From 60b29fea46326f5d3f3aeb3334f2c4e5193ca42b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Feb 2021 14:06:50 +0100 Subject: [PATCH] Define WANT symbols for always-supported key types PSA_KEY_TYPE_RAW_DATA and PSA_KEY_TYPE_DERIVE are always supported. Make this explicit by declaring PSA_WANT_KEY_TYPE_RAW_DATA and PSA_WANT_KEY_TYPE_DERIVE unconditionally. This makes it easier to infer dependencies in a systematic way. Don't generate not-supported test cases for those key types. They would always be skipped, which is noise and would make it impossible to eventually validate that all test cases pass in at least one configuration over the whole CI. Don't remove the exception in set_psa_test_dependencies.py for now, to get less noise in dependencies. This may be revised later if it is deemed more important to be systematic. Signed-off-by: Gilles Peskine --- include/mbedtls/config_psa.h | 4 ++++ include/psa/crypto_config.h | 2 ++ tests/scripts/generate_psa_tests.py | 11 ++++++++--- tests/scripts/set_psa_test_dependencies.py | 6 +++--- ...suite_psa_crypto_not_supported.generated.data | 16 ---------------- 5 files changed, 17 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 4ad390d7a7..73a3ea356e 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -533,6 +533,10 @@ extern "C" { #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ +/* These features are always enabled. */ +#define PSA_WANT_KEY_TYPE_DERIVE 1 +#define PSA_WANT_KEY_TYPE_RAW_DATA 1 + #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 9453e81c79..773e1711d2 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -79,6 +79,7 @@ #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_ALG_XTS 1 + #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 @@ -88,6 +89,7 @@ #define PSA_WANT_KEY_TYPE_DES 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 +#define PSA_WANT_KEY_TYPE_RAW_DATA 1 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index 4036ee38fa..19cb78cf6c 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -119,8 +119,12 @@ class TestGenerator: filename = os.path.join(self.test_suite_directory, basename + '.data') test_case.write_data_file(filename, test_cases) - @staticmethod + ALWAYS_SUPPORTED = frozenset([ + 'PSA_KEY_TYPE_DERIVE', + 'PSA_KEY_TYPE_RAW_DATA', + ]) def test_cases_for_key_type_not_supported( + self, kt: crypto_knowledge.KeyType, param: Optional[int] = None, param_descr: str = '', @@ -131,8 +135,9 @@ class TestGenerator: parameter not being supported. If it is absent or None, emit test cases conditioned on the base type not being supported. """ - if kt.name == 'PSA_KEY_TYPE_RAW_DATA': - # This key type is always supported. + if kt.name in self.ALWAYS_SUPPORTED: + # Don't generate test cases for key types that are always supported. + # They would be skipped in all configurations, which is noise. return [] import_dependencies = [('!' if param is None else '') + psa_want_symbol(kt.name)] diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py index e3760c564f..7a84cf4d8a 100755 --- a/tests/scripts/set_psa_test_dependencies.py +++ b/tests/scripts/set_psa_test_dependencies.py @@ -112,9 +112,9 @@ WITHOUT_SYSTEMATIC_DEPENDENCIES = frozenset([ 'PSA_ALG_ANY_HASH', # only meaningful in policies 'PSA_ALG_KEY_AGREEMENT', # only a way to combine algorithms 'PSA_ALG_TRUNCATED_MAC', # only a modifier - 'PSA_KEY_TYPE_NONE', # always supported - 'PSA_KEY_TYPE_DERIVE', # always supported - 'PSA_KEY_TYPE_RAW_DATA', # always supported + 'PSA_KEY_TYPE_NONE', # not a real key type + 'PSA_KEY_TYPE_DERIVE', # always supported, don't list it to reduce noise + 'PSA_KEY_TYPE_RAW_DATA', # always supported, don't list it to reduce noise # Not implemented yet: cipher-related key types and algorithms. # Manually extracted from crypto_values.h. diff --git a/tests/suites/test_suite_psa_crypto_not_supported.generated.data b/tests/suites/test_suite_psa_crypto_not_supported.generated.data index 614f4a42a6..02c7df399d 100644 --- a/tests/suites/test_suite_psa_crypto_not_supported.generated.data +++ b/tests/suites/test_suite_psa_crypto_not_supported.generated.data @@ -80,22 +80,6 @@ PSA generate CHACHA20 256-bit not supported depends_on:!PSA_WANT_KEY_TYPE_CHACHA20 generate_not_supported:PSA_KEY_TYPE_CHACHA20:256 -PSA import DERIVE 120-bit not supported -depends_on:!PSA_WANT_KEY_TYPE_DERIVE -import_not_supported:PSA_KEY_TYPE_DERIVE:"48657265006973206b6579a0646174" - -PSA generate DERIVE 120-bit not supported -depends_on:!PSA_WANT_KEY_TYPE_DERIVE -generate_not_supported:PSA_KEY_TYPE_DERIVE:120 - -PSA import DERIVE 128-bit not supported -depends_on:!PSA_WANT_KEY_TYPE_DERIVE -import_not_supported:PSA_KEY_TYPE_DERIVE:"48657265006973206b6579a064617461" - -PSA generate DERIVE 128-bit not supported -depends_on:!PSA_WANT_KEY_TYPE_DERIVE -generate_not_supported:PSA_KEY_TYPE_DERIVE:128 - PSA import DES 64-bit not supported depends_on:!PSA_WANT_KEY_TYPE_DES import_not_supported:PSA_KEY_TYPE_DES:"644573206b457901"