mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-01-26 03:35:35 +00:00
Merge pull request #7431 from valeriosetti/issue7404
driver-only: ECP.PSA starter
This commit is contained in:
commit
1b59e76a8f
@ -2289,6 +2289,140 @@ component_test_psa_crypto_config_reference_all_ec_algs_use_psa () {
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
# This helper function is used by:
|
||||
# - component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa()
|
||||
# - component_test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa()
|
||||
# to ensure that both tests use the same underlying configuration when testing
|
||||
# driver's coverage with analyze_outcomes.py.
|
||||
#
|
||||
# This functions accepts 1 boolean parameter as follows:
|
||||
# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore
|
||||
# excluding their built-in implementation as well as ECP_C & ECP_LIGHT
|
||||
# - 0: include built-in implementation of EC algorithms.
|
||||
#
|
||||
# PK_C and RSA_C are always disabled to ensure there is no remaining dependency
|
||||
# on the ECP module.
|
||||
config_psa_crypto_full_all_ec_algs_no_ecp_use_psa () {
|
||||
DRIVER_ONLY="$1"
|
||||
# start with crypto_full config for maximum coverage (also enables USE_PSA),
|
||||
# but excluding X509, TLS and key exchanges
|
||||
scripts/config.py crypto_full
|
||||
# enable support for drivers and configuring PSA-only algorithms
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
if [ "$DRIVER_ONLY" -eq 1 ]; then
|
||||
# Disable modules that are accelerated
|
||||
scripts/config.py unset MBEDTLS_ECDSA_C
|
||||
scripts/config.py unset MBEDTLS_ECDH_C
|
||||
scripts/config.py unset MBEDTLS_ECJPAKE_C
|
||||
# Disable ECP module (entirely)
|
||||
scripts/config.py unset MBEDTLS_ECP_C
|
||||
scripts/config.py unset MBEDTLS_ECP_LIGHT
|
||||
fi
|
||||
|
||||
# Disable PK module since it depends on ECP
|
||||
scripts/config.py unset MBEDTLS_PK_C
|
||||
scripts/config.py unset MBEDTLS_PK_PARSE_C
|
||||
scripts/config.py unset MBEDTLS_PK_WRITE_C
|
||||
# Disable also RSA_C that would re-enable PK
|
||||
scripts/config.py unset MBEDTLS_RSA_C
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V15
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
# Disable also key exchanges that depend on RSA for completeness
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
|
||||
# Restartable feature is not yet supported by PSA. Once it will in
|
||||
# the future, the following line could be removed (see issues
|
||||
# 6061, 6332 and following ones)
|
||||
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
|
||||
# Dynamic secure element support is a deprecated feature and needs to be disabled here.
|
||||
# This is done to have the same form of psa_key_attributes_s for libdriver and library.
|
||||
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
|
||||
|
||||
# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
|
||||
# partial support for cipher operations in the driver test library.
|
||||
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
|
||||
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
|
||||
|
||||
# Disable PSA_WANT symbols that would re-enable PK
|
||||
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
|
||||
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
|
||||
for ALG in $(sed -n 's/^#define \(PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
|
||||
scripts/config.py -f include/psa/crypto_config.h unset $ALG
|
||||
done
|
||||
}
|
||||
|
||||
# Build and test a configuration where driver accelerates all EC algs while
|
||||
# all support and dependencies from ECP and ECP_LIGHT are removed on the library
|
||||
# side.
|
||||
#
|
||||
# Keep in sync with component_test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa()
|
||||
component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa () {
|
||||
msg "build: crypto_full + accelerated EC algs + USE_PSA - ECP"
|
||||
|
||||
# Algorithms and key types to accelerate
|
||||
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
|
||||
ALG_ECDH \
|
||||
ALG_JPAKE \
|
||||
KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
|
||||
|
||||
# Set common configurations between library's and driver's builds
|
||||
config_psa_crypto_full_all_ec_algs_no_ecp_use_psa 1
|
||||
|
||||
# Configure and build the test driver library
|
||||
# -------------------------------------------
|
||||
|
||||
# Things we wanted supported in libtestdriver1, but not accelerated in the main library:
|
||||
# SHA-1 and all SHA-2 variants, as they are used by ECDSA deterministic.
|
||||
loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512"
|
||||
loc_accel_flags=$( echo "$loc_accel_list $loc_extra_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
|
||||
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
|
||||
|
||||
# Configure and build the main libraries with drivers enabled
|
||||
# -----------------------------------------------------------
|
||||
|
||||
# Build the library
|
||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||
loc_symbols="-DPSA_CRYPTO_DRIVER_TEST \
|
||||
-DMBEDTLS_TEST_LIBTESTDRIVER1"
|
||||
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests $loc_symbols $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
||||
|
||||
# Make sure any built-in EC alg was not re-enabled by accident (additive config)
|
||||
not grep mbedtls_ecdsa_ library/ecdsa.o
|
||||
not grep mbedtls_ecdh_ library/ecdh.o
|
||||
not grep mbedtls_ecjpake_ library/ecjpake.o
|
||||
# Also ensure that ECP or RSA modules were not re-enabled
|
||||
not grep mbedtls_ecp_ library/ecp.o
|
||||
not grep mbedtls_rsa_ library/rsa.o
|
||||
|
||||
# Run the tests
|
||||
# -------------
|
||||
|
||||
msg "test suites: crypto_full + accelerated EC algs + USE_PSA - ECP"
|
||||
make test
|
||||
}
|
||||
|
||||
# Reference function used for driver's coverage analysis in analyze_outcomes.py
|
||||
# in conjunction with component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa().
|
||||
# Keep in sync with its accelerated counterpart.
|
||||
component_test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa () {
|
||||
msg "build: crypto_full + non accelerated EC algs + USE_PSA"
|
||||
|
||||
config_psa_crypto_full_all_ec_algs_no_ecp_use_psa 0
|
||||
|
||||
make
|
||||
|
||||
# Esure that the RSA module was not re-enabled
|
||||
not grep mbedtls_rsa_ library/rsa.o
|
||||
|
||||
msg "test suites: crypto_full + non accelerated EC algs + USE_PSA"
|
||||
make test
|
||||
}
|
||||
|
||||
# Helper function used in:
|
||||
# - component_test_psa_crypto_config_accel_all_curves_except_p192
|
||||
# - component_test_psa_crypto_config_accel_all_curves_except_x25519
|
||||
|
@ -251,6 +251,41 @@ TASKS = {
|
||||
}
|
||||
}
|
||||
},
|
||||
'analyze_driver_vs_reference_all_ec_algs_no_ecp': {
|
||||
'test_function': do_analyze_driver_vs_reference,
|
||||
'args': {
|
||||
'component_ref': 'test_psa_crypto_full_reference_all_ec_algs_no_ecp_use_psa',
|
||||
'component_driver': 'test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa',
|
||||
'ignored_suites': [
|
||||
# Ignore test suites for the modules that are disabled in the
|
||||
# accelerated test case.
|
||||
'ecp',
|
||||
'ecdsa',
|
||||
'ecdh',
|
||||
'ecjpake',
|
||||
],
|
||||
'ignored_tests': {
|
||||
'test_suite_random': [
|
||||
'PSA classic wrapper: ECDSA signature (SECP256R1)',
|
||||
],
|
||||
'test_suite_psa_crypto': [
|
||||
'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1',
|
||||
'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)',
|
||||
'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA',
|
||||
'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1',
|
||||
'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0',
|
||||
'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1',
|
||||
'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)',
|
||||
'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)',
|
||||
'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)',
|
||||
'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)',
|
||||
'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)',
|
||||
'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)',
|
||||
'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)',
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
def main():
|
||||
|
@ -727,14 +727,12 @@ int mbedtls_test_psa_exported_key_sanity_check(
|
||||
} else
|
||||
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||
|
||||
#if defined(MBEDTLS_ECP_LIGHT)
|
||||
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
|
||||
/* Just the secret value */
|
||||
TEST_EQUAL(exported_length, PSA_BITS_TO_BYTES(bits));
|
||||
|
||||
TEST_ASSERT(exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE);
|
||||
} else
|
||||
#endif /* MBEDTLS_ECP_LIGHT */
|
||||
|
||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||
if (type == PSA_KEY_TYPE_RSA_PUBLIC_KEY) {
|
||||
@ -766,7 +764,6 @@ int mbedtls_test_psa_exported_key_sanity_check(
|
||||
} else
|
||||
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||
|
||||
#if defined(MBEDTLS_ECP_LIGHT)
|
||||
if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type)) {
|
||||
|
||||
TEST_ASSERT(exported_length <=
|
||||
@ -792,10 +789,7 @@ int mbedtls_test_psa_exported_key_sanity_check(
|
||||
TEST_EQUAL(1 + 2 * PSA_BITS_TO_BYTES(bits), exported_length);
|
||||
TEST_EQUAL(exported[0], 4);
|
||||
}
|
||||
} else
|
||||
#endif /* MBEDTLS_ECP_LIGHT */
|
||||
|
||||
{
|
||||
} else {
|
||||
(void) exported;
|
||||
TEST_ASSERT(!"Sanity check not implemented for this key type");
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user