From 0739336dd26eb28b21d38380c203731225776135 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 14 Apr 2022 15:36:17 +0200 Subject: [PATCH 01/13] Enable mbedtls_endpoint_sanity tests with PSA Signed-off-by: Neil Armstrong --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 1a31573624..325e703bbb 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4839,7 +4839,7 @@ void ssl_session_serialize_version_check( int corrupt_major, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void mbedtls_endpoint_sanity( int endpoint_type ) { enum { BUFFSIZE = 1024 }; From 993eea33626c057efbdea7f982c75a3353a19979 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 14 Apr 2022 15:37:23 +0200 Subject: [PATCH 02/13] Enable app_data_tls & app_data_dtls tests with PSA Signed-off-by: Neil Armstrong --- tests/suites/test_suite_ssl.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 325e703bbb..233148a0f6 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
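Review bot: In patch 01/13, `mbedtls_endpoint_sanity` becomes buildable with MBEDTLS_USE_PSA_CRYPTO, yet the hunk adds no PSA setup, whereas patch 05/13 had to add `USE_PSA_INIT( );` and `USE_PSA_DONE( );` to `move_handshake_to_state`, which carries the same dependency list. Only the first body line of the function is inside the hunk, so this may already be handled further down; if it is not, the same pair belongs before the first endpoint call and after the frees at `exit:`. Separately, the depends_on list names `MBEDTLS_ENTROPY_C` twice here and again in the patch 05/13 hunk; one occurrence can go.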
@@ -4976,7 +4976,7 @@ void app_data( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) @@ -4988,7 +4988,7 @@ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) From 181fe694efdd85956598052471329e432cc75907 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 14 Apr 2022 15:38:01 +0200 Subject: [PATCH 03/13] Enable handshake_serialization & handshake_fragmentation tests with PSA Signed-off-by: Neil Armstrong --- tests/suites/test_suite_ssl.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 233148a0f6..ae90ce0a65 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -5000,7 +5000,7 @@ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void handshake_serialization( ) { handshake_test_options options; @@ -5014,7 +5014,7 @@ void handshake_serialization( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation) { handshake_test_options options; From 537e915a6e7c445d7ee1243cddd9938f5565ffb2 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 14 Apr 2022 15:40:26 +0200 Subject: [PATCH 04/13] Enable DTLS renegotiation, resize_buffers, _serialize_mfl & renegotiate_mfl tests with PSA Signed-off-by: Neil Armstrong --- tests/suites/test_suite_ssl.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ae90ce0a65..2354ec016e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5050,7 +5050,7 @@ void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int ex } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void renegotiation( int legacy_renegotiation ) { handshake_test_options options; @@ -5066,7 +5066,7 @@ void renegotiation( int legacy_renegotiation ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation, int serialize, int dtls, char *cipher ) { 
@@ -5087,7 +5087,7 @@ void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void resize_buffers_serialize_mfl( int mfl ) { test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1, @@ -5098,7 +5098,7 @@ void resize_buffers_serialize_mfl( int mfl ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, char *cipher ) { From 06baf0487030ebc604b6e17d843caee00f218514 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 14 Apr 2022 16:21:15 +0200 Subject: [PATCH 05/13] Initialize PSA to fix move_handshake_to_state when USE_PSA is enabled Signed-off-by: Neil Armstrong --- tests/suites/test_suite_ssl.function | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 2354ec016e..6526ee9afc 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4862,13 +4862,15 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void move_handshake_to_state(int endpoint_type, int state, int need_pass) { enum { BUFFSIZE = 1024 }; mbedtls_endpoint base_ep, second_ep; int ret = -1; + USE_PSA_INIT( ); + ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA, NULL, NULL, NULL ); TEST_ASSERT( ret == 0 ); @@ -4901,6 +4903,7 @@ void move_handshake_to_state(int endpoint_type, int state, int need_pass) exit: mbedtls_endpoint_free( &base_ep, NULL ); mbedtls_endpoint_free( &second_ep, NULL ); + USE_PSA_DONE( ); } /* END_CASE */ From eed1c6255dd99dc095a8b90342783b067cf34e2f Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Fri, 15 Apr 2022 09:30:28 +0200 Subject: [PATCH 06/13] Enable TLS 1.3 ALPN tests when MBEDTLS_USE_PSA_CRYPTO is enabled Those were disabled in original submission, but it works fine with PSA crypto enabled. Signed-off-by: Neil Armstrong --- tests/ssl-opt.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 18fff9d7ea..efad87ede5 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
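Review bot: In patch 05/13, `USE_PSA_INIT( );` now runs while `base_ep` and `second_ep` are still uninitialised stack objects, and the `exit:` path in the second hunk frees both unconditionally. If the PSA init macro jumps to `exit` on failure (its definition is not on this page, so this is an assumption), `mbedtls_endpoint_free` would be called on structures that never went through `mbedtls_endpoint_init`. The same appears to hold for `second_ep` when the visible `TEST_ASSERT( ret == 0 )` after the first init fails. It is worth confirming that `mbedtls_endpoint_free` tolerates that, or tracking which endpoints were set up before freeing them; the function body continues outside both hunks.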
@@ -9718,7 +9718,6 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO run_test "TLS 1.3: alpn - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -alpn h2" \ "$P_CLI debug_level=3 alpn=h2" \ @@ -9754,7 +9753,6 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO run_test "TLS 1.3: alpn - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert --alpn=h2" \ "$P_CLI debug_level=3 alpn=h2" \ From 655725a6248bcc50bed153648df279e47dbfd498 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Fri, 15 Apr 2022 12:00:16 +0200 Subject: [PATCH 07/13] Unify PSA & non-PSA Verify ext RSA #5 test, and handle different return in pk_rsa_verify_ext_test_vec() Signed-off-by: Neil Armstrong --- tests/suites/test_suite_pk.data | 6 +----- tests/suites/test_suite_pk.function | 21 ++++++++++++++++++--- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 323efc2c48..430c5a2103 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data 
@@ -185,12 +185,8 @@ Verify ext RSA #4 (PKCS1 v2.1, salt_len = max, OK) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:128:0 -Verify ext RSA #5 using PSA (PKCS1 v2.1, wrong salt_len) -depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_USE_PSA_CRYPTO -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_VERIFY_FAILED - Verify ext RSA #5 (PKCS1 v2.1, wrong salt_len) -depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:!MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C 
pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_INVALID_PADDING Verify ext RSA #6 (PKCS1 v2.1, MGF1 alg != MSG hash alg) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 6c4f9e44d2..13e14d49a3 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -487,6 +487,7 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, mbedtls_pk_rsassa_pss_options pss_opts; void *options; size_t hash_len; + int ret; USE_PSA_INIT( ); mbedtls_pk_init( &pk ); 
@@ -526,9 +527,23 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, pss_opts.expected_salt_len = salt_len; } - TEST_ASSERT( mbedtls_pk_verify_ext( pk_type, options, &pk, - digest, hash_result, hash_len, - result_str->x, sig_len ) == result ); + ret = mbedtls_pk_verify_ext( pk_type, options, &pk, + digest, hash_result, hash_len, + result_str->x, sig_len ); + + /* Mbed TLS distinguishes "invalid padding" from "valid padding but + * the rest of the signature is invalid". This has little use in + * practice and PSA doesn't report this distinction. + * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated + * to MBEDTLS_ERR_RSA_VERIFY_FAILED + */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( result == MBEDTLS_ERR_RSA_INVALID_PADDING && + ret == MBEDTLS_ERR_RSA_VERIFY_FAILED ) + TEST_EQUAL( ret, MBEDTLS_ERR_RSA_VERIFY_FAILED); + else +#endif + TEST_EQUAL( ret, result ); exit: mbedtls_pk_free( &pk ); From 4ad82e4b33f119f751f9521fdfe32e274afd37b1 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Fri, 15 Apr 2022 13:27:17 +0200 Subject: [PATCH 08/13] Add component_check_test_requires_psa_disabled used to check if some tests requiring PSA to be disabled are presemt Signed-off-by: Neil Armstrong --- tests/scripts/all.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 07e708ba42..a9a5af699e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -873,7 +873,12 @@ component_check_doxygen_warnings () { tests/scripts/doxygen.sh } +component_check_test_requires_psa_disabled () { + msg "Check: tests requiring PSA to be disabled" + not grep -n 'depends.*!MBEDTLS_USE_PSA_CRYPTO' -R tests/suites/ + not grep -n 'requires.*disabled.*USE_PSA' tests/ssl-opt.sh tests/opt-testcases/tls13-compat.sh +} ################################################################ #### Build and test many configurations and targets From 09030a345cd0a1d057c8dae970a74878648e3697 Mon Sep 17 00:00:00 2001 
From: Neil Armstrong Date: Thu, 21 Apr 2022 11:17:43 +0200 Subject: [PATCH 09/13] Refine component_check_test_requires_psa_disabled change grep options order for better compatibility Signed-off-by: Neil Armstrong --- tests/scripts/all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a9a5af699e..ca3736c4ac 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -876,8 +876,8 @@ component_check_doxygen_warnings () { component_check_test_requires_psa_disabled () { msg "Check: tests requiring PSA to be disabled" - not grep -n 'depends.*!MBEDTLS_USE_PSA_CRYPTO' -R tests/suites/ - not grep -n 'requires.*disabled.*USE_PSA' tests/ssl-opt.sh tests/opt-testcases/tls13-compat.sh + not grep -n -R 'depends.*!MBEDTLS_USE_PSA_CRYPTO' tests/suites/ + not grep -n -R 'requires.*disabled.*USE_PSA' tests/ssl-opt.sh tests/opt-testcases/ } ################################################################ From 6e6967f6a0faa8bb3c7a4688c7222cdd9363d589 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Fri, 22 Apr 2022 11:32:18 +0200 Subject: [PATCH 10/13] Reorganize PSA INVALID_PADDING handling for test #5 in pk_rsa_verify_ext_test_vec() Signed-off-by: Neil Armstrong --- tests/suites/test_suite_pk.function | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 13e14d49a3..1ba305561c 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function 
@@ -531,19 +531,25 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, digest, hash_result, hash_len, result_str->x, sig_len ); - /* Mbed TLS distinguishes "invalid padding" from "valid padding but - * the rest of the signature is invalid". This has little use in - * practice and PSA doesn't report this distinction. - * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated - * to MBEDTLS_ERR_RSA_VERIFY_FAILED - */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( result == MBEDTLS_ERR_RSA_INVALID_PADDING && - ret == MBEDTLS_ERR_RSA_VERIFY_FAILED ) - TEST_EQUAL( ret, MBEDTLS_ERR_RSA_VERIFY_FAILED); + if( result == MBEDTLS_ERR_RSA_INVALID_PADDING ) + { + /* mbedtls_pk_verify_ext() may return MBEDTLS_ERR_RSA_INVALID_PADDING + * error depending on which path was taken. + * If the PSA path is used, it won't because Mbed TLS + * distinguishes "invalid padding" from "valid padding but + * the rest of the signature is invalid". This has little use in + * practice and PSA doesn't report this distinction. + * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated + * to MBEDTLS_ERR_RSA_VERIFY_FAILED + */ + TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED ); + } else #endif - TEST_EQUAL( ret, result ); + { + TEST_EQUAL( ret, result ); + } exit: mbedtls_pk_free( &pk ); From 882e02ea7aa8dd1d4f5c9b7c237c627f4cb20ac6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Fri, 22 Apr 2022 16:50:29 +0200 Subject: [PATCH 11/13] Move and fixup check_test_requires_psa_disabled() into check_test_cases() Signed-off-by: Neil Armstrong --- tests/scripts/all.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ca3736c4ac..4e90d9e429 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
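Review bot: The relaxed check `TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED );` in patch 10/13 applies to every vector whose expected result is MBEDTLS_ERR_RSA_INVALID_PADDING whenever MBEDTLS_USE_PSA_CRYPTO is defined, including, according to the comment above it, vectors that do not take the PSA path. A regression that changes the error code on the non-PSA path would therefore pass unnoticed in PSA builds. If the path taken can be predicted from the PSS options the test already has in hand, asserting the single expected code per path with `TEST_EQUAL` would keep the check strict. The `else` left between the closing brace and `#endif` also deserves a short comment such as `/* this else exists only with MBEDTLS_USE_PSA_CRYPTO */`, since the braced block after `#endif` reads as unconditional at first glance.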
@@ -866,6 +866,10 @@ component_check_test_cases () { fi tests/scripts/check_test_cases.py $opt unset opt + + # Check if some test are explicitely disabled when USE_PSA_CRYPTO is set + not grep -n -R 'depends_on.*!MBEDTLS_USE_PSA_CRYPTO' tests/suites/*.function tests/suites/*.data + not grep -n -R '^ *requires_config_disabled.*MBEDTLS_USE_PSA_CRYPTO' tests/ssl-opt.sh tests/opt-testcases/*.sh } component_check_doxygen_warnings () { @@ -873,12 +877,7 @@ component_check_doxygen_warnings () { tests/scripts/doxygen.sh } -component_check_test_requires_psa_disabled () { - msg "Check: tests requiring PSA to be disabled" - not grep -n -R 'depends.*!MBEDTLS_USE_PSA_CRYPTO' tests/suites/ - not grep -n -R 'requires.*disabled.*USE_PSA' tests/ssl-opt.sh tests/opt-testcases/ -} ################################################################ #### Build and test many configurations and targets From 1c9eb722fdbd4c15b416b3ab3d5cb5b62d082f6c Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Mon, 25 Apr 2022 14:38:18 +0200 Subject: [PATCH 12/13] Update PSA specific comment in pk_rsa_verify_ext_test_vec() Signed-off-by: Neil Armstrong --- tests/suites/test_suite_pk.function | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 1ba305561c..24344d8606 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function 
@@ -534,14 +534,14 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, #if defined(MBEDTLS_USE_PSA_CRYPTO) if( result == MBEDTLS_ERR_RSA_INVALID_PADDING ) { - /* mbedtls_pk_verify_ext() may return MBEDTLS_ERR_RSA_INVALID_PADDING - * error depending on which path was taken. - * If the PSA path is used, it won't because Mbed TLS - * distinguishes "invalid padding" from "valid padding but + /* Mbed TLS distinguishes "invalid padding" from "valid padding but * the rest of the signature is invalid". This has little use in * practice and PSA doesn't report this distinction. * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated - * to MBEDTLS_ERR_RSA_VERIFY_FAILED + * to MBEDTLS_ERR_RSA_VERIFY_FAILED. + * However, currently `mbedtls_pk_verify_ext()` may use either the + * PSA or the Mbed TLS API, depending on the PSS options used. + * So, it may return either INVALID_PADDING or INVALID_SIGNATURE. */ TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED ); } From 98136b14e0898726dc6b5b8cfc0d4a8d7f0084de Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 27 Apr 2022 10:00:42 +0200 Subject: [PATCH 13/13] Fixup and update comment of disabled USE_PSA_CRYPTO test check in all.sh Signed-off-by: Neil Armstrong --- tests/scripts/all.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 4e90d9e429..6273ee0f96 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
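Review bot: The last sentence of the rewritten comment in patch 12/13 says the call may return "either INVALID_PADDING or INVALID_SIGNATURE", but the assertion below it compares against `MBEDTLS_ERR_RSA_VERIFY_FAILED`, and INVALID_SIGNATURE is the PSA status named two sentences earlier. Naming the Mbed TLS codes the test actually accepts avoids the mix-up: `So, it may return either MBEDTLS_ERR_RSA_INVALID_PADDING or MBEDTLS_ERR_RSA_VERIFY_FAILED.`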
@@ -867,9 +867,11 @@ component_check_test_cases () { tests/scripts/check_test_cases.py $opt unset opt - # Check if some test are explicitely disabled when USE_PSA_CRYPTO is set - not grep -n -R 'depends_on.*!MBEDTLS_USE_PSA_CRYPTO' tests/suites/*.function tests/suites/*.data - not grep -n -R '^ *requires_config_disabled.*MBEDTLS_USE_PSA_CRYPTO' tests/ssl-opt.sh tests/opt-testcases/*.sh + # Check that no tests are explicitely disabled when USE_PSA_CRYPTO is set + # as a matter of policy to ensure there is no missed testing + msg "Check: explicitely disabled test with USE_PSA_CRYPTO" # < 1s + not grep -n 'depends_on:.*!MBEDTLS_USE_PSA_CRYPTO' tests/suites/*.function tests/suites/*.data + not grep -n '^ *requires_config_disabled.*MBEDTLS_USE_PSA_CRYPTO' tests/ssl-opt.sh tests/opt-testcases/*.sh } component_check_doxygen_warnings () {
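Review bot: Both `not grep -n ...` lines in patch 13/13 pass on any non-zero grep status, assuming `not` simply inverts the exit status (its definition is outside this hunk). grep exits 1 for "no match" but 2 or higher for errors such as an unreadable file or a glob that matched nothing, so a renamed or moved test directory would make this policy check succeed without having scanned anything. Accepting only status 1 as a pass would close that gap. The patterns also cover only `depends_on:` lines and `requires_config_disabled` calls, so a test body excluded through a preprocessor guard on MBEDTLS_USE_PSA_CRYPTO is not seen, which may be intended. In the new comment and `msg` text, `explicitely` should read `explicitly`; `component_check_test_cases` starts above the hunk.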