From 1701c340ebef2aa23b3194f34904f945610c29fd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 21 Nov 2024 22:06:39 +0100 Subject: [PATCH 1/5] Fix `make dir/file` not rebuilding existing files Running `make library/foo`, `make programs/foo` or `make tests/foo` only rebuilt the given target if it was not an existing file, because the toplevel makefile does not know the file's dependencies and thus thought that every such target had empty dependencies. Fix this by always invoking make recursively. Signed-off-by: Gilles Peskine --- Makefile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index c9f575082d..a580736602 100644 --- a/Makefile +++ b/Makefile @@ -49,11 +49,14 @@ tests: mbedtls_test mbedtls_test: $(MAKE) -C tests mbedtls_test -library/%: +.PHONY: FORCE +FORCE: + +library/%: FORCE $(MAKE) -C library $* -programs/%: +programs/%: FORCE $(MAKE) -C programs $* -tests/%: +tests/%: FORCE $(MAKE) -C tests $* .PHONY: generated_files From a074fe491acedbafbb8b8dfa51006bbd3dcf1b1b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Dec 2024 18:54:12 +0100 Subject: [PATCH 2/5] Declare the new Python module used by generate_psa_tests.py Signed-off-by: Gilles Peskine --- tests/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Makefile b/tests/Makefile index e13eb50c7f..7bd9953422 100644 --- a/tests/Makefile +++ b/tests/Makefile 
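Review bot: The new `FORCE` prerequisite on `library/%`, `programs/%` and `tests/%` carries no comment, so the reason for it lives only in the commit message. I would put a comment above `.PHONY: FORCE`, for example `# Always recurse: this makefile does not know the dependencies of files in subdirectories, so the sub-make decides whether the target is up to date.` The same comment could mention that any existing path under those three directories, source files included, now triggers a recursive make when named as a goal. That is presumably harmless, but it is a change in behaviour.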
@@ -127,6 +127,7 @@ generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_test_case.py generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py ## The generated file only depends on the options that are present in From bc7c52342030fbd2d8cd3de5d4a8d60af26f9b05 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 2 Jan 2025 11:30:55 +0100 Subject: [PATCH 3/5] Remove uses of secp244k1 Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will not be implemented. (It would be K1_225 anyway, but we don't intend to implement it anyway.) Signed-off-by: Gilles Peskine --- configs/ext/crypto_config_profile_medium.h | 6 ------ include/mbedtls/check_config.h | 1 - library/ssl_tls.c | 3 --- programs/ssl/ssl_test_lib.c | 5 ----- scripts/config.py | 12 +----------- tests/scripts/analyze_outcomes.py | 2 -- tests/ssl-opt.sh | 7 ------- tests/suites/test_suite_ssl.function | 5 ----- 8 files changed, 1 insertion(+), 40 deletions(-) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 67de4c0fd9..637c2ff11c 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h 
@@ -198,12 +198,6 @@ //#define PSA_WANT_ECC_MONTGOMERY_255 1 //#define PSA_WANT_ECC_MONTGOMERY_448 1 //#define PSA_WANT_ECC_SECP_K1_192 1 -/* - * SECP224K1 is buggy via the PSA API in Mbed TLS - * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by - * default. - */ -//#define PSA_WANT_ECC_SECP_K1_224 1 //#define PSA_WANT_ECC_SECP_K1_256 1 //#define PSA_WANT_ECC_SECP_R1_192 1 //#define PSA_WANT_ECC_SECP_R1_224 1 diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 9deb14fc1f..eebe1644be 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -43,7 +43,6 @@ defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \ defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \ - defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ae4fd89f6a..5031c77a56 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6251,9 +6251,6 @@ static const struct { #if defined(PSA_WANT_ECC_SECP_R1_224) { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, #endif -#if defined(PSA_WANT_ECC_SECP_K1_224) - { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 }, -#endif #if defined(PSA_WANT_ECC_SECP_R1_192) { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, #endif diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index 2aa2d88840..2c68489ba6 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c 
@@ -518,11 +518,6 @@ static const struct { #else { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 0 }, -#endif #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 }, #else diff --git a/scripts/config.py b/scripts/config.py index db2bc57e3f..3508ce4797 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -60,13 +60,8 @@ PSA_DEPRECATED_FEATURE = frozenset([ 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR' ]) -PSA_UNSTABLE_FEATURE = frozenset([ - 'PSA_WANT_ECC_SECP_K1_224' -]) - EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \ - PSA_DEPRECATED_FEATURE | \ - PSA_UNSTABLE_FEATURE + PSA_DEPRECATED_FEATURE # The goal of the full configuration is to have everything that can be tested # together. This includes deprecated or insecure options. It excludes: @@ -114,7 +109,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE', # only relevant for embedded devices *PSA_UNSUPPORTED_FEATURE, *PSA_DEPRECATED_FEATURE, - *PSA_UNSTABLE_FEATURE ]) def is_seamless_alt(name): @@ -367,8 +361,6 @@ class CryptoConfig(config_common.Config): if name in PSA_UNSUPPORTED_FEATURE: raise ValueError(f'Feature is unsupported: \'{name}\'') - if name in PSA_UNSTABLE_FEATURE: - raise ValueError(f'Feature is unstable: \'{name}\'') if name not in self.settings: self._get_configfile().templates.append((name, '', '#define ' + name + ' ')) 
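Review bot: Dropping `PSA_UNSTABLE_FEATURE` in scripts/config.py (hunk `@@ -60,13 +60,8 @@`) also removes the only visible guard that rejected `PSA_WANT_ECC_SECP_K1_224`. The `set()` checks in the `@@ -367,8 +361,6 @@` and `@@ -417,8 +409,6 @@` hunks go with it. From the visible lines, a stale script that still sets the symbol would no longer get a `ValueError`. In `CryptoConfig.set` it may instead get a `#define` template appended for a macro nothing consumes, which reads as "curve enabled" when it is not. If the name is not already in `PSA_UNSUPPORTED_FEATURE` (defined outside these hunks), consider adding `'PSA_WANT_ECC_SECP_K1_224',` there so the request keeps failing loudly. As a style point, the shortened assignment now fits on one line: `EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | PSA_DEPRECATED_FEATURE`.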
@@ -417,8 +409,6 @@ class CombinedConfig(config_common.Config): if configfile == self.crypto_configfile: if name in PSA_UNSUPPORTED_FEATURE: raise ValueError(f'Feature is unsupported: \'{name}\'') - if name in PSA_UNSTABLE_FEATURE: - raise ValueError(f'Feature is unstable: \'{name}\'') # The default value in the crypto config is '1' if not value and re.match(self._crypto_regexp, name): diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index ad1cf37307..90d28df1de 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -132,8 +132,6 @@ class CoverageTask(outcome_analysis.CoverageTask): 'Config: PSA_WANT_ALG_CBC_MAC', # Algorithm declared but not supported. 'Config: PSA_WANT_ALG_XTS', - # Family declared but not supported. - 'Config: PSA_WANT_ECC_SECP_K1_224', # More granularity of key pair type enablement macros # than we care to test. # https://github.com/Mbed-TLS/mbedtls/issues/9590 diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1c4fae729e..88b0e115d1 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2690,13 +2690,6 @@ requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256 run_test_psa_force_curve "brainpoolP256r1" requires_config_enabled PSA_WANT_ECC_SECP_R1_224 run_test_psa_force_curve "secp224r1" -## SECP224K1 is buggy via the PSA API -## (https://github.com/Mbed-TLS/mbedtls/issues/3541), -## so it is disabled in PSA even when it's enabled in Mbed TLS. -## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but -## dependencies on PSA symbols in ssl-opt.sh are not implemented yet. -#requires_config_enabled PSA_WANT_ECC_SECP_K1_224 -#run_test_psa_force_curve "secp224k1" requires_config_enabled PSA_WANT_ECC_SECP_R1_192 run_test_psa_force_curve "secp192r1" requires_config_enabled PSA_WANT_ECC_SECP_K1_192 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 3802074f9d..3a2d61becd 100644 --- a/tests/suites/test_suite_ssl.function 
+++ b/tests/suites/test_suite_ssl.function @@ -3595,11 +3595,6 @@ void elliptic_curve_get_properties() #else TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); #endif -#if defined(PSA_WANT_ECC_SECP_K1_224) - TEST_AVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224); -#else - TEST_UNAVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224); -#endif #if defined(PSA_WANT_ECC_SECP_R1_192) TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); #else From 46fb5dc301ae1eaa046eb3577ad10a14cf5dbbfc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 2 Jan 2025 11:31:48 +0100 Subject: [PATCH 4/5] Update submodules Update TF-PSA-Crypto to have the latest framework with https://github.com/Mbed-TLS/mbedtls-framework/pull/83 . Update the framework to match. Signed-off-by: Gilles Peskine --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index e95def83c2..c78da5a1e7 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit e95def83c262522fd0c78b89837b218ac839138a +Subproject commit c78da5a1e7fd503685f28b18e17756a38f10444e From 49e48ef24056eaabeee1f7e684808ae7b1f30e79 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 24 Dec 2024 17:17:03 +0100 Subject: [PATCH 5/5] Remove test coverage exceptions that are no longer needed Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 90d28df1de..721ac4a7d6 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
@@ -198,16 +198,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # https://github.com/Mbed-TLS/mbedtls/issues/9592 re.compile(r'.*ECDSA.*only deterministic supported'), ], - 'test_suite_psa_crypto_generate_key.generated': [ - # Ignore mechanisms that are not implemented, except - # for public keys for which we always test that - # psa_generate_key() returns PSA_ERROR_INVALID_ARGUMENT - # regardless of whether the specific key type is supported. - _has_word_re((mech - for mech in _PSA_MECHANISMS_NOT_IMPLEMENTED - if not mech.startswith('ECC_PUB')), - exclude=r'ECC_PUB'), - ], 'test_suite_psa_crypto_metadata': [ # Algorithms declared but not supported. # https://github.com/Mbed-TLS/mbedtls/issues/9579 @@ -221,10 +211,6 @@ class CoverageTask(outcome_analysis.CoverageTask): 'MAC: CBC_MAC-AES-256', ], 'test_suite_psa_crypto_not_supported.generated': [ - # It is a bug that not-supported test cases aren't getting - # run for never-implemented key types. - # https://github.com/Mbed-TLS/mbedtls/issues/7915 - PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE, # We never test with DH key support disabled but support # for a DH group enabled. The dependencies of these test # cases don't really make sense. @@ -263,12 +249,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # https://github.com/Mbed-TLS/mbedtls/issues/9592 'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long ], - 'test_suite_psa_crypto_storage_format.current': [ - PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE, - ], - 'test_suite_psa_crypto_storage_format.v0': [ - PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE, - ], 'tls13-misc': [ # Disabled due to OpenSSL bug. # https://github.com/openssl/openssl/issues/10714