Commit graph

1303 commits

Author SHA1 Message Date
Gilles Peskine
45f2a40fa4 Speed up the generation of storage format test cases
Restore the optimization done in
 HEAD^{/Speed up the generation of storage format test cases}
which was lost during refactoring made when adding support for
implicit usage flags.

There are still more than one call to the C compiler, but the extra
calls are only for some key usage test cases.

This is an internal refactoring. This commit does not change the
output of generate_psa_tests.py

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-07 12:47:47 +02:00
Gilles Peskine
1fe01acfc3 Add option to list the generated files and exit
This is useful during the release process, when we want to commit the
generated files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-01 11:13:29 +02:00
gabor-mezei-arm
2c9e54a063
Fix pylint issue
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 20:40:31 +02:00
gabor-mezei-arm
0c24edd56a
Return iterator instead of list
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:07:01 +02:00
gabor-mezei-arm
6385780f54
Rename function
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:07:00 +02:00
gabor-mezei-arm
2a499c0cc5
Refactor handlibg of the key usage flags
Move implicit usage flags handling to the StorageKey class.
Create a subclass for test case data.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:07:00 +02:00
gabor-mezei-arm
2784bfe226
Move key type validation to crypto_knowledge
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:59 +02:00
gabor-mezei-arm
340fbf3735 Refactor key generation
Remove the key builder and use iterator instead of lists.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:56 +02:00
gabor-mezei-arm
5df1dee0c6
Rename variables and funcions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:47 +02:00
gabor-mezei-arm
2710bb1d82
Use string in dict instead of Expr object
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:47 +02:00
gabor-mezei-arm
d9050a53ac Remove unnecessary test cases
It is enough only one test case for a key type, algorithm pair when
testing the implicit usage flags.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:43 +02:00
gabor-mezei-arm
8f40510a92
Add better name for variables
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:34 +02:00
gabor-mezei-arm
35929ebb72
Simplify code
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:33 +02:00
gabor-mezei-arm
11e4838ef3
Fix generated file modification
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:32 +02:00
gabor-mezei-arm
49d6ea9c9a Fix test case duplication
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:30 +02:00
gabor-mezei-arm
0f8136af79
Fix pylint issues
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:22 +02:00
gabor-mezei-arm
672e376ba5 Add test case generation for usage extensions when loading keys
Add test cases validating that if a stored key only had the hash policy,
then after loading it psa_get_key_attributes reports that it also has the
message policy, and the key can be used with message functions.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:20 +02:00
gabor-mezei-arm
7748b6f24b Add key usage policy extension support for key generation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:08 +02:00
gabor-mezei-arm
a4102cb57d
Use different subslasses for the test data files
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:53 +02:00
gabor-mezei-arm
780cf9da72
Create a function for gather all the keys.
Prepare for using subclasses.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:53 +02:00
gabor-mezei-arm
6ee7253df2
Extend description generation
Add an extra optional parameter to generate a more detailed description
for test cases.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:53 +02:00
gabor-mezei-arm
68c030a76c
Use builder method pattern to generate a key
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:53 +02:00
gabor-mezei-arm
b5db2c480f
Convert iterators to lists to remove late binding
Remove late binding of iterators to enable the creation of an object
with an actual state of a variable.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:52 +02:00
gabor-mezei-arm
7b5c4e2db3
Add type annotations
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:52 +02:00
Bence Szépkúti
414d6bd424 Fix pre-existing typo in comment
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 14:11:11 +01:00
Bence Szépkúti
fc04aa2be5 Remove MBEDTLS_USER_CONFIG_VERSION handling
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:48 +01:00
Bence Szépkúti
ba7248abc4 Introduce versioning in the config files
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:47 +01:00
Bence Szépkúti
bb0cfeb2d4 Rename config.h to mbedtls_config.h
This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^ChangeLog' | xargs sed -b -E -i '
s/((check|crypto|full|mbedtls|query)_config)\.h/\1\nh/g
s/config\.h/mbedtls_config.h/g
y/\n/./
'
mv include/mbedtls/config.h include/mbedtls/mbedtls_config.h
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:33 +01:00
Dave Rodgman
10bda58b49
Merge pull request #4259 from CJKay/cmake-config
Add CMake package config file
2021-06-25 20:32:13 +01:00
Ronald Cron
3698fa1043
Merge pull request #4673 from gilles-peskine-arm/psa_crypto_spm-from_platform_h
Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
2021-06-25 09:01:08 +02:00
Gilles Peskine
eb7bdaa177 Add storage tests for lifetimes
Test keys with various persistence levels, enumerated from the
metadata tests.

For read-only keys, do not attempt to create or destroy the key
through the API, only to read a key that has been injected into
storage directly through filesystem access.

Do not test keys with a non-default location, since they require a
driver and we do not yet have a dependency mechanism to require the
presence of a driver for a specific location value.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:44:35 +02:00
Manuel Pégourié-Gonnard
32750ef5c2
Merge pull request #4685 from mpg/improve-all-sh-robustness
all.sh: Clean up old files before generating them
2021-06-22 11:14:49 +02:00
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
Manuel Pégourié-Gonnard
87db8a2676 Clean up old files before generating them
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:30:14 +02:00
Gilles Peskine
a354867399 In the SPM test build, fail if a symbol wasn't renamed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:40:51 +02:00
Gilles Peskine
d1dcfd53aa Do a test build with MBEDTLS_PSA_CRYPTO_SPM
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:40:51 +02:00
Manuel Pégourié-Gonnard
d51aaad4c9 Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
It was used to remove the code used when mbedtls_ecp_mul() received a
NULL RNG parameter. This code is no longer relevant (as the RNG may no
longer be NULL) and will be unconditionally removed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Gilles Peskine
17575dcb03
Merge pull request #4629 from TRodziewicz/rename_functions_whose_deprecated_variants_have_been_removd
Rename the _ret() functions
2021-06-15 20:32:07 +02:00
TRodziewicz
28a4a963fc Corrections to the docs wording and changes to aux scripts
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 00:18:32 +02:00
Gilles Peskine
1628a9c140 MBEDTLS_DEBUG_C is compatible with every whole-module ALT except DHM
It would be possible to make SSL debugging compatible with MBEDTLS_DHM_ALT,
but too much low-priority work right now, so don't require it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
5c3f18d37c MBEDTLS_PK_PARSE_EC_EXTENDED is incompatible with MBEDTLS_ECP_ALT
... unless the alt implementation defines a group structure that's mostly
compatible with the built-in one and supports partially filled group
structures in the same way.

It would be possible to rewrite the SpecifiedECDomain parsing code to avoid
requiring support for partially filled group structures, but that's too
complicated to do now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:13:02 +02:00
Gilles Peskine
cc73cc55e8 Test the build with whole-module alternative implementations
Use headers defining dummy context types.

The test does not pass yet. I plan to fix this in subsequent commits.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:18 +02:00
TRodziewicz
26371e4793 Rename the _ret() functions
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-08 16:45:41 +02:00
TRodziewicz
0730cd5d9e Merge branch 'development' into Remove__CHECK_PARAMS_option 2021-06-07 15:41:49 +02:00
Chris Kay
d259e347e6 Add CMake package config file
This change enables automatic detection and consumption of Mbed TLS
library targets from within other CMake projects. By generating an
`MbedTLSConfig.cmake` file, consuming projects receive a more complete
view of these targets, allowing them to be used as dependencies which
properly inherit the transitive dependencies of the libraries.

This is fairly fragile, as it seems Mbed TLS's libraries do not appear
to properly model their dependencies on other targets, including
third-party dependencies. It is, however, sufficient for building and
linking the compiled Mbed TLS libraries when there are no third-party
dependencies involved. Further work is needed for more complex
use-cases, but this will likely meet the needs of most projects.

Resolves #298. Probably useful for #2857.

Signed-off-by: Chris Kay <chris.kay@arm.com>
2021-06-04 16:02:48 +01:00
Manuel Pégourié-Gonnard
f9f9cc217c
Merge pull request #4579 from tom-daubney-arm/rm_ecdh_legacy_context_config_option
Remove `MBEDTLS_ECDH_LEGACY_CONTEXT` config option
2021-06-04 10:02:59 +02:00
Thomas Daubney
42aaf7a718 Removes component_test_new_ecdh_context in all.sh
Commit removes the
component_test_new_new_ecdh_context in all.sh.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 17:48:40 +01:00
Thomas Daubney
8f4eacaac6 Removes MBEDTLS_ECDH_LEGACY_CONTEXT from config.h
Commit removes the definition of
MBEDTLS_ECDH_LEGACY_CONTEXT from config.h.
Additionally removes the unset calls to
MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 15:28:26 +01:00
Ronald Cron
7146cb9488
Merge pull request #4559 from gilles-peskine-arm/psa-storage-format-test-algorithms-3.0
PSA storage format test: algorithms
2021-05-27 17:33:57 +02:00
Ronald Cron
875b5fb7fa Refactor optional parameter check tests
Remove tests related to NULL pointers,
keep tests related to invalid enum values.
Remove test code related to MBEDTLS_CHECK_PARAMS.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-27 17:27:14 +02:00
Ronald Cron
142c205ffc
Merge pull request #4513 from Patater/psa-without-genprime-fix
psa: Support RSA signature without MBEDTLS_GENPRIME
2021-05-27 14:19:24 +02:00
Gilles Peskine
45f1cd7834 key_storage_read: pass exercise as a flag rather than a boolean
This will allow adding other flags in the future.

No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 20:12:00 +02:00
Gilles Peskine
ae4c460df6 Do support multiple files generated from the same script
The call to `tests/scripts/generate_psa_tests.py` added by the commit
"generate_psa_tests.py: allow generating each file independently"
assumed that the `check` function supports multiple file names, but in
fact it does not do so. When `generate_psa_tests.py` started generating
more than one file, `check-generated-files.sh` did not detect changes to
files other than the first one listed by `generate_psa_tests.py --list`.

Fix this: change `check` to support either a single directory (with
detection of added/removed files) or a list of files (which is assumed
to be static).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 20:11:48 +02:00
Gilles Peskine
20f55f6726 Abbreviate algorithms in test descriptions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:40:35 +02:00
Gilles Peskine
c5d086f6ae Don't generate non-existent dependency symbols
Filter our algorithm constructors that don't have a dependency symbol
of their own.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:40:08 +02:00
Gilles Peskine
537d5fa48a Expand psa_generate_tests to support constructor arguments
In macro_collector.py, base InputsForTest on PSAMacroEnumerator rather
than PSAMacroCollector. It didn't make much sense to use
PSAMacroCollector anymore since InputsForTest didn't use anything
other than the constructor.

psa_generate_tests now generates arguments for more macros.
In particular, it now collects macro arguments from
test_suite_psa_crypto_metadata. Algorithms with parameters are now
supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:53 +02:00
Gilles Peskine
3c9d423fe7 Speed up the generation of storage format test cases
First build a list of all keys, then construct all the corresponding
test cases. This allows all required information to be obtained in
one go, which is a significant performance gain as the information
includes numerical values obtained by compiling a C program.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:02 +02:00
Gilles Peskine
3d404b8a10 Use InputsForTest in generate_psa_tests
In generate_psa_tests, use InputsForTest rather than PSAMacroCollector
to gather values. This way, the enumeration of values to test includes
values used in metadata tests in addition to constructors parsed from
header files. This allows greater coverage of values built from
constructors with arguments. This doesn't make a difference yet, but
it will once algorithm constructors with arguments are supported in
generate_psa_tests.

Make the injection of numerical values optional. They are useful for
test_psa_constant_names, so keep them there. Don't use them for
not-supported tests: they might make sense, but the current code
wouldn't work since it doesn't know how to make up fake key material
or what dependencies to generate. Don't use them for storage tests:
they only make sense for supported values.

Don't inject 'PSA_SUCCESS': that's superfluous.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:02 +02:00
Gilles Peskine
b4edff9cd8 Move InputsForTest to macro_collector.py
This is useful to generate PSA tests for more than constant names.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:02 +02:00
Gilles Peskine
95649ed779 Add type annotations
Prepare to move InputsForTest to macro_collector.py.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:02 +02:00
Gilles Peskine
c893a570a8 Fix copypasta in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:02 +02:00
TRodziewicz
28126050f2 Removal of constants and functions and a new ChangeLog file
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:48:12 +02:00
TRodziewicz
0f82ec6740 Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:45:20 +02:00
Jaeden Amero
424fa93efd psa: Support RSA signature without MBEDTLS_GENPRIME
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-20 17:08:59 +01:00
Mateusz Starzyk
17011a3185 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
	library/version_features.c
	programs/test/query_config.c

Files were removed in development branch and modified by current branch.
Conflicts fixes by removing them.
2021-05-20 14:18:12 +02:00
Gilles Peskine
eb30b0cc39 Merge remote-tracking branch 'upstream-public/development' into no-generated-files-3.0
Conflicts: generated files that are removed in this branch and have
changed in development. Resolved by keeping the files removed.
2021-05-20 10:40:48 +02:00
Gilles Peskine
67debb6161 Test check-generated-files.sh
Re-create a component check_generated_files. Unlike the old one, which checked
that the generated files were up-to-date, the job of the new one is to check
that tests/scripts/check-generated-files.sh works (at least to the extent of
not errorring out).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Gilles Peskine
94230eaf41 Fix make generated_files generating broken visualc files
Ensure that the .c files that generate_visualc_files.pl enumerates are present
before it runs. Otherwise, depending on the order in which make builds
targets, running `make generated_files` from a fresh checkout could end up
missing `library/error.c` and `library/version_features.c`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Gilles Peskine
e2f476e0fd Avoid creating visualc/VS2010/*.bak.bak files
This could happen if a previous run of check-generated-files failed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Gilles Peskine
b32966dd92 In update mode, create the files if they don't exist
`check-generated-files -u` aborted if one of the generated files
didn't exist. Now it treats a missing file as an out-of-date file.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Bence Szépkúti
9e84ec7711 Always use posix semantics when joining paths
The backslashes were causing issues with Makefile rules.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-05-20 10:37:22 +02:00
Gilles Peskine
1570b59bcc Generate source files before running any components
Now that generated source files are no longer checked in version
control, they must be generated before running any tests.

Do not check the generated files for freshness: it's no longer relevant.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Manuel Pégourié-Gonnard
729fa5be88
Merge pull request #4450 from mstarzyk-mobica/remove_null_entropy
Remove MBEDTLS_TEST_NULL_ENTROPY config option.
2021-05-20 09:19:55 +02:00
Mateusz Starzyk
4228f895c0 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
* configs/config-psa-crypto.h: modified here, removed in development
* tests/suites/test_suite_x509parse.data: all conflicts are in depends_on
  lines where development made a change unrelated to MBEDTLS_SHAxxx and our
  branch either changed `MBEDTLS_SHA256_C` to `MBEDTLS_SHA224_C` or
  `MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384` to ``MBEDTLS_SHA384_C`, with
  no change to what the test does. Pick the other branch's dependency
  changes then apply our SHA dpeendency change.
2021-05-19 11:37:49 +02:00
Gilles Peskine
c86f20af98 Allow running source file generators from a subdirectory
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-17 22:46:27 +02:00
Ronald Cron
eb3e463380
Merge pull request #4247 from stevew817/dispatch_mac_operations
Dispatch MAC operations through the driver interface
Only API-ABI checking job failing which is expected thus CI OK.
2021-05-11 17:56:50 +02:00
Mateusz Starzyk
72f60dfcc1 Remove MBEDTLS_TEST_NULL_ENTROPY config option.
Building the library without entropy sources negates any and all security
provided by the library.
This option was originally requested a relatively long time ago and it
does not provide any tangible benefit for users any more.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-11 13:15:19 +02:00
Gilles Peskine
31017d318f Remove config-psa-crypto.h
This configuration file was useful in the early days of PSA crypto
development. It stopped becoming relevant when MBEDTLS_PSA_CRYPTO_C entered
the default configuration. Remove it: better late than never.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-10 10:36:37 +02:00
Steven Cooreman
7515e7535d Add CMAC and HMAC driver testing to all.sh
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Manuel Pégourié-Gonnard
b548cda1cf
Merge pull request #4397 from TRodziewicz/change_config_h_defaults
Four config.h defaults have been changed.
2021-05-07 12:42:39 +02:00
Ronald Cron
7f13fa2454 tests: psa: Add mbedtls/MBEDTLS prefix to test driver symbols
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-01 18:33:26 +02:00
TRodziewicz
89f98c2556 Removal of wrongly placed unset
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-29 14:08:09 +02:00
TRodziewicz
2add5c13ea On second thought changing the way the test is run
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-28 16:50:20 +02:00
Tomasz Rodziewicz
e66f49c3ce
Merge branch 'development_3.0' into change_config_h_defaults 2021-04-28 16:37:27 +02:00
Mateusz Starzyk
e3c48b4a88 Separate SHA224 from SHA256 config options.
These options are still dependant on each other.
This is an intermediate step.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
Mateusz Starzyk
6fce30fc49 Update hashes dependencies testing script.
Since SHA384 depends on SHA512, depends-hashes script
should not generate configuration where SHA384 is defined
without SHA512.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
Mateusz Starzyk
3352a53475 Modify config option for SHA384.
Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.

check_config is the only module which enforces that SHA512 is
enabled together with SHA384.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
Chris Jones
856db5f722 Remove merge conflict marker
Remove a merge conflict marker that was missed in `all.sh` and was causing
building to fail.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:38:24 +01:00
Hanno Becker
c5722d1fb1 Add missing MBEDTLS_X509_REMOVE_INFO guards to ssl-opt.sh
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:20:56 +01:00
Dave Rodgman
12f93f4fc2
Merge pull request #4407 from ARMmbed/dev3_signoffs
Merge development_3.0 into development
2021-04-26 19:48:16 +01:00
TRodziewicz
1f98424508 Correction fixing the test_when_no_ciphersuites_have_mac falure
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-23 14:57:39 +02:00
TRodziewicz
7c1d41da52 Correction fixing the test_everest_curve25519_only falure
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-23 13:33:44 +02:00
TRodziewicz
85aff9f07a Correction fixing the test_depends_curves_psa falure
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-23 10:47:26 +02:00
Gilles Peskine
b683776181 Per-line opt-out of check-names typo check
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-21 18:45:08 +02:00
Mateusz Starzyk
a58625f90d Remove optional SHA-1 in the default TLS configuration.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-16 18:39:10 +02:00
Steven Cooreman
6801f08973 Implement support for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:04:26 +02:00
Mateusz Starzyk
c301bd56f0 Merge branch 'development_3.0' into drop_old_tls_options 2021-04-15 13:55:20 +02:00
Mateusz Starzyk
f5c535139d Remove remaining comments and strings refering to removed features.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-15 13:28:52 +02:00
Dave Rodgman
73e3e2cb1a Merge remote-tracking branch 'origin/development' into development_new
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

Conflicts:
        include/mbedtls/check_config.h: nearby edits
	library/entropy.c: nearby edits
	programs/random/gen_random_havege.c: modification vs. removal
	programs/ssl/ssl_test_lib.h: nearby edits
	programs/test/cpp_dummy_build.cpp: nearby edits
	visualc/VS2010/mbedTLS.vcxproj: automatically generated file,
            regenerated with scripts/generate_visualc_files.pl
2021-04-07 16:31:09 +01:00
Dave Rodgman
6741fc9148
Merge pull request #4306 from daverodgman/fix_mps_trace_macros
Capitalise MPS trace macros
2021-04-07 16:07:50 +01:00
Dave Rodgman
95caad3743 Make check-names.sh accept any grep
check-names.sh works fine with GNU and with modern FreeBSD grep
so remove the check for GNU grep.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-04-07 15:01:28 +01:00
Dave Rodgman
6341c068bc Make check-names.sh accept any grep
check-names.sh works fine with GNU and with modern FreeBSD grep
so remove the check for GNU grep.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-04-07 14:54:33 +01:00
Dave Rodgman
add60da95b Scan library for enums in list-enum-consts.sh
Add library/*.h to the list of files scanned for enums in
list-enum-consts.sh, consistent with the changes made to
list-macros.sh.

This is needed to ensure that check-names.sh passes for the MPS
trace enums.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-04-07 14:48:14 +01:00
Ronald Cron
e6f6301390 psa: Add cipher accelerator flags to test_psa_crypto_drivers
Add cipher accelerator compilation flags to
test_psa_crypto_drivers() all.sh component. The flags
are not necessary currently but may become.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-26 15:48:13 +01:00
Ronald Cron
067de3b5ea tests: psa: Test cipher operations by a transparent driver
Test cipher operations by a transparent driver in all.sh
test_psa_crypto_config_basic and
test_psa_crypto_drivers components.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-26 15:48:13 +01:00
Ronald Cron
9f97c6ecdf Update PSA crypto test dependencies
Given the PSA_WANT_* config options added lately,
update set_psa_test_dependencies.py and run it
on test_suite_psa_crypto*.data files but the SE
and generated ones.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 09:26:44 +01:00
Ronald Cron
9838dc2702 tests: Fine tune handling of policy negative tests
Fine tune handling of policy negative tests when
setting automatically PSA crypto unit tests
dependencies.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 09:18:23 +01:00
Ronald Cron
6ac020d797 tests: Treat PSA_WANT_ECC_* as manual dependencies
For the time being, it is not possible to determine
the size of ECC keys from the arguments of all test
cases thus treat them as dependencies that are not
systematic. Such dependencies are not generated nor
deleted by set_psa_test_dependencies.py.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 09:03:56 +01:00
Gilles Peskine
01196d0464
Merge pull request #4214 from gilles-peskine-arm/psa-storage-format-test-types
PSA storage format test case generator
2021-03-22 12:16:17 +01:00
Gilles Peskine
d86bc52d78 Cover encodings of algorithms without parameters
Generate test cases for all algorithms without parameters. Only the encoding
of the algorithm in the key metadata is covered: the test keys are not of a
type that permits the algorithm to be used in an operation.

This commit only covers algorithms without parameters. A subsequent commit
will generate algorithms with parameters.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-16 22:29:12 +01:00
Mateusz Starzyk
e204dbf272 Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
a3a9984a5d Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:51 +01:00
Mateusz Starzyk
06b07fb839 Drop support for SSLv3.
Remove options: MBEDTLS_SSL_MINOR_VERSION_0 and
MBEDTLS_SSL_PROTO_SSL3).

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:19:05 +01:00
Steven Cooreman
753f973f87 Use full config during driver testing
Due to the way the test drivers are setup, we require the full setup.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-15 12:14:40 +01:00
Gilles Peskine
f8223abb16 Cover all key types
Generate test cases for all key types. These test cases cover the key
representation (checked with export) and the encoding of the key type and
the bit-size.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
897dff9527 Code to generate storage format test cases
Start generating storage format test cases. This commit introduces two test
data files: test_suite_psa_crypto_storage_format.v0.data for reading keys in
storage format version 0 (the current version at this time), and
test_suite_psa_crypto_storage_format.current.data for saving keys in the
current format (version 0 at this time).

This commit kicks off the test case generation with test cases to exercise
the encoding of usage flags. Subsequent commits will cover other aspects of
keys.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
22fcf1b5f5 Move PSAMacroEnumerator to macro_collector
It's useful for more than test_psa_constant_names.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
10ab267afb Add some type annotations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
6f7ba5f9c4 Split out PSAMacroEnumerator from the test data collection code
Split out the code that enumerates constructors of a PSA crypto type
from the code used to populate the list of constructors for the
specific purpose of testing psa_constant_names.

This commit adds some documentation but otherwise strives to minimize
code changes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
3d7783909a Use an iterator when constructing test cases
It's more pythonic, and more importantly more readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
0298bdae8d generate_psa_tests.py: allow generating each file independently
Generating all files all the time makes debugging one specific target
harder. So support generating a selection of targets only.

As a bonus, it is now more apparent what files this script generates,
and check-generated-files.sh takes advantage of it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Gilles Peskine
b94ea51ad0 Break up the god class TestGenerator
Use separate classes for information gathering, for each kind of test
generation (currently just one: not-supported), and for writing output
files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-10 23:22:35 +01:00
Chris Jones
f6643ccd90 Add library/*_internal.h to build files
Build scripts modified to refer to all internal headers being in
`library/*_internal.h`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Steven Cooreman
d50db945c4 Add hash acceleration driver testing
Test hash algorithm functions when called through a transparent
driver in all.sh test_psa_crypto_config_basic and
test_psa_crypto_drivers components.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-10 13:03:36 +01:00
Manuel Pégourié-Gonnard
17605f072b
Merge pull request #4151 from ronald-cron-arm/psa-sign_verify-hash
PSA sign and verify hash rework
2021-03-10 10:08:50 +01:00
Mateusz Starzyk
7d48b28218 Remove 1.3 to 2.0 transition helpers files.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-03 11:00:34 +01:00
Steven Cooreman
2c2efa488b Fix dependency-setting script and test dependencies for new tests
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:39 +01:00
Steven Cooreman
4400c3a44a Add _AT_LEAST_THIS_LENGTH_ macros to PSA constants test
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:39 +01:00
Dave Rodgman
d6ee36ed04
Merge pull request #4110 from gilles-peskine-arm/psa-external-random-in-mbedtls
Expose the PSA RNG in mbedtls
2021-02-22 14:47:29 +00:00
Ronald Cron
17b3afcc33 tests: psa: Test sign/verify hash by a transparent driver
Test signature and signature verification by a transparent
driver in all.sh test_psa_crypto_config_basic and
test_psa_crypto_drivers components.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-18 15:45:12 +01:00
Gilles Peskine
0d241eda69 Remove trailing comma which is only supported since Python 3.6
It's a syntax error in Python 3.5 and we run that in our CI.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:58:29 +01:00
Gilles Peskine
d169d60319 Skip dependency symbols that are not implemented
A temporary hack: at the time of writing, not all dependency symbols
are implemented yet. Skip test cases for which the dependency symbols are
not available. Once all dependency symbols are available, this comit
should be reverted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:58:29 +01:00
Gilles Peskine
60b29fea46 Define WANT symbols for always-supported key types
PSA_KEY_TYPE_RAW_DATA and PSA_KEY_TYPE_DERIVE are always supported.
Make this explicit by declaring PSA_WANT_KEY_TYPE_RAW_DATA and
PSA_WANT_KEY_TYPE_DERIVE unconditionally. This makes it easier to
infer dependencies in a systematic way.

Don't generate not-supported test cases for those key types. They
would always be skipped, which is noise and would make it impossible
to eventually validate that all test cases pass in at least one
configuration over the whole CI.

Don't remove the exception in set_psa_test_dependencies.py for now, to
get less noise in dependencies. This may be revised later if it is
deemed more important to be systematic.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:52 +01:00
Gilles Peskine
7f756876b9 Append the key size to ECC curve dependencies
ECC curve dependency symbols include the key size in addition to the
curve family. Tweak the dependencies once the key size is known.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine
7d112ae04c Check in test_suite_psa_crypto_not_supported.generated.data
This test data file is automatically generated. We could do that as
part of the build, since the only requirement is Python and we have a
requirement on Python to build tests anyway (to generate the .c file
from the .function file). However, committing the generating file into
the repository has less impact on build scripts, and will be necessary
for some of the files generated by generate_psa_tests.py (at least the
storage format stability tests, for which stability is guaranteed by
the fact that the generated file doesn't change). To keep things
simple, for now, let's commit all the files generated by
generate_psa_tests.py into the repository.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine
af1728442d Generate not-supported test cases: ECC key types
Add support for ECC key types to the generation of not-supported test
cases in generate_psa_tests.py. For each curve, generate test cases
both for when ECC isn't supported and for when the curve isn't
supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine
14e428f921 Generate not-supported test cases automatically: import, generate
For each declared key type, generate test cases for psa_import_key and
psa_generate_key when the corresponding type is not supported.

Some special cases:
* Public keys can never be generated.
* Omit key types that Mbed TLS does not support at all.
* ECC and FFDH, which depend on a curve/group, are not covered yet.

The generated test cases are written to
tests/suites/test_suite_psa_crypto_not_supported.generated.data .

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine
0994049614 New framework for generating PSA test cases automatically
This commit creates a script to generate test cases automatically
based on enumerating PSA key types, algorithms and other
classifications of cryptographic mechanisms.

Subsequent commits will implement the generation of test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine
38c12fd48e In external_rng tests, disable the entropy module
The point of having an external RNG is that you can disable all
built-in RNG functionality: both the entropy part and the DRBG part.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:46:06 +01:00
Gilles Peskine
8eb2943705 Support mbedtls_psa_get_random() in SSL test programs
The SSL test programs can now use mbedtls_psa_get_random() rather than
entropy+DRBG as a random generator. This happens if
the configuration option MBEDTLS_USE_PSA_CRYPTO is enabled, or if
MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is set at build time.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:39:48 +01:00
Ronald Cron
761905e7a3 tests: psa config: Extend tests to RSA keys
Extend import/export/generate key through a PSA
transparent driver without software fallback
testing to RSA keys.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:07:46 +01:00
Ronald Cron
5cd00d28bf
Merge pull request #4092 from ronald-cron-arm/psa-crypto-client
Psa crypto client
2021-02-15 10:46:35 +01:00
Mateusz Starzyk
0fdcc8eee9 Remove Havege module.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-02-11 14:17:07 +01:00
Bence Szépkúti
a63b20d28b Rename AEAD tag length macros
This brings them in line with PSA Crypto API 1.0.0

PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH         -> PSA_ALG_AEAD_WITH_SHORTENED_TAG

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-02-11 11:39:31 +01:00
Gilles Peskine
2747d7dc60 Duplicate no-DRBG tests: with and without MBEDTLS_USE_PSA_CRYPTO
Whether MBEDTLS_USE_PSA_CRYPTO is enabled makes a significant
difference with respect to how random generators are used (and, for
no-HMAC_DRBG, how ECDSA signature is dispatched), so test both with
and without it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-03 15:50:46 +01:00
Ronald Cron
80eaa93b59 tests: psa: Reactivate and expand key management through test driver
The compilation guards in key_management.c are now
accelerator compilation guards (MBEDTLS_PSA_ACCEL_KEY_TYPE_xyz).

As a consequence when running the PSA driver wrapper
tests as part of test_psa_crypto_config_basic
and test_psa_crypto_drivers all.sh components all
key management cryptographic operations were handled by
the software builtin fallback, and not by the test driver
as intended in the first place.

This commits fixes this issue by:
. declaring an accelerator for ECC key pairs in
  test_psa_crypto_config_basic.
. declaring an accelerator for both ECC and RSA
  key pairs in test_psa_crypto_drivers.

It is possible to declare an accelerator for both
ECC and RSA key pairs in test_psa_crypto_drivers
and not in test_psa_crypto_config_basic because
in the case of test_psa_crypto_drivers the new
PSA configuration is not activated. That way,
the builtin fallback software implementation
is present to supply the transparent test driver
when some support is missing in it (mainly
RSA key generation).

Note that the declaration of accelerators does
much more than just "fixing" the execution flow of
driver wrapper tests, it makes all import and public
key export cryptographic operations in all unit
tests being handled by the transparent test driver
(provided that it supports the key type).

One test case related to key generation is
partially disabled. This will be fixed with the
rework of psa_generate_key along the lines
described in psa-crypto-implementation-structure.md.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-02 11:38:50 +01:00
Gilles Peskine
80a970806f No dependencies for storage format tests
Storage format tests that only look at how the file is structured and
don't care about the format of the key material don't depend on any
cryptographic mechanisms.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine
b51d72f82e Run copy_fail even when the target policy is unsupported
The negative test cases for psa_copy_key() don't actually care whether
the target policy is supported. This is similar to _key_policy tests.
Add a similar rule.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine
fa37961413 Rename OMITTED_SYSTEMATIC_DEPENDENCIES
It isn't a set of dependencies, it's a set of symbols. So give it a
name that describes the symbol rather than a name that pretends it's a
collection of dependencies.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine
0794572f96 More precise recognition of key policy negative tests
The test function asymmetric_signature_key_policy combines positive
and negative tests inside the code, so it doesn't take a status as its
last argument.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine
a87e178553 If there are no arguments, don't update the file content
This avoids having to bother with edge cases of the .data syntax.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
72d8e0ad04 Key policy negative tests don't actually require the algorithm
It doesn't make much difference in practice, but to keep closer to
what the current code does, run negative key policy tests even if the
algorithm for the operation attempt is not supported.

In particular, this allows the following test cases to run:
* "PSA key policy: agreement + KDF, wrong agreement algorithm"
* "PSA key policy: raw agreement, wrong algorithm"
Without this exception, those two test cases would never run, because
they would depend on PSA_ALG_WANT_FFDH. Since FFDH is not implemented
yet, it isn't enabled in any configuration. There's no alternative to
FFDH for these particular test cases because ECDH is the only key
agreement that is implemented in Mbed TLS so far.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
20987b9a46 Detect test cases that require something not to be supported
PSA_xxx_CATEGORY_yyy is used in metadata tests where it doesn't
involve any particular support, and elsewhere it's used as a value
that is definitely not supported but is in a plausible range. Such
symbols do not require any dependency.

If a test case is expects PSA_ERROR_NOT_SUPPORTED, its
dependencies (often including one negative dependency) cannot be
determined automatically, so leave that test case alone.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
f032fa9d94 Special handling for some always-on or alias symbols
Some symbols don't require a dependency symbol:

* Modifiers such as truncated MAC
* Always-on features such as the raw data key type
* Aliases or special values such as RSA PKCS#1v1.5 raw

I'm not convinced that all of these warrant special handling in the
script, rather than having the expected symbol defined somewhere. But
for now I prefer to minimize changes to the header files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
81dec0047f Remove classic crypto dependencies
Don't remove cipher-related dependencies because the corresponding
PSA_WANT_xxx dependencies are not implemented yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
e4f539caf9 Don't add cipher-related PSA_WANT_xxx because they aren't implemented yet
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
9bbba5ea69 Add a function to remove classic crypto dependencies
A list of symbols to remove will be added in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
2d2e924401 Implement basic update of PSA_WANT dependencies
Remove any existing PSA_WANT_xxx dependency. Add PSA_WANT_xxx
dependencies based on the PSA_KEY_TYPE_xxx and PSA_ALG_xxx symbols
used in the test case arguments.

PSA_ECC_FAMILY_xxx and PSA_DH_GROUP_xxx are not implemented yet in the
PSA conditional inclusion mechanism in Mbed TLS, so this script
doesn't handle them yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
45e9e73e66 Add a possibility to keep manual dependencies for certain functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
82ebaa4d36 Implement stanza parsing in .data files
Parse the existing dependencies. For now, just write them back.
Subsequent commits will implement the dependency processing that is
the goal of this program.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Gilles Peskine
bdffaeaf3a New script to determine PSA crypto test dependencies automatically
This commit only contains a framework to rewrite .data files. No
actual modification of the content is implemented yet.

For now, command line parsing is trivial: just a list of file names,
with no options.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Ronald Cron
336678bccc tests: psa: Test PSA client-only code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-01 13:17:23 +01:00
Ronald Cron
88a8035860
Merge pull request #3953 from gilles-peskine-arm/python-mypy-mkdir
Python upscale: pass mypy and create library directory
2021-01-29 12:07:53 +01:00
Gilles Peskine
0370c17105 mypy: require at least version 0.780
0.780 works. The previous release, 0.770, does not.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-20 12:03:24 +01:00
Gilles Peskine
4738b96d75 Use $PYTHON when running mypy
Make sure to run mypy with the desired Python version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-19 21:45:32 +01:00
Gilles Peskine
c3b178768f Use can_mypy rather than just checking for mypy
As indicated in the comments in the can_mypy function, we don't just
need a mypy executable to be present, we need it to work.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-19 21:43:24 +01:00
Gilles Peskine
bdde5d002c Use Python to check the version of pylint
This reduces dependencies, doesn't require maintainers to know awk,
and makes the version parsing more robust.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-19 21:42:05 +01:00
Gilles Peskine
6d82a7ef9f Say we're running pylint
Now that the script might additionally run mypy, it's more
user-friendly to indicate what's going on at the beginning as well.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-19 21:23:11 +01:00
Gilles Peskine
2991b5f6c0 Minor documentation fixes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-19 21:23:11 +01:00
Gilles Peskine
a222434952 Test SSL with non-deterministic ECDSA
In component_test_no_hmac_drbg, the fact that HMAC_DRBG is disabled
doesn't affect the SSL code, but the fact that deterministic ECDSA is
disabled does. So run some ECDSA-related SSL tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 20:31:24 +01:00
Gilles Peskine
ba74904c48 SSL test programs: support HMAC_DRBG
Support HMAC_DRBG in ssl_client2 and ssl_server2, in addition to
CTR_DRBG. CTR_DRBG is still used if present, but it's now possible to
run the SSL test programs with CTR_DRBG disabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 20:30:03 +01:00
Gilles Peskine
1cc6a8ea15 Add --can-pylint and --can-mypy options
With just the option --can-pylint or --can-mypy, check whether the
requisite tool is available with an acceptable version and exit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 17:12:18 +01:00
Gilles Peskine
b13ed70b32 Check scripts/mbedtls_dev/*.py with pylint
mypy automatically checks the modules when it encounters them as
imports. Don't make it check them twice, because it would complain
about encountering them through different paths (via the command line
as scripts/mbedtls_dev/*.py and via imports as just mbedtls_dev/*.py).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 17:12:10 +01:00
Gilles Peskine
a51e1dbe76
Merge pull request #3895 from gilles-peskine-arm/psa-external-random
Alternative random generator support for PSA
2021-01-06 17:09:11 +01:00
Gilles Peskine
2adebc89da Move get_c_expression_values into a separate module
Create a directory mbedtls_dev intended to contain various Python
module for use by Python scripts located anywhere in the Mbed TLS
source tree.

Move get_c_expression_values and its auxiliary functions into a new
Python module mbedtls_dev.c_build_helper.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-11 00:35:19 +01:00
Gilles Peskine
fc62211e3b Refactor and generalize run_c
Generalize the very ad hoc run_c function into a function to generate
a C program to print the value of a list of expressions. Refactor the
code into several functions to make it more manageable.

No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-11 00:35:11 +01:00
Gilles Peskine
45d350b9dc Allow tests/scripts/foo.py to import from scripts
Allow Python scripts in tests/scripts to import modules located in the
scripts directory. To do this, use
```
import scripts_path # pylint: disable=unused-import
```

Declare the scripts directory to pylint and to mypy.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 23:16:03 +01:00
Gilles Peskine
7be4551f23 Check typing of python scripts if mypy is available
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 21:32:32 +01:00
Gilles Peskine
e6d0ac26ca mbedtls_test.py: Tell mypy to ignore mbed_host_tests
Since no typing stubs are available for mbed_host_tests.py, mypy
errors out on mbedtls_test.py with

    error: Skipping analyzing 'mbed_host_tests': found module but no type hints or library stubs

Ignore this import to get at least some benefit from mypy without
spending significant effort to write stubs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 21:30:14 +01:00
Gilles Peskine
38b66dfc85 test_generate_test_code: remove Python 2 compatibility code
This makes the code cleaner.

As a bonus, mypy no longer gets confused.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 21:30:08 +01:00
Gilles Peskine
ac9e7c0b6e check_files.py: pass mypy
Add enough type annotations to pass mypy 0.782 with Python 3.5. The
source code will still run normally under older Python versions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 21:30:01 +01:00
Gilles Peskine
4aebb8d936 Test shebang lines
Executable scripts must have shebang (#!) line to be effectively
executable on most Unix-like systems. Enforce this, and conversely
enforce that files with a shebang line are executable.

Check that the specified interperter is consistent with the file
extension.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 21:29:55 +01:00
Gilles Peskine
15898eec23 Allow Python files not to be executable
.py files may be modules which are not standalone program, so allow
them not to be executable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-10 21:29:49 +01:00
Manuel Pégourié-Gonnard
48c76c91f3
Merge pull request #3949 from bensze01/update_psa_values
Improve documentation in test_psa_constant_names.py
2020-12-10 11:19:30 +01:00
Bence Szépkúti
4af6560860 Improve documentation in test_psa_constant_names.py
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 11:10:21 +01:00
Gilles Peskine
2b759626a9
Merge pull request #3948 from bensze01/update_psa_values
Update the values of PSA Crypto API macros to version 1.0.0
2020-12-08 11:03:33 +01:00
Bence Szépkúti
7e37bf97ee Update test_psa_constant_names.py for new values
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 07:33:08 +01:00
John Durkop
1b7ee05461 Added tests to confirm hash support for crypto config
New tests have been added for all the hash algorithms to
confirm they compile correctly when using PSA_WANT and
accelerator guards.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-27 08:51:22 -08:00
Gilles Peskine
c109b37b07 Test MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Add two builds with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG to all.sh:
* full minus all DRBG (validates that PSA can work without any of the
  DRBG modules).
* with MBEDTLS_USE_PSA_CRYPTO and no CTR_DRBG (validates that PSA can
  work without CTR_DRBG, and that it works for USE_PSA_CRYPTO).

The goal is to exercise default/full, with/out USE_PSA_CRYPTO, and
with/out deterministic ECDSA (which requires HMAC_DRBG). The choice of
pairing is rather arbitrary.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
82e57d1611 PSA: support HMAC_DRBG
Support using HMAC_DRBG instead of CTR_DRBG in the PSA subsystem.

Use HMAC_DRBG if CTR_DRBG is available. Choose between SHA-256 and
SHA-512 based on availability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
662deb38d6
Merge pull request #3547 from ronald-cron-arm/psa-openless
Openless PSA crypto APIs implementation
2020-11-20 18:48:33 +01:00
Gilles Peskine
9a68810405
Merge pull request #3830 from jdurkop/psa-crypto-config-phase2
Phase 2 support for MBDTLS_PSA_CRYPTO_CONFIG
2020-11-19 09:32:23 +01:00
John Durkop
07cc04a8ad Updates to PSA crypto library based on review comments
Moved new check_crypto_config.h file from include/psa to library
directory and the file is now included from *.c instead of the
crypto_config.h file. Fixed guards in PSA crypto library based
on review comments for new PSA crypto config features.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-18 08:09:49 -08:00
Gilles Peskine
c70431451b
Merge pull request #3867 from gilles-peskine-arm/error-include-string
Fix several configuration-related issues
2020-11-17 20:32:59 +01:00
John Durkop
6ba40d1faa Corrected guards in PSA library based on review comments
Revised the placement of various new MBEDTLS_PSA_BUILTIN_xxx
guards based on review comments. Corrected guards in psa
test driver to use _ACCEL version instead of _BUILTIN version.
Updated check_config_psa.h to include additional dependency checks
for more algorithms. Renamed some of the new tests to be a little
more clear on the purpose.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-12 10:21:40 -08:00
Ronald Cron
c3623dbc76 State PSA_CRYPTO_KEY_ID_ENCODES_OWNER and USE_PSA_CRYPTO incompatibility
Code under MBEDTLS_USE_PSA_CRYPTO define is PSA client
code intended to use key identifiers of type psa_key_id_t.
Thus the MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
configuration option is incompatible with
MBEDTLS_USE_PSA_CRYPTO.

State this in config.h and check_config.h.

As a consequence:
. remove MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER from
  the full configuration, as MBEDTLS_USE_PSA_CRYPTO is
  part of it.

. add a new component in all.sh to keep testing the
  library when MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
  is set.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
John Durkop
9814fa2b08 Minor updates from review comments
Updated macros in config_psa.h that used ECC_xxx to use KEY_TYPE_ECC_xxx
per comments from review. Implemented a check_config_psa.h to help with
dependency checking of features enabled in config_psa.h. Added
check_config_psa.h to visual studio project.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
7fc75eac21 Enable all features in crypto_config.h
In order to pass existing tests like test_psa_crypto_config_basic
and test_psa_crypto_config_no_driver, all the new features need
to be enabled in the default crypto_config.h file. This change
enables those features by default and updates the other new
tests to compensate for everything being enabled by disabling
some features for some of the tests as needed.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
bd069d32e8 Enhanced testing for PSA crypto config features
Updated some of the test names to better reflect what they are testing.
Expanded the testing around RSA feature for PSA crypto config. Updated
the test script to support backing up and restoring the
include/psa/crypto_config.h file so that features can be individually
setup for each unique feature test.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00