diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index dcc844c4f..cbeda8293 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2289,6 +2289,140 @@ component_test_psa_crypto_config_reference_all_ec_algs_use_psa () { tests/ssl-opt.sh } +# This helper function is used by: +# - component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa() +# - component_test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa() +# to ensure that both tests use the same underlying configuration when testing +# driver's coverage with analyze_outcomes.py. +# +# This functions accepts 1 boolean parameter as follows: +# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore +# excluding their built-in implementation as well as ECP_C & ECP_LIGHT +# - 0: include built-in implementation of EC algorithms. +# +# PK_C and RSA_C are always disabled to ensure there is no remaining dependency +# on the ECP module. +config_psa_crypto_full_all_ec_algs_no_ecp_use_psa () { + DRIVER_ONLY="$1" + # start with crypto_full config for maximum coverage (also enables USE_PSA), + # but excluding X509, TLS and key exchanges + scripts/config.py crypto_full + # enable support for drivers and configuring PSA-only algorithms + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + if [ "$DRIVER_ONLY" -eq 1 ]; then + # Disable modules that are accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + # Disable ECP module (entirely) + scripts/config.py unset MBEDTLS_ECP_C + scripts/config.py unset MBEDTLS_ECP_LIGHT + fi + + # Disable PK module since it depends on ECP + scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + # Disable also RSA_C that would re-enable PK + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + # Disable also key exchanges that depend on RSA for completeness + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + # Disable PSA_WANT symbols that would re-enable PK + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + for ALG in $(sed -n 's/^#define \(PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do + scripts/config.py -f include/psa/crypto_config.h unset $ALG + done +} + +# Build and test a configuration where driver accelerates all EC algs while +# all support and dependencies from ECP and ECP_LIGHT are removed on the library +# side. +# +# Keep in sync with component_test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa() +component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa () { + msg "build: crypto_full + accelerated EC algs + USE_PSA - ECP" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + + # Set common configurations between library's and driver's builds + config_psa_crypto_full_all_ec_algs_no_ecp_use_psa 1 + + # Configure and build the test driver library + # ------------------------------------------- + + # Things we wanted supported in libtestdriver1, but not accelerated in the main library: + # SHA-1 and all SHA-2 variants, as they are used by ECDSA deterministic. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" + loc_accel_flags=$( echo "$loc_accel_list $loc_extra_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + # Configure and build the main libraries with drivers enabled + # ----------------------------------------------------------- + + # Build the library + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + loc_symbols="-DPSA_CRYPTO_DRIVER_TEST \ + -DMBEDTLS_TEST_LIBTESTDRIVER1" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests $loc_symbols $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + # Make sure any built-in EC alg was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecjpake_ library/ecjpake.o + # Also ensure that ECP or RSA modules were not re-enabled + not grep mbedtls_ecp_ library/ecp.o + not grep mbedtls_rsa_ library/rsa.o + + # Run the tests + # ------------- + + msg "test suites: crypto_full + accelerated EC algs + USE_PSA - ECP" + make test +} + +# Reference function used for driver's coverage analysis in analyze_outcomes.py +# in conjunction with component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa(). +# Keep in sync with its accelerated counterpart. +component_test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa () { + msg "build: crypto_full + non accelerated EC algs + USE_PSA" + + config_psa_crypto_full_all_ec_algs_no_ecp_use_psa 0 + + make + + # Esure that the RSA module was not re-enabled + not grep mbedtls_rsa_ library/rsa.o + + msg "test suites: crypto_full + non accelerated EC algs + USE_PSA" + make test +} + # Helper function used in: # - component_test_psa_crypto_config_accel_all_curves_except_p192 # - component_test_psa_crypto_config_accel_all_curves_except_x25519 diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 1eefe31da..293459b11 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -251,6 +251,41 @@ TASKS = { } } }, + 'analyze_driver_vs_reference_all_ec_algs_no_ecp': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa', + 'component_driver': 'test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa', + 'ignored_suites': [ + # Ignore test suites for the modules that are disabled in the + # accelerated test case. + 'ecp', + 'ecdsa', + 'ecdh', + 'ecjpake', + ], + 'ignored_tests': { + 'test_suite_random': [ + 'PSA classic wrapper: ECDSA signature (SECP256R1)', + ], + 'test_suite_psa_crypto': [ + 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1', + 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)', + 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA', + 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1', + 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0', + 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1', + 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)', + 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)', + 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)', + 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)', + 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)', + 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)', + 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)', + ] + } + } + }, } def main(): diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 6c3d06f62..2656deb43 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -727,14 +727,12 @@ int mbedtls_test_psa_exported_key_sanity_check( } else #endif /* MBEDTLS_ASN1_PARSE_C */ -#if defined(MBEDTLS_ECP_LIGHT) if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { /* Just the secret value */ TEST_EQUAL(exported_length, PSA_BITS_TO_BYTES(bits)); TEST_ASSERT(exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE); } else -#endif /* MBEDTLS_ECP_LIGHT */ #if defined(MBEDTLS_ASN1_PARSE_C) if (type == PSA_KEY_TYPE_RSA_PUBLIC_KEY) { @@ -766,7 +764,6 @@ int mbedtls_test_psa_exported_key_sanity_check( } else #endif /* MBEDTLS_ASN1_PARSE_C */ -#if defined(MBEDTLS_ECP_LIGHT) if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type)) { TEST_ASSERT(exported_length <= @@ -792,10 +789,7 @@ int mbedtls_test_psa_exported_key_sanity_check( TEST_EQUAL(1 + 2 * PSA_BITS_TO_BYTES(bits), exported_length); TEST_EQUAL(exported[0], 4); } - } else -#endif /* MBEDTLS_ECP_LIGHT */ - - { + } else { (void) exported; TEST_ASSERT(!"Sanity check not implemented for this key type"); }