Error when redundantly setting a subproject internal option.""" self.bad_case('#define PSA_WANT_ALG_MD5 1', '#define MBEDTLS_MD5_C', - error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h') + error=r'MBEDTLS_MD5_C is an internal macro') def test_define_MBEDTLS_MD5_C_added(self) -> None: """Error when setting a subproject internal option that was disabled.""" 
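Review bot: `yield CryptoInternal(option)` in `checkers_for_removed_options` drops the replacement hint that the hand-written entry carried (`'PSA_WANT_ALG_MD5 in psa/crypto_config.h'`), so the generated error for an internal macro no longer tells the user what to set instead. The two test hunks in this commit loosen their regex to `MBEDTLS_MD5_C is an internal macro` to match, so the tests no longer pin the helpful part of the message. If the history data cannot supply the mapping, a small override table consulted before the generic case (for example `INTERNAL_REPLACEMENTS = {'MBEDTLS_MD5_C': 'PSA_WANT_ALG_MD5 in psa/crypto_config.h'}`) would keep it. Separately, `checkers=list(all_checkers())` constructs `ConfigHistory()` when the module is imported, so anything that imports this file depends on the history data loading successfully.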
@@ -68,7 +68,7 @@ def test_define_MBEDTLS_MD5_C_added(self) -> None: #undef MBEDTLS_MD5_C ''', '#define MBEDTLS_MD5_C', - error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h') + error=r'MBEDTLS_MD5_C is an internal macro') def test_define_MBEDTLS_BASE64_C_redundant(self) -> None: """Ok to redundantly set a subproject option.""" From 379d38de1cfc99d6c5c4f82dc5d9d17557332d98 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Apr 2025 18:30:47 +0200 Subject: [PATCH 05/11] Unit tests for checks for removed options in the config file Signed-off-by: Gilles Peskine --- tests/scripts/test_config_checks.py | 30 ++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index 86fd4db095e..dceadf6b7ca 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py @@ -22,12 +22,23 @@ class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): 'tf-psa-crypto/drivers/builtin/include', ] + def test_crypto_config_read(self) -> None: + """Check that crypto_config.h is read in crypto.""" + self.bad_case('#error witness', + None, + error='witness') + + def test_mbedtls_config_read(self) -> None: + """Check that mbedtls_config.h is read in crypto.""" + self.bad_case('' + '#error witness', + error='witness') + @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.") - def test_crypto_no_fs_io(self) -> None: + def test_crypto_undef_MBEDTLS_FS_IO(self) -> None: """A sample error expected from crypto's check_config.h.""" self.bad_case('#undef MBEDTLS_FS_IO', - None, - error=('MBEDTLS_PSA_ITS_FILE_C')) + error='MBEDTLS_PSA_ITS_FILE_C') def test_mbedtls_no_session_tickets_for_early_data(self) -> None: """An error expected from mbedtls_check_config.h based on the TLS configuration.""" 
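Review bot: In `test_mbedtls_config_read`, `self.bad_case('' '#error witness', error='witness')` has no comma between the two string literals, so Python concatenates them and passes `'#error witness'` as the first positional argument. Judging by the other calls on this page (`self.bad_case(None, '#define ...', error=...)`), the first argument is the crypto config and the second the mbedtls config. That makes this test a duplicate of `test_crypto_config_read` and leaves the reading of mbedtls_config.h unchecked. The call should be `self.bad_case(None, '#error witness', error='witness')`. `bad_case` is defined outside this page, so the argument order is inferred from its callers.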
@@ -36,7 +47,7 @@ def test_mbedtls_no_session_tickets_for_early_data(self) -> None: #define MBEDTLS_SSL_EARLY_DATA #undef MBEDTLS_SSL_SESSION_TICKETS ''', - error=('MBEDTLS_SSL_EARLY_DATA')) + error='MBEDTLS_SSL_EARLY_DATA') def test_mbedtls_no_ecdsa(self) -> None: """An error expected from mbedtls_check_config.h based on crypto+TLS configuration.""" @@ -52,8 +63,17 @@ def test_mbedtls_no_ecdsa(self) -> None: #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected #endif ''', - error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) + error='MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED') + + def test_mbedtls_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: + """Error when setting a removed option.""" + self.bad_case('#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + error='MBEDTLS_KEY_EXCHANGE_RSA_ENABLED was removed') + def test_mbedtls_exempt_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: + """Bypassed error when setting a removed option.""" + self.good_case('#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + extra_options=['-DMBEDTLS_CONFIG_CHECK_BYPASS']) def test_define_MBEDTLS_MD5_C_redundant(self) -> None: """Error when redundantly setting a subproject internal option.""" From cc1ac1d3dccfc87dacd29743358e36e41c5cd5f4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 19 Sep 2025 22:03:15 +0200 Subject: [PATCH 06/11] CMake: support generated headers Signed-off-by: Gilles Peskine --- library/CMakeLists.txt | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 063703bfe8c..6c2b6bb0e6e 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -118,6 +118,13 @@ if(GEN_FILES) ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c ${CMAKE_CURRENT_BINARY_DIR}/version_features.c ) + + # List generated headers as sources explicitly. Normally CMake finds + # headers by tracing include directives, but if that happens before the + # generated headers are generated, this process doesn't find them. + list(APPEND src_x509 + ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS} + ) endif() if(CMAKE_COMPILER_IS_GNUCC) @@ -237,7 +244,9 @@ foreach(target IN LISTS target_libraries) $ PRIVATE ${MBEDTLS_DIR}/library/ ${MBEDTLS_DIR}/tf-psa-crypto/core - ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src) + ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src + # needed for generated headers + ${CMAKE_CURRENT_BINARY_DIR}) set_config_files_compile_definitions(${target}) install( TARGETS ${target} From c45d9ac4c2b6affb87e5128f04c4bcba15ca2b6d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 19 Sep 2025 22:17:05 +0200 Subject: [PATCH 07/11] Allow setting removed options that are now always on Signed-off-by: Gilles Peskine --- scripts/generate_config_checks.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py index a2a174bb4cb..bae93c36628 100755 --- a/scripts/generate_config_checks.py +++ b/scripts/generate_config_checks.py @@ -16,6 +16,11 @@ class CryptoInternal(SubprojectInternal): class CryptoOption(SubprojectOption): SUBPROJECT = 'psa/crypto_config.h' +ALWAYS_ENABLED_SINCE_4_0 = frozenset([ + 'MBEDTLS_PSA_CRYPTO_CONFIG', + 'MBEDTLS_USE_PSA_CRYPTO', +]) + def checkers_for_removed_options() -> Iterator[Checker]: """Discover removed options. Yield corresponding checkers.""" history = config_history.ConfigHistory() 
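Review bot: `${CMAKE_CURRENT_BINARY_DIR}` is added after `${MBEDTLS_DIR}/library/` in the PRIVATE include list, and the generated headers are included with quotes from library/mbedtls_config.c, so a copy of `mbedtls_config_check_*.h` left in the source tree would be found before the one CMake generates. The generator in this series is configured with `header_directory='library'`, which suggests such in-tree copies can exist after a make build; a stale one would mean the compiled configuration checks are not the ones just generated. I would add a configure-time check that fails when these headers exist under `${MBEDTLS_DIR}/library/` in an out-of-tree build, or at least extend the comment to `# needed for generated headers; in-tree copies in library/ take precedence`. The enclosing `foreach` and include-directories call start outside the hunk, and `${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}` from the first hunk is set outside this diff.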
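Review bot: `ALWAYS_ENABLED_SINCE_4_0` has no comment, and nothing checks that its entries are real removed options, so a misspelled or obsolete name in the set is skipped silently by the `continue` added in the loop hunk of this commit. I would add `# Removed in 4.0 but now unconditionally on: defining them is harmless, so no checker is generated.` above the set. In `checkers_for_removed_options` I would compute `removed = old_public - new_public` once and raise an error if `ALWAYS_ENABLED_SINCE_4_0 - removed` is non-empty.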
@@ -24,6 +29,8 @@ def checkers_for_removed_options() -> Iterator[Checker]: crypto_public = history.options('tfpsacrypto', '1.0') crypto_internal = history.internal('tfpsacrypto', '1.0') for option in sorted(old_public - new_public): + if option in ALWAYS_ENABLED_SINCE_4_0: + continue if option in crypto_public: yield CryptoOption(option) elif option in crypto_internal: From 562763b5bde95f1820142205f2a2f93143c26cce Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Sep 2025 16:18:35 +0200 Subject: [PATCH 08/11] Add dependency of mbedtls_config on generated config check headers Fix the build of libmbedx509 when generated files are not already present. Signed-off-by: Gilles Peskine --- library/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/Makefile b/library/Makefile index a0b6d6eb1d3..9085ab481c6 100644 --- a/library/Makefile +++ b/library/Makefile @@ -346,6 +346,8 @@ $(GENERATED_CONFIG_CHECK_FILES): echo " Gen $(GENERATED_CONFIG_CHECK_FILES)" $(PYTHON) ../scripts/generate_config_checks.py +mbedtls_config.o: $(GENERATED_CONFIG_CHECK_FILES) + TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \ $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ --list $(TF_PSA_CRYPTO_CORE_PATH)) From 4bb82fdb16f074204759b133b793752f54bdae68 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 24 Sep 2025 10:30:13 +0200 Subject: [PATCH 09/11] Fix copypasta in documentation Signed-off-by: Gilles Peskine --- tests/scripts/test_config_checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index dceadf6b7ca..edaf525f6d4 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py 
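Review bot: The new prerequisite `mbedtls_config.o: $(GENERATED_CONFIG_CHECK_FILES)` hangs off a rule that lists several targets with one recipe, which GNU make treats as independent targets. Under `make -j` the generator can therefore be started once per missing header, and the runs can overwrite each other's output. If the minimum supported GNU make allows it, a grouped-target rule (`$(GENERATED_CONFIG_CHECK_FILES) &:`) runs the recipe once; otherwise a single stamp file as the prerequisite does the same. The rule starts in the context lines above the added line and the contents of `GENERATED_CONFIG_CHECK_FILES` are not visible here, so this is worth confirming before changing.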
@@ -23,13 +23,13 @@ class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): ] def test_crypto_config_read(self) -> None: - """Check that crypto_config.h is read in crypto.""" + """Check that crypto_config.h is read in mbedtls.""" self.bad_case('#error witness', None, error='witness') def test_mbedtls_config_read(self) -> None: - """Check that mbedtls_config.h is read in crypto.""" + """Check that mbedtls_config.h is read in mbedtls.""" self.bad_case('' '#error witness', error='witness') From f7ed4e506fcef9efcd74840c105f51087b20e3f1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 24 Sep 2025 10:32:55 +0200 Subject: [PATCH 10/11] Add test case for allowing setting an always-on removed option Signed-off-by: Gilles Peskine --- tests/scripts/test_config_checks.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index edaf525f6d4..ee624d886f1 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py @@ -112,6 +112,15 @@ def test_define_MBEDTLS_BASE64_C_unset(self) -> None: '#undef MBEDTLS_BASE64_C', error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h') + def test_crypto_define_MBEDTLS_USE_PSA_CRYPTO(self) -> None: + """It's ok to set MBEDTLS_USE_PSA_CRYPTO (now effectively always on).""" + self.good_case('#define MBEDTLS_USE_PSA_CRYPTO') + + def test_crypto_define_MBEDTLS_USE_PSA_CRYPTO(self) -> None: + """It's ok to set MBEDTLS_USE_PSA_CRYPTO (now effectively always on).""" + self.good_case(None, + '#define MBEDTLS_USE_PSA_CRYPTO') + if __name__ == '__main__': unittest.main() From 3cee43e8ab8a81a002771d4dbf5d33fa3a6b4dee Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 24 Sep 2025 15:48:58 +0200 Subject: [PATCH 11/11] Be more consistent about method naming Indicate which config file has the most relevant tweak. Duplicate a few test cases so that both the crypto config and the mbedtls config are tested. 
Signed-off-by: Gilles Peskine --- tests/scripts/test_config_checks.py | 38 ++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py index ee624d886f1..2c6f6b3c816 100755 --- a/tests/scripts/test_config_checks.py +++ b/tests/scripts/test_config_checks.py @@ -22,6 +22,10 @@ class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): 'tf-psa-crypto/drivers/builtin/include', ] + ## Method naming convention: + ## * test_crypto_xxx when testing a tweak of crypto_config.h + ## * test_mbedtls_xxx when testing a tweak of mbedtls_config.h + def test_crypto_config_read(self) -> None: """Check that crypto_config.h is read in mbedtls.""" self.bad_case('#error witness', @@ -49,7 +53,7 @@ def test_mbedtls_no_session_tickets_for_early_data(self) -> None: ''', error='MBEDTLS_SSL_EARLY_DATA') - def test_mbedtls_no_ecdsa(self) -> None: + def test_crypto_mbedtls_no_ecdsa(self) -> None: """An error expected from mbedtls_check_config.h based on crypto+TLS configuration.""" self.bad_case(''' #undef PSA_WANT_ALG_ECDSA 
@@ -65,23 +69,35 @@ def test_mbedtls_no_ecdsa(self) -> None: ''', error='MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED') - def test_mbedtls_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: - """Error when setting a removed option.""" + def test_crypto_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: + """Error when setting a removed option via crypto_config.h.""" self.bad_case('#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', error='MBEDTLS_KEY_EXCHANGE_RSA_ENABLED was removed') - def test_mbedtls_exempt_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: - """Bypassed error when setting a removed option.""" + def test_mbedtls_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: + """Error when setting a removed option via mbedtls_config.h.""" + self.bad_case(None, + '#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + error='MBEDTLS_KEY_EXCHANGE_RSA_ENABLED was removed') + + def test_crypto_exempt_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: + """Bypassed error when setting a removed option via crypto_config.h.""" self.good_case('#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', extra_options=['-DMBEDTLS_CONFIG_CHECK_BYPASS']) - def test_define_MBEDTLS_MD5_C_redundant(self) -> None: + def test_mbedtls_exempt_define_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED(self) -> None: + """Bypassed error when setting a removed option via mbedtls_config.h.""" + self.good_case(None, + '#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + extra_options=['-DMBEDTLS_CONFIG_CHECK_BYPASS']) + + def test_mbedtls_define_MBEDTLS_MD5_C_redundant(self) -> None: """Error when redundantly setting a subproject internal option.""" self.bad_case('#define PSA_WANT_ALG_MD5 1', '#define MBEDTLS_MD5_C', error=r'MBEDTLS_MD5_C is an internal macro') - def test_define_MBEDTLS_MD5_C_added(self) -> None: + def test_mbedtls_define_MBEDTLS_MD5_C_added(self) -> None: """Error when setting a subproject internal option that was disabled.""" self.bad_case(''' #undef PSA_WANT_ALG_MD5 
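Review bot: The two `exempt` cases pin `-DMBEDTLS_CONFIG_CHECK_BYPASS` only for a removed option, so the scope of the bypass is untested for the other checker kinds. Whether it also silences the internal-macro error (`#define MBEDTLS_MD5_C`) or the subproject-option error (`MBEDTLS_BASE64_C`) matters, because those checks guard against a configuration the crypto library does not expect, whereas a removed option simply has no effect. I would add one case per kind with `extra_options=['-DMBEDTLS_CONFIG_CHECK_BYPASS']`, written as `good_case` or `bad_case` according to the intended behaviour, and state in the docstrings what the bypass is meant for.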
@@ -90,12 +106,12 @@ def test_define_MBEDTLS_MD5_C_added(self) -> None: '#define MBEDTLS_MD5_C', error=r'MBEDTLS_MD5_C is an internal macro') - def test_define_MBEDTLS_BASE64_C_redundant(self) -> None: + def test_mbedtls_define_MBEDTLS_BASE64_C_redundant(self) -> None: """Ok to redundantly set a subproject option.""" self.good_case(None, '#define MBEDTLS_BASE64_C') - def test_define_MBEDTLS_BASE64_C_added(self) -> None: + def test_mbedtls_define_MBEDTLS_BASE64_C_added(self) -> None: """Error when setting a subproject option that was disabled.""" self.bad_case(''' #undef MBEDTLS_BASE64_C @@ -106,7 +122,7 @@ def test_define_MBEDTLS_BASE64_C_added(self) -> None: error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h') @unittest.skip("Checks for #undef are not implemented yet.") - def test_define_MBEDTLS_BASE64_C_unset(self) -> None: + def test_mbedtls_define_MBEDTLS_BASE64_C_unset(self) -> None: """Error when unsetting a subproject option that was enabled.""" self.bad_case(None, '#undef MBEDTLS_BASE64_C', @@ -116,7 +132,7 @@ def test_crypto_define_MBEDTLS_USE_PSA_CRYPTO(self) -> None: """It's ok to set MBEDTLS_USE_PSA_CRYPTO (now effectively always on).""" self.good_case('#define MBEDTLS_USE_PSA_CRYPTO') - def test_crypto_define_MBEDTLS_USE_PSA_CRYPTO(self) -> None: + def test_mbedtls_define_MBEDTLS_USE_PSA_CRYPTO(self) -> None: """It's ok to set MBEDTLS_USE_PSA_CRYPTO (now effectively always on).""" self.good_case(None, '#define MBEDTLS_USE_PSA_CRYPTO')