Normally we need all the combinations, unique combinations make sense
only if the operation is commutative.
No changes to generated tests.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Remove old dataset that was overriding the defaults in bignum_core. This
will change the datasets for core_sub and core_add to the default
inherited from bignum_common.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Add data for small values, 192 bit and 1024 bit values, primes,
non-primes odd, even, and some typical corner cases.
All subclasses override this for the time being so there are no changes
to the test cases.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The goal of this commit is to add some constants that can be used to
define datasets and add test data in a more readable and reusable
manner.
All platforms using ECC need to support calculations with at least 192
bits, therefore constants for this length are added. We are not using a
curve prime as those will be tested elsewhere and it is better not to
play favourites.
All platforms using RSA or FFDH need to support calculations with at
least 1024 bits, therefore numbers of this size are added too.
A safe prime is added for both sizes as it makes all elements generators
(except 0 and 1 of course), which in turn makes some tests more
effective.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Only fixed width input_style uses the default value of the bits_in_limb
parameter, so set it to 32 in order to have less leading zeroes.
Signed-off-by: Janos Follath <janos.follath@arm.com>
There are no intended changes to generated tests. (The ordering of tests
in the mod_raw module has changed.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
The special case list type depends on the arity and the subclass. Remove
type restriction to make defining special case lists more flexible and natural.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Sometimes we don't want all possible combinations of the input data and
sometimes not all combinations make sense. We are adding a convenient
way to decide on a case by case basis. Now child classes only need to
implement the is_valid method and the invalid cases will be filtered out
automatically.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Having int_ variants as an attribute has the advantage of the input
being validated when the object is instantiated. In theory otherwise if
a particular int_ attribute is not accessed, then the invalid argument
is passed to the tests as it is. (This would in all likelihood detected
by the actual test cases, still, it is more robust like this.)
There are no semantic changes to the generated test cases. (The order
of appearance of 64 and 32 bit mpi_core_add_and_add_if test cases has
changed.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
Before arg_ attributes were the arguments as they were defined in the
python script. Turning these into properties and having them take the
form respect the style set in input_style makes the class easier to use
and more consistent.
This change makes the hex_ properties redundant and therefore they are
removed.
There are no semantic changes to the generated test cases. (The order
of appearance of 64 and 32 bit mpi_core_add_and_add_if test cases has
changed.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
The ArchSplit functionality was duplicated and moved to OperationCommon
from the other copy. The remnants of the functionality is moved to the
only subclass using this.
There is no semantic change to the generated tests. The order has
changed however: core_add tests have been moved before core_mla tests
and the order of the 64 and 32 bit versions have been swapped.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The functionality of ModOperationCommonArchSplit is needed in several
subclasses, therefore moving it to a superclass.
There is another, redundant ArchSplit class, which will be removed in a
later commit.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The class BignumModRawOperationArchSplit has functionality that are
needed in other modules, therefore moving it to bignum_common.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The class BignumModRawOperation implements functionality that are needed
in other modules, therefore we move it to common.
No intended changes to test cases. The order of add_and_add_if and sub tests
have been switched.
Signed-off-by: Janos Follath <janos.follath@arm.com>
We need arch split tests in different modules, moving it to the common
module makes it reusable.
No intended changes in the generated tests. (The position of the
core_add_if tests changed, but they are still all there.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
The class BaseTarget served two purposes:
- track test cases and target files for generation
- provide an abstract base class for individual test groups
Splitting these allows decoupling these two and to have further common
superclasses across targets.
No intended change in generated test cases.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Although negative zero is officially unsupported, we've had bugs related to
it in the past. So do test functions with a negative zero input.
There will likely be cases where we don't want to accept negative zero as if
it was valid, because it's too hard to handle. We'll add exceptions on a
case by case basis.
For the functions that are currently tested by the generated tests, the new
test cases pass.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This exposes a bug in mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() which
will be fixed in a subsequent commit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This patch moves `BignumModRawOperation` and `BignumModRawOperationArchSplit`
outside of the scaffolding merge slot.
It also renames `r_sqrt` property to `r2`.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch modifies the BignumModRawOperation class to
provide special access to key members commonly used
in tests.
It binds the module's getters to conversion functions
which enable automatic conversions such as:
* hex to int.
* zero padding hex strings.
* common Montgomery constants such as R, R^2 and R^01
are now be calculated upon access.
class `BignumModRawOperationArchSplit` is also updated to
utilise the new design.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch is adding a basic instantance of `BignumModRawOperation`
and creates an `BignumModRawOperationArchSplit` class, copying
over the implementation of `BignumCoreRawOperationArchSplit`.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Legacy Bignum is excluded as it doesn't get regular extensions like new
ones.
Each slot uses comments of their respective filetype. Since .data files
don't have a syntax for comments, dummy test cases are used. (These test
cases will never be executed and no noise will be added to tests.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
We will need it to pad parameters in the base class, but it is useful
because every child class would need to calculate it anyway.
Signed-off-by: Janos Follath <janos.follath@arm.com>
In Bignum Core the result also involves a carry and both the result and
the carry depend on the size of the limbs.
Before this change both 32 and 64 bit specific result have been passed
to the test functions.
Moving this decision out of the tests makes the test functions easier to
write and read and the test cases easier to read and debug. The change
doesn't make writing the generator script any harder and might even make
reading it easier.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Many bignum tests have multiple calculated result values, so return
these as a list, rather than formatting as a string.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
Separate file is added for classes used to generate cases for tests
in bignum_core.function. Common elements of the BignumOperation class
are added to classes in a new common file, for use across files.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
When writing the new .data file, first write the new content, then replace
the target. This way, there isn't a temporary state in which the file is
partially written. This temporary state can be misleading if the build is
interrupted. It's annoying if you're watching changes to the output and the
changes appear as emptying the file following by the new version appearing.
Now interrupted builds don't leave a file that appears to be up to date but
isn't, and when watching the output, there's a single transition to the new
version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When writing the new .data file, first write the new content, then replace
the target. This way, there isn't a temporary state in which the file is
partially written. This temporary state can be misleading if the build is
interrupted. It's annoying if you're watching changes to the output and the
changes appear as emptying the file following by the new version appearing.
Now interrupted builds don't leave a file that appears to be up to date but
isn't, and when watching the output, there's a single transition to the new
version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We had 4 identical copies of the check_repo_path function. Replace them by a
single copy in the build_tree module where it naturally belongs.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We were using absolute imports under the assumption that the /scripts
directory is in the path. This worked in normal use because every one of our
Python scripts either were in the /scripts directory, or added the /scripts
directory to the module search path in order to reference mbedtls_dev.
However, this broke things like
```
python3 -m unittest scripts/mbedtls_dev/psa_storage.py
```
Fix this by using relative imports.
Relative imports are only supposed to be used inside a package (Python
doesn't complain, but Pylint does). So make /scripts/mbedtls_dev a proper
package by creating __init__.py.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The option to --directory was intended to be relative to the current
directory when the script is invoked, which is the intuitive behavior. But
this was not implemented correctly, and it was actually interpreted relative
to the mbedtls root (which the script chdir's into). Fix this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We have Python code both for test code generation
(tests/scripts/generate_test_code.py) and now for test data generation.
Avoid the ambiguous expression "test generation".
This commit renames the Python module and adjusts all references to it. A
subsequent commit will adjust the documentation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Previous changes used the docstring of the test_generation module,
which does not inform a user about the script.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
TLS uses it to derive the session secret. The algorithm takes a serialized
point in an uncompressed form, extracts the X coordinate and computes
SHA256 of it. It is only expected to work with P-256.
Fixes#5978.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
BaseTarget-derived targets are now added to TestGenerator.targets in
initialization. This reduces repeated code in generate_xxx_tests.py
scripts which use this framework.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
Previous implementation mixed the test case generation and the
recursive generation calls together. A separate method is added to
generate test cases for the current class' test function. This reduces
the need to override generate_tests().
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
The PSA API does not use public key objects in key agreement
operations: it imports the public key as a formatted byte string.
So a public key object with a key agreement algorithm is not
a valid combination.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
RSA-OAEP requires the key to be larger than a function of the hash size.
Ideally such combinations would be detected as a key/algorithm
incompatibility. However key/algorithm compatibility is currently tested
between the key type and the algorithm without considering the key size, and
this is inconvenient to change. So as a workaround, dispense
OAEP-with-too-small-hash from exercising, without including it in the
automatic operation-failure test generation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Mbed TLS doesn't support certain block cipher mode combinations. This
limitation should probably be lifted, but for now, test them as unsupported.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Reject algorithms of the form PSA_ALG_TRUNCATED_MAC(...) or
PSA_ALG_AEAD_WITH_SHORTENED_TAG(...) when the truncation length is invalid
or not accepted by policy in Mbed TLS.
This is done in KeyType.can_do, so in generate_psa_tests.py, keys will be
tested for operation failure with this algorithm if the algorithm is
rejected, and for storage if the algorithm is accepted.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The current macro collector only tried the minimum and maximum expressible
lengths for PSA_ALG_TRUNCATED_MAC and PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG.
This was good enough for psa_constant_names, but it's weak for exercising
keys, in particular because it doesn't include any valid AEAD tag length.
So cover more lengths.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Only allow selected modes with 64-bit block ciphers (i.e. DES).
This removes some storage tests and creates corresponding op_fail tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In key read tests, add usage flags that are suitable for the key type and
algorithm. This way, the call to exercise_key() in the test not only checks
that exporting the key is possible, but also that operations on the key are
possible.
This triggers a number of failures in edge cases where the generator
generates combinations that are not valid, which will be fixed in subsequent
commits.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This currently makes all the descriptions unambiguous even when truncated at
66 characters, as the unit test framework does.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The output of generate_psa_tests.py is almost unchanged: the differences are
only spaces after commas (now consistently omitted).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Use the new generic is_public method.
Impact on generated cases: there are new HMAC test cases for SIGN_HASH. It
was a bug that these test cases were previously not generated.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Determine key types that are compatible with an algorithm based on
their names.
Key derivation and PAKE are not yet supported.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is automatic in CPython but not guaranteed by the language. Be friendly
to other Python implementations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Genertae test_suite_psa_crypto_generate_key.generated.data.
Use test_suite_psa_crypto_generate_key.function as a test function.
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.
In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).
Changes in this commit:
* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
generate_psa_constant_names).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add test cases validating that if a stored key only had the hash policy,
then after loading it psa_get_key_attributes reports that it also has the
message policy, and the key can be used with message functions.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Test keys with various persistence levels, enumerated from the
metadata tests.
For read-only keys, do not attempt to create or destroy the key
through the API, only to read a key that has been injected into
storage directly through filesystem access.
Do not test keys with a non-default location, since they require a
driver and we do not yet have a dependency mechanism to require the
presence of a driver for a specific location value.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When generating expressions to construct test case data, there can be
duplicate values, for example if a value of the form C(A) is present
as such in test_suite_psa_crypto_metadata.data and also constructed by
enumerating the argument A for the constructor C. Eliminate such
duplicates in generate_expressions.
This commit removes many test cases that were exact duplicates (and
were near-duplicates differing only in whitespace before the
whitespace normalization).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In macro_collector.py, base InputsForTest on PSAMacroEnumerator rather
than PSAMacroCollector. It didn't make much sense to use
PSAMacroCollector anymore since InputsForTest didn't use anything
other than the constructor.
psa_generate_tests now generates arguments for more macros.
In particular, it now collects macro arguments from
test_suite_psa_crypto_metadata. Algorithms with parameters are now
supported.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In generate_psa_tests, use InputsForTest rather than PSAMacroCollector
to gather values. This way, the enumeration of values to test includes
values used in metadata tests in addition to constructors parsed from
header files. This allows greater coverage of values built from
constructors with arguments. This doesn't make a difference yet, but
it will once algorithm constructors with arguments are supported in
generate_psa_tests.
Make the injection of numerical values optional. They are useful for
test_psa_constant_names, so keep them there. Don't use them for
not-supported tests: they might make sense, but the current code
wouldn't work since it doesn't know how to make up fake key material
or what dependencies to generate. Don't use them for storage tests:
they only make sense for supported values.
Don't inject 'PSA_SUCCESS': that's superfluous.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add the test keys from RFC 8032 (§7.1 Ed25519 "TEST 1", §7.4 Ed448 "Blank").
This replaces the generic byte-sized data used for unknown key types
which no longer works now that Ed25519 is considered to have 255 bits.
Re-generate the automatically generated test data accordingly.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The coordinates are over $F_{2^{255}-19}$, so by the general
definition of the bit size associated with the curve in the
specification, the value for size attribute of keys is 255.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add an elliptic curve family for the twisted Edwards curves
Edwards25519 and Edwards448 ("Goldilocks"). As with Montgomery curves,
since these are the only two curves in common use, the family has a
generic name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Generate test cases for all key types. These test cases cover the key
representation (checked with export) and the encoding of the key type and
the bit-size.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Construct an object given the attributes and material for a PSA crypto key
and get the Mbed TLS storage representation.
The code to generate the storage representation was written based on the
specification in docs/architecture/mbed-crypto-storage-specification.md,
without looking at the code.
The data in the unit tests is from the AES-128 format_storage_data_check
test case in test_suite_psa_crypto_persistent_key.data, tweaked manually.
This commit creates a basic framework for using symbolic values for
attributes, but does not yet implement obtaining the corresponding numerical
values from an external source.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make it possible to enumerate the key types, algorithms, etc.
collected by PSAMacroCollector.
This commit ensures that all fields of PSAMacroEnumerator are filled
by code inspection. Testing of the result may reveal more work to be
done in later commits.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
There are type annotations that indirectly depend on the
typing_extensions module (on Python 3.5-3.7: Protocol was added to the
core typing module in 3.8). The typing_extensions module is not
installed by default, so the code didn't run on a pristine Python
installation.
To avoid depending on a non-default module, make the dependency on
typing_extensions optional. (It's still required to run mypy, but
installing mypy takes care of providing typing_extensions.) If it
isn't available, provide a substitute definition that's just good
enough to get the scripts to run.
Move this ugly code to its own module to avoid the temptation of
spreading such ugliness all over the place. It's likely to be used in
other modules anyway.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Otherwise the generation is sensitive to trivial differences such as
running `tests/scripts/generate_psa_tests.py` vs
`./tests/scripts/generate_psa_tests.py` vs an absolute path.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
SECP192R1 is declared in the PSA API specification, but it's an old
one that Mbed TLS doesn't support and even OpenSSL doesn't support.
We don't have test vectors for it. Just skip it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Asymmetric keys can't just be arbitrary byte strings: the public key
has to match the private key and the private key usually has
nontrivial constraints.
In order to have deterministic test data and not to rely on
cryptographic dependencies in the Python script, hard-code some test
keys.
In this commit, copy some test keys from test_suite_psa_crypto.data.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>