From 42d5f1959f3241cb094347f74cc4200befbd084d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 20 Mar 2023 13:54:41 +0100 Subject: [PATCH 01/14] test: add a test with all EC based algs accelerated Actually this adds both the accelerated test as well as the reference. Both of them are used to evaluate the driver's coverage with analyze_outcomes.py script. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 107 ++++++++++++++++++++++++++++++ tests/scripts/analyze_outcomes.py | 18 +++++ 2 files changed, 125 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index bafca0a83..d24da47de 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2410,6 +2410,113 @@ component_test_psa_crypto_config_reference_ecjpake_use_psa () { tests/ssl-opt.sh } +# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, +# ECDH, ECDSA) with and without drivers. +# +# This is used by the two following components to ensure they always use the +# same config, except for the use of driver or built-in EC algorithms: +# - component_test_psa_crypto_config_accel_all_ec_algs_use_psa; +# - component_test_psa_crypto_config_reference_all_ec_algs_use_psa. +# This support comparing their test coverage with analyze_outcomes.py. +config_psa_crypto_config_all_ec_algs_use_psa () { + DRIVER_ONLY="$1" + # start with config full for maximum coverage (also enables USE_PSA) + scripts/config.py full + # enable support for drivers and configuring PSA-only algorithms + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + if [ "$DRIVER_ONLY" -eq 1 ]; then + # Disable modules that are accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + fi + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. 
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+}
+
+# Keep in sync with component_test_psa_crypto_config_reference_all_ec_algs_use_psa
+component_test_psa_crypto_config_accel_all_ec_algs_use_psa () {
+ msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA"
+
+ # Algorithms and key types to accelerate
+ loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
+ ALG_ECDH \
+ ALG_JPAKE \
+ KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
+
+ # Configure and build the test driver library
+ # -------------------------------------------
+
+ # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
+ # partial support for cipher operations in the driver test library.
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
+ loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
+ # SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests.
+ # Note = we are NOT adding these ALG_SHA_xxx to the "loc_accel_flags" list
+ # because we need that support on the driver side (ex: hash-and-sign
+ # algorithms), but we do not want to accelerate other hash only tests.
+ # Indeed the same "loc_accel_list" variable is also used later when
+ # building the library.
+ loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1"
+ loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
+ loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
+ loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
+ loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
+ make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
+
+ # Configure and build the main libraries with drivers enabled
+ # -----------------------------------------------------------
+
+ # Use the same config as reference, only without built-in EC algs
+ config_psa_crypto_config_all_ec_algs_use_psa 1
+
+ # Build the library
+ loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
+ make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
+
+ # Make sure any built-in EC alg was not re-enabled by accident (additive config)
+ not grep mbedtls_ecdsa_ library/ecdsa.o
+ not grep mbedtls_ecdh_ library/ecdh.o
+ not grep mbedtls_ecjpake_ library/ecjpake.o
+
+ # Run the tests
+ # -------------
+
+ msg "test suites: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA"
+ make test
+
+ msg "ssl-opt: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA"
+ tests/ssl-opt.sh
+}
+
+# Keep in sync with component_test_psa_crypto_config_accel_all_ec_algs_use_psa
+component_test_psa_crypto_config_reference_all_ec_algs_use_psa () {
+ msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA"
+
+ # To be aligned with the accel component that needs this
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
config_psa_crypto_config_all_ec_algs_use_psa 0 + + make + + msg "test suites: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA" + make test + + msg "ssl-opt: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA" + tests/ssl-opt.sh +} + component_test_psa_crypto_config_accel_ecc () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC" diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 800b744ca..0b8e7a30c 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -207,6 +207,24 @@ TASKS = { } } }, + 'analyze_driver_vs_reference_all_ec_algs': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_config_reference_all_ec_algs_use_psa', + 'component_driver': 'test_psa_crypto_config_accel_all_ec_algs_use_psa', + # ignore the suites of the accelerated components + 'ignored_suites': [ + 'ecdsa', + 'ecdh', + 'ecjpake', + ], + 'ignored_tests': { + 'test_suite_random': [ + 'PSA classic wrapper: ECDSA signature (SECP256R1)', + ], + } + } + }, } def main(): From 1fa5c5686378b4afa37fbcf319a03f37ef4d6496 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 20 Mar 2023 13:56:38 +0100 Subject: [PATCH 02/14] ssl_tls: fix guard symbols for EC accelerated tests Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 5 +++++ library/ssl_misc.h | 4 ++-- library/ssl_tls12_server.c | 18 +++++++++--------- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 3de7a8fa0..5d2cf3438 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -197,6 +197,11 @@ typedef struct mbedtls_pk_rsassa_pss_options { #define MBEDTLS_PK_CAN_ECDSA_SOME #endif +#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \ + (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)) +#define MBEDTLS_PK_CAN_ECDH +#endif + /** * \brief Types for interfacing with the debug module */ 
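Review bot: The main-library build in `component_test_psa_crypto_config_accel_all_ec_algs_use_psa` uses `make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include ..."` without the `-O` that the other accelerated components in this file pass (`$ASAN_CFLAGS -O -Werror`), so warnings that only appear with optimisation enabled would likely not fail the driver-only build. If the omission is not deliberate, restore it as `make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include ..."`. Separately, the three `not grep mbedtls_..._ library/....o` checks presumably also succeed when the object file is missing, so a preceding existence test such as `[ -f library/ecdsa.o ]` would keep the "built-in not re-enabled" guarantee from passing vacuously. `DRIVER_ONLY` in the helper is also assigned without `local`, so it leaks into the caller's scope.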
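Review bot: The `ignored_tests` entry under `test_suite_random` in the new `analyze_driver_vs_reference_all_ec_algs` task has no stated reason, so a reader cannot tell whether 'PSA classic wrapper: ECDSA signature (SECP256R1)' is excluded because of a known driver-only gap or was simply carried over from the per-algorithm task. Add a comment above it, for example `# TODO: state why this test cannot run in the driver-only build`, filled in with the actual reason. The whole-suite exclusions of `ecdsa`, `ecdh` and `ecjpake` also hide any future test in those suites that ought to run with the driver, so a short note per suite would keep the coverage comparison honest. The `TASKS` dict starts outside this hunk.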
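Review bot: `MBEDTLS_PK_CAN_ECDH` is added to the public header `include/mbedtls/pk.h` without any comment, so users of the header cannot tell what it promises or whether applications may depend on it. I would add a short block comment above the `#if` saying that the macro is defined when ECDH is available to the PK/TLS layers, through PSA (`PSA_WANT_ALG_ECDH`) when `MBEDTLS_USE_PSA_CRYPTO` is set and through `MBEDTLS_ECDH_C` otherwise, and that it is an internal capability flag if that is the intent. The first branch also relies on `PSA_WANT_ALG_ECDH` being visible at this point of the header, which cannot be confirmed from the hunk.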
diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9dc402130..0e3d3af32 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -756,7 +756,7 @@ struct mbedtls_ssl_handshake_params { * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not * seem correct. */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) #if !defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #endif /* !MBEDTLS_USE_PSA_CRYPTO */ @@ -787,7 +787,7 @@ struct mbedtls_ssl_handshake_params { #endif #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ #endif diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 631331d82..0fc4a5c6f 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -140,7 +140,7 @@ static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, return 0; } -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * Function for parsing a supported groups (TLS 1.3) or supported elliptic @@ -286,7 +286,7 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, return 0; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || +#endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 
@@ -662,7 +662,7 @@ static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, /* * Return 0 if the given key uses one of the acceptable curves, -1 otherwise */ -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_check_key_curve(mbedtls_pk_context *pk, uint16_t *curves_tls_id) @@ -681,7 +681,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk, return -1; } -#endif /* MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ /* * Try picking a certificate for this ciphersuite, @@ -766,7 +766,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl, continue; } -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) if (pk_alg == MBEDTLS_PK_ECDSA && ssl_check_key_curve(&cur->cert->pk, ssl->handshake->curves_tls_id) != 0) { @@ -830,7 +830,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, #endif -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && (ssl->handshake->curves_tls_id == NULL || ssl->handshake->curves_tls_id[0] == 0)) { @@ -1369,7 +1369,7 @@ read_record_header: break; #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); @@ -1389,7 +1389,7 @@ read_record_header: return ret; } break; -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || +#endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 
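Review bot: The guard at `@@ -830` in `ssl_ciphersuite_match` is only `MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME`, whereas the other `curves_tls_id` sites changed in this commit (the supported-groups parser, the extension dispatch, and the field declaration in `ssl_misc.h`) also include `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`. In a build where EC J-PAKE is the only EC mechanism, the "client offered no usable curve" rejection would be compiled out; if `mbedtls_ssl_ciphersuite_uses_ec()` covers EC J-PAKE suites (not visible here), extend the condition with `|| defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)`. The asymmetry was already present with the old symbols, so this is a follow-up rather than a regression. The function body extends beyond the hunk.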
@@ -1499,7 +1499,7 @@ read_record_header: if (!sig_hash_alg_ext_present) { uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; const uint16_t default_sig_algs[] = { -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA1), #endif From 1c3de61ba8c70a27aa34bccac5c59f63230163d1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 20 Mar 2023 16:59:15 +0100 Subject: [PATCH 03/14] test: remove previous tests for accelerated ECDSA/ECDH/ECJPAKE coverage analysis All these EC based algs are now tested all at once in test_psa_crypto_config_[accel/reference]_all_ec_algs_use_psa() functions. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 239 ------------------------------------------- 1 file changed, 239 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d24da47de..4f0360fea 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2171,245 +2171,6 @@ component_test_psa_crypto_config_accel_ecdsa_use_psa () { tests/ssl-opt.sh } -# Keep in sync with component_test_psa_crypto_config_accel_ecdsa_use_psa. -# Used by tests/scripts/analyze_outcomes.py for comparison purposes. -component_test_psa_crypto_config_reference_ecdsa_use_psa () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" - - # To be aligned with the accel component that needs this - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - - config_psa_crypto_config_ecdsa_use_psa 0 - - make - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" - make test - - msg "test: ssl-opt.sh" - tests/ssl-opt.sh -} - -component_test_psa_crypto_config_accel_ecdh () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" - - # Configure and build the test driver library - # ------------------------------------------- - - # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having - # partial support for cipher operations in the driver test library. 
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
-
- loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
- make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
-
- # Configure and build the main libraries
- # --------------------------------------
-
- # Start from default config (no USE_PSA or TLS 1.3) + driver support
- scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
-
- # Disable the module that's accelerated
- scripts/config.py unset MBEDTLS_ECDH_C
-
- # Disable things that depend on it
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-
- # Build the main library
- loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
- make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
-
- # Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ecdh_ library/ecdh.o
-
- # Run the tests
- # -------------
-
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
- make test
-}
-
-# Auxiliary function to build config for ECDH with and without drivers.
-#
-# This is used by the two following components to ensure they always use the
-# same config, except for the use of driver or built-in ECDH:
-# - component_test_psa_crypto_config_accel_ecdh_use_psa;
-# - component_test_psa_crypto_config_reference_ecdh_use_psa.
-# This support comparing their test coverage with analyze_outcomes.py.
-config_psa_crypto_config_ecdh_use_psa () {
- DRIVER_ONLY="$1"
- # start with config full for maximum coverage (also enables USE_PSA)
- scripts/config.py full
- # enable support for drivers and configuring PSA-only algorithms
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
- scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
- if [ "$DRIVER_ONLY" -eq 1 ]; then
- # Disable the module that's accelerated
- scripts/config.py unset MBEDTLS_ECDH_C
- fi
-
- # Restartable feature is not yet supported by PSA. Once it will in
- # the future, the following line could be removed (see issues
- # 6061, 6332 and following ones)
- scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
-}
-
-# Keep in sync with component_test_psa_crypto_config_reference_ecdh_use_psa
-component_test_psa_crypto_config_accel_ecdh_use_psa () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
-
- # Algorithms and key types to accelerate
- loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
-
- # Configure and build the test driver library
- # -------------------------------------------
-
- # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
- # partial support for cipher operations in the driver test library.
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
-
- loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
- make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
-
- # Configure and build the main libraries
- # --------------------------------------
-
- # Use the same config as reference, only without built-in ECDH
- config_psa_crypto_config_ecdh_use_psa 1
-
- # Build the main library
- loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
- make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
-
- # Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ecdh_ library/ecdh.o
-
- # Run the tests
- # -------------
-
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
- make test
-
- msg "test: ssl-opt.sh"
- tests/ssl-opt.sh
-}
-
-# Keep in sync with component_test_psa_crypto_config_accel_ecdh_use_psa.
-# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
-component_test_psa_crypto_config_reference_ecdh_use_psa () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
-
- # To be aligned with the accel component that needs this
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
-
- config_psa_crypto_config_ecdh_use_psa 0
-
- make
-
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
- make test
-
- msg "test: ssl-opt.sh"
- tests/ssl-opt.sh
-}
-
-# Auxiliary function to build config for EC JPAKE with and without drivers.
-#
-# This is used by the two following components to ensure they always use the
-# same config, except for the use of driver or built-in ECJPAKE:
-# - component_test_psa_crypto_config_accel_ecjpake_use_psa;
-# - component_test_psa_crypto_config_reference_ecjpake_use_psa.
-# This support comparing their test coverage with analyze_outcomes.py.
-config_psa_crypto_config_ecjpake_use_psa () {
- DRIVER_ONLY="$1"
- # start with config full for maximum coverage (also enables USE_PSA)
- scripts/config.py full
- # enable support for drivers and configuring PSA-only algorithms
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
- scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
- if [ "$DRIVER_ONLY" -eq 1 ]; then
- # Disable the module that's accelerated
- scripts/config.py unset MBEDTLS_ECJPAKE_C
- fi
-
- # Dynamic secure element support is a deprecated feature and needs to be disabled here.
- # This is done to have the same form of psa_key_attributes_s for libdriver and library.
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
-}
-
-# Keep in sync with component_test_psa_crypto_config_reference_ecjpake_use_psa
-component_test_psa_crypto_config_accel_ecjpake_use_psa () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECJPAKE + USE_PSA"
-
- # Algorithms and key types to accelerate
- loc_accel_list="ALG_JPAKE KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
-
- # Configure and build the test driver library
- # -------------------------------------------
-
- # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
- # partial support for cipher operations in the driver test library.
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
-
- loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
- make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
-
- # Configure and build the main libraries
- # --------------------------------------
-
- # Use the same config as reference, only without built-in JPAKE
- config_psa_crypto_config_ecjpake_use_psa 1
-
- # Build the main library
- loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
- make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
-
- # Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ecjpake_ library/ecjpake.o
-
- # Run the tests
- # -------------
-
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated JPAKE + USE_PSA"
- make test
-
- msg "test: ssl-opt.sh"
- tests/ssl-opt.sh
-}
-
-# Keep in sync with component_test_psa_crypto_config_accel_ecjpake_use_psa.
-# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
-component_test_psa_crypto_config_reference_ecjpake_use_psa () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECJPAKE + USE_PSA" - - # To be aligned with the accel component that needs this - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - - config_psa_crypto_config_ecjpake_use_psa 0 - - make - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECJPAKE + USE_PSA" - make test - - msg "test: ssl-opt.sh" - tests/ssl-opt.sh -} - # Auxiliary function to build config for all EC based algorithms (EC-JPAKE, # ECDH, ECDSA) with and without drivers. # From 6f820cccb8a74f60a9cc664bd60daa59f2609690 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 20 Mar 2023 17:07:28 +0100 Subject: [PATCH 04/14] test: fix comments in test_psa_crypto_config_accel_ecc() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 4f0360fea..2ba898e15 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2303,7 +2303,7 @@ component_test_psa_crypto_config_accel_ecc () { # Configure and build the main libraries # --------------------------------------- - # start with default + driver support + # start with default (no TLS 1.3 or USE_PSA) + driver support scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG @@ -2313,7 +2313,6 @@ component_test_psa_crypto_config_accel_ecc () { scripts/config.py unset MBEDTLS_ECJPAKE_C # dependencies - #scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # not in default anyway scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED From 9affb73e4447ddc222d9f11d098d6c651a171a30 Mon Sep 17 00:00:00 2001 
From: Valerio Setti Date: Mon, 20 Mar 2023 17:07:57 +0100 Subject: [PATCH 05/14] psa_crypto: fix guard for mbedtls_ecc_group_of_psa() Signed-off-by: Valerio Setti --- library/psa_crypto.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bc19ed07c..1609c74df 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -377,11 +377,7 @@ static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t stat /* Key management */ /****************************************************************/ -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_ECP_C) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve, size_t bits, int bits_is_sloppy) @@ -473,11 +469,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve, (void) bits_is_sloppy; return MBEDTLS_ECP_DP_NONE; } -#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || - defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ +#endif /* defined(MBEDTLS_ECP_C) */ psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type, size_t bits) From 44b178ca60aaec9a821e3dfacef6a43245df3715 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 22 Mar 2023 14:02:57 +0100 Subject: [PATCH 06/14] test: fix erroneous changes in all.sh Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 68 ++++++++++++++++---------------------------- 1 file changed, 24 insertions(+), 44 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2ba898e15..341cabba5 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
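Review bot: Guarding `mbedtls_ecc_group_of_psa()` with `MBEDTLS_ECP_C` alone removes the definition in any configuration that wants ECC key types through PSA (`PSA_WANT_KEY_TYPE_ECC_KEY_PAIR` / `PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY`) while `MBEDTLS_ECP_C` is disabled, so a caller still guarded by the old symbols would fail at link time instead of being rejected by a configuration check. Neither the declaration nor the call sites are visible in this patch, so it is worth confirming they carry the same `MBEDTLS_ECP_C` guard. A one-line comment above the `#if`, such as `/* Needs mbedtls_ecp_group_id from ecp.h, hence MBEDTLS_ECP_C. */`, would record why the narrower guard is the right one. The same applies to the matching `#endif` in the second hunk; the function body lies between the two hunks.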
@@ -2103,33 +2103,11 @@ component_test_psa_crypto_config_accel_ecdsa () { make test } -# Auxiliary function to build config for ECDSA with and without drivers -config_psa_crypto_config_ecdsa_use_psa () { - DRIVER_ONLY="$1" - # start with config full for maximum coverage (also enables USE_PSA) - scripts/config.py full - # enable support for drivers and configuring PSA-only algorithms - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - if [ "$DRIVER_ONLY" -eq 1 ]; then - # Disable the module that's accelerated - scripts/config.py unset MBEDTLS_ECDSA_C - fi - # Restartable feature is not yet supported by PSA. Once it will in - # the future, the following line could be removed (see issues - # 6061, 6332 and following ones) - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE - # Dynamic secure element support is a deprecated feature and needs to be disabled here. - # This is done to have the same form of psa_key_attributes_s for libdriver and library. - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C -} - -# Keep in sync with component_test_psa_crypto_config_reference_ecdsa_use_psa -component_test_psa_crypto_config_accel_ecdsa_use_psa () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" +component_test_psa_crypto_config_accel_ecdh () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" # Configure and build the test driver library # ------------------------------------------- 
@@ -2140,35 +2118,37 @@ component_test_psa_crypto_config_accel_ecdsa_use_psa () { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - # SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512" - make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - # Configure and build the main libraries with drivers enabled - # ----------------------------------------------------------- + # Configure and build the main libraries + # -------------------------------------- - # Use the same config as reference, only without built-in ECDSA - config_psa_crypto_config_ecdsa_use_psa 1 + # Start from default config (no USE_PSA or TLS 1.3) + driver support + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # Build the library + # Disable the module that's accelerated + scripts/config.py unset MBEDTLS_ECDH_C + + # Disable things that depend on it + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + + # Build the main library loc_accel_flags="$loc_accel_flags $( echo 
"$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - # Make sure ECDSA was not re-enabled by accident (additive config) - not grep mbedtls_ecdsa_ library/ecdsa.o + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_ecdh_ library/ecdh.o # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" make test - - msg "test: ssl-opt.sh" - tests/ssl-opt.sh } # Auxiliary function to build config for all EC based algorithms (EC-JPAKE, @@ -2178,7 +2158,7 @@ component_test_psa_crypto_config_accel_ecdsa_use_psa () { # same config, except for the use of driver or built-in EC algorithms: # - component_test_psa_crypto_config_accel_all_ec_algs_use_psa; # - component_test_psa_crypto_config_reference_all_ec_algs_use_psa. -# This support comparing their test coverage with analyze_outcomes.py. +# This supports comparing their test coverage with analyze_outcomes.py. config_psa_crypto_config_all_ec_algs_use_psa () { DRIVER_ONLY="$1" # start with config full for maximum coverage (also enables USE_PSA) From 2495cdbcc25a9bda1883c791e47c52bb5092c5eb Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 24 Mar 2023 06:25:59 +0100 Subject: [PATCH 07/14] test: remove unused tasks in analyze_outcomes.py Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 39 ------------------------------- 1 file changed, 39 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 0b8e7a30c..80b3d54f9 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
@@ -168,45 +168,6 @@ TASKS = { } } }, - 'analyze_driver_vs_reference_ecdsa': { - 'test_function': do_analyze_driver_vs_reference, - 'args': { - 'component_ref': 'test_psa_crypto_config_reference_ecdsa_use_psa', - 'component_driver': 'test_psa_crypto_config_accel_ecdsa_use_psa', - 'ignored_suites': [ - 'ecdsa', # the software implementation that's excluded - ], - 'ignored_tests': { - 'test_suite_random': [ - 'PSA classic wrapper: ECDSA signature (SECP256R1)', - ], - } - } - }, - 'analyze_driver_vs_reference_ecdh': { - 'test_function': do_analyze_driver_vs_reference, - 'args': { - 'component_ref': 'test_psa_crypto_config_reference_ecdh_use_psa', - 'component_driver': 'test_psa_crypto_config_accel_ecdh_use_psa', - 'ignored_suites': [ - 'ecdh', # the software implementation that's excluded - ], - 'ignored_tests': { - } - } - }, - 'analyze_driver_vs_reference_ecjpake': { - 'test_function': do_analyze_driver_vs_reference, - 'args': { - 'component_ref': 'test_psa_crypto_config_reference_ecjpake_use_psa', - 'component_driver': 'test_psa_crypto_config_accel_ecjpake_use_psa', - 'ignored_suites': [ - 'ecjpake', # the software implementation that's excluded - ], - 'ignored_tests': { - } - } - }, 'analyze_driver_vs_reference_all_ec_algs': { 'test_function': do_analyze_driver_vs_reference, 'args': { From 77bdff196382ca3d85b08f23f76f89756e513945 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 24 Mar 2023 06:42:45 +0100 Subject: [PATCH 08/14] test: improve comment in the added test Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 341cabba5..5ac25b5a2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2203,10 +2203,10 @@ component_test_psa_crypto_config_accel_all_ec_algs_use_psa () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) # SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests. # Note = we are NOT adding these ALG_SHA_xxx to the "loc_accel_flags" list - # because we need that support on the driver side (ex: hash-and-sign - # algorithms), but we do not want to accelerate other hash only tests. - # Indeed the same "loc_accel_list" variable is also used later when - # building the library. + # because that list is used to define accelerated components both on + # the driver and main library sides. Now, albeit we need SHA_xxx to be + # available on the driver side (ex: hash-and-sign algorithms), we do + # not want the main library to use such accelerators. loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1" loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224" loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256" @@ -2243,7 +2243,7 @@ component_test_psa_crypto_config_accel_all_ec_algs_use_psa () { component_test_psa_crypto_config_reference_all_ec_algs_use_psa () { msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA" - # To be aligned with the accel component that needs this + # To be aligned with component_test_psa_crypto_config_accel_all_ec_algs_use_psa() scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING From 77a904c761b05cfd0104dcd8c136548db1cd393d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 24 Mar 2023 07:28:49 +0100 Subject: [PATCH 09/14] ssl: remove useless guard 
Signed-off-by: Valerio Setti --- include/mbedtls/ssl.h | 6 +----- library/ssl_misc.h | 11 ++--------- library/ssl_tls12_client.c | 6 ++---- library/ssl_tls12_server.c | 6 ++---- 4 files changed, 7 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e011b1ae3..7d526a7ab 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -40,11 +40,7 @@ #include "mbedtls/dhm.h" #endif -/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due - * to guards in TLS code. There is a gap in functionality that access to - * ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not seem correct. - */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) #include "mbedtls/ecdh.h" #endif diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 0e3d3af32..14a3c7ef0 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -751,16 +751,9 @@ struct mbedtls_ssl_handshake_params { mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ #endif -/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due - * to guards in client and server code. There is a gap in functionality that - * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not - * seem correct. - */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) -#if !defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C && !MBEDTLS_USE_PSA_CRYPTO */ #if defined(PSA_WANT_ALG_ECDH) && \ (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 890e9a906..a6551c6e2 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
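Review bot: In the library/ssl_misc.h hunk the `ecdh_ctx` member of `struct mbedtls_ssl_handshake_params` is now declared only under `MBEDTLS_ECDH_C && !MBEDTLS_USE_PSA_CRYPTO`, and the comment that explained why `MBEDTLS_ECDSA_C` was part of the guard is dropped without a replacement rationale. Every remaining access to `handshake->ecdh_ctx` must sit under exactly this condition. The series updates the two point-format parsers in ssl_tls12_client.c and ssl_tls12_server.c, but other users are not visible here, so a build with ECDSA enabled, ECDH disabled and USE_PSA off is presumably what would show the old guard was redundant. I would keep a one-line comment above the member, e.g. `/* Legacy ECDH context: only present when ECDH is built in and TLS does not go through PSA. */`, and name the configuration that was built in the commit message. The struct starts and ends outside the hunk.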
@@ -831,11 +831,9 @@ static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl, while (list_size > 0) { if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ - (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && (defined(MBEDTLS_ECDH_C)) ssl->handshake->ecdh_ctx.point_format = p[0]; -#endif /* !MBEDTLS_USE_PSA_CRYPTO && - ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 0fc4a5c6f..656c40d5b 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -266,11 +266,9 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, while (list_size > 0) { if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ - (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) ssl->handshake->ecdh_ctx.point_format = p[0]; -#endif /* !MBEDTLS_USE_PSA_CRYPTO && - ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, From 4fa6d0bb883dd54cc44f3a5c818afd245953d348 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 27 Mar 2023 09:38:51 +0200 Subject: [PATCH 10/14] test: moving accel ECJPAKE test close to accel ECDH and ECDSA ones Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 70 ++++++++++++++++++++++---------------------- 1 file changed, 35 insertions(+), 35 deletions(-) 
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5ac25b5a2..fae149517 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2151,6 +2151,41 @@ component_test_psa_crypto_config_accel_ecdh () { make test } +component_test_psa_crypto_config_accel_pake() { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + + # Start with full + scripts/config.py full + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_list="ALG_JPAKE" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + + # Make build-in fallback not available + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + not grep mbedtls_ecjpake_init library/ecjpake.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + make test +} + # Auxiliary function to build config for all EC based algorithms (EC-JPAKE, # ECDH, ECDSA) with and without drivers. # 
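Review bot: The check `not grep mbedtls_ecjpake_init library/ecjpake.o` in `component_test_psa_crypto_config_accel_pake` proves that only one symbol is absent and says nothing about the other `mbedtls_ecjpake_*` symbols, whereas the sibling components on this page match the whole prefix (`not grep mbedtls_ecdh_ library/ecdh.o`). Since the block is being moved anyway, I would widen it to `not grep mbedtls_ecjpake_ library/ecjpake.o`, so the driver-only claim of this component rests on the same evidence as the ECDH and ECDSA ones. In the same block the first `msg` is labelled "test:" although it introduces the configure-and-build step (other components use "build:" there), and the comment "Make build-in fallback not available" should read "built-in".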
@@ -2613,41 +2648,6 @@ component_test_psa_crypto_config_accel_aead () { make test } -component_test_psa_crypto_config_accel_pake() { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" - - # Start with full - scripts/config.py full - - # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having - # partial support for cipher operations in the driver test library. - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - - loc_accel_list="ALG_JPAKE" - loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - - # Make build-in fallback not available - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - - # Dynamic secure element support is a deprecated feature and needs to be disabled here. - # This is done to have the same form of psa_key_attributes_s for libdriver and library. - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - - loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" - make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - - not grep mbedtls_ecjpake_init library/ecjpake.o - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" - make test -} - component_test_psa_crypto_config_no_driver() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" From c76279785673c5a368e5b268e389d4eb863c724b Mon Sep 17 00:00:00 2001 
From: Valerio Setti Date: Mon, 27 Mar 2023 09:40:36 +0200 Subject: [PATCH 11/14] test: removing test with all accel EC algs without USE_PSA We keep tests without USE_PSA for single accel components (i.e. ECDH, ECDSA, ECJPAKE), but when testing for all 3 accelerated at the same time we use USE_PSA for better test coverage. However for this purpose there is already the: component_test_psa_crypto_config_[reference/accel]_all_ec_algs_use_psa() so we can delete this extra component. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 57 -------------------------------------------- 1 file changed, 57 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index fae149517..717b880c0 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2293,63 +2293,6 @@ component_test_psa_crypto_config_reference_all_ec_algs_use_psa () { tests/ssl-opt.sh } -component_test_psa_crypto_config_accel_ecc () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDH ALG_ECDSA ALG_DETERMINISTIC_ECDSA ALG_JPAKE KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" - - # Configure and build the test driver library - # -------------------------------------------- - - # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having - # partial support for cipher operations in the driver test library. - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - - loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - # These hashes are needed for some ECDSA signature tests. - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512" - make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - - # Configure and build the main libraries - # --------------------------------------- - - # start with default (no TLS 1.3 or USE_PSA) + driver support - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - - # disable modules for which we have drivers - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - - # dependencies - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset 
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - - # build and link with test drivers - loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" - make CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - - # make sure these were not auto-re-enabled by accident - not grep mbedtls_ecdh_ library/ecdh.o - not grep mbedtls_ecdsa_ library/ecdsa.o - not grep mbedtls_ecjpake_ library/ecjpake.o - - # Run the tests - # ------------- - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC" - make test -} - component_test_psa_crypto_config_accel_rsa_signature () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" From 6d687b98cf5a4799b55ef4ba85e030ab11744388 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 27 Mar 2023 10:01:14 +0200 Subject: [PATCH 12/14] test: simplify comment in test_psa_crypto_config_accel_all_ec_algs_use_psa() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 717b880c0..1af03ad59 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2235,18 +2235,10 @@ component_test_psa_crypto_config_accel_all_ec_algs_use_psa () { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - # SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests. - # Note = we are NOT adding these ALG_SHA_xxx to the "loc_accel_flags" list - # because that list is used to define accelerated components both on - # the driver and main library sides. Now, albeit we need SHA_xxx to be - # available on the driver side (ex: hash-and-sign algorithms), we do - # not want the main library to use such accelerators. - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384" - loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512" + # Things we wanted supported in libtestdriver1, but not accelerated in the main library: + # SHA-1 and all SHA-2 variants, as they are used by ECDSA deterministic. + loc_extra_list="ALG_SHA1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" + loc_accel_flags=$( echo "$loc_accel_list $loc_extra_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" # Configure and build the main libraries with drivers enabled From b76672dd527c43485ab4c7a2157bf9ac79c665a8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 27 Mar 2023 14:28:01 +0200 Subject: [PATCH 13/14] test: fix wrong accelerated SHA1 symbol 
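Review bot: `loc_extra_list` spells the SHA-1 entry `ALG_SHA1`, while the removed line defined `-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1`. Each name is only pasted into a `-D` flag by `sed`, so the misspelling builds cleanly and would presumably leave libtestdriver1 without the intended SHA-1 support (PATCH 13/14 further down this page corrects the symbol). Nothing in the component fails when a list entry matches no real macro, so I would at least document the constraint next to the list: `# Entries must match the MBEDTLS_PSA_ACCEL_xxx suffixes exactly; a misspelt name is silently ignored.` The new comment also reads better as "Things we want supported in libtestdriver1, but not accelerated in the main library". The function body starts and ends outside the hunk.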
Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1af03ad59..23ad16e12 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2237,7 +2237,7 @@ component_test_psa_crypto_config_accel_all_ec_algs_use_psa () { # Things we wanted supported in libtestdriver1, but not accelerated in the main library: # SHA-1 and all SHA-2 variants, as they are used by ECDSA deterministic. - loc_extra_list="ALG_SHA1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" loc_accel_flags=$( echo "$loc_accel_list $loc_extra_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" From 46423164c16d7cf62b13be9936a3058af34f1a85 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 27 Mar 2023 14:33:27 +0200 Subject: [PATCH 14/14] tls12_client: remove unnecessary parentheses Signed-off-by: Valerio Setti --- library/ssl_tls12_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index a6551c6e2..d94d8295c 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -831,7 +831,7 @@ static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl, while (list_size > 0) { if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) && (defined(MBEDTLS_ECDH_C)) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \