This value should be:
- OK for all EC/FFDH key pairs/public keys;
- OK for all supported public RSA keys;
- OK for RSA key pairs up to 2048 bits;
- FAIL for RSA key pairs above 2048 bits.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Intentionally set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE slightly
smaller than the maximum RSA key pair size for an RSA key of 4096
bits. Also add a test in test_suite_psa_crypto to verify this
condition.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Disable all MBEDTLS_xxx symbols (keeping only the relevant ones enabled)
when building the main library.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit also fixes related errors in test suites. In all
cases those failures are related to the use of raw keys whose
size cannot be determined a-priori.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
With the `depend.py` using the crypto config the `PBKDF2_HMAC` can be
enabled so thest cases can be run.
The equivalence (synonym) between `PSA_WANT_ALG_RSA_PSS_ANY_SALT` and
`PSA_WANT_ALG_RSA_PSS` is now done properly, the test can be run.
Dependencies for `MBEDTLS_CIPHER_PADDING_PKCS7' has been updated and
now it can be actually disabled.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
The PSA and MbedTLS options can switch the same functionality separately
so add a check to ensure the cpnsistency.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
Without quotes, when the variable is empty, the shell will see three
tokens: [, -n, ]. After skipping ] as usual, it will see a single token,
so it will consider it not as command, but a string to be tested for "is
it empty", and since "-n" is not empty, the command will return true.
With quotes it see 4 tokens: [, -n, <empty string>, ] and interprets -n
as desired.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Replace obvious additions of an `MBEDTLS_ERR_xxx` constant by a call to
`MBEDTLS_ERROR_ADD`.
Skip `case` statements since `MBEDTLS_ERROR_ADD(pp_constant)` is not a
preprocessor constant.
This commit does not replace additions split over lines. Those will be
handled in a subsequent commit.
```
git ls-files '*.h' '*.c' '*.function' '*.data' |
xargs perl -i -pe '
next if /\bcase\b/;
s/\b(MBEDTLS_ERR_\w+)\s*\+\s*(\w+)\b/MBEDTLS_ERROR_ADD($1, $2)/g;
s/\b(\w+)\s*\+\s*(MBEDTLS_ERR_\w+)\b/MBEDTLS_ERROR_ADD($1, $2)/g'
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This aligns development and 3.6 in preparation for moving to the
framework repo.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Use config_adjust_test_accelerators.h
to adjust the configuration needed for
test_psa_crypto_drivers all.sh component
with PSA_CRYPTO_CONFIG enabled.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
As we move to PSA_CRYPTO_CONFIG always on,
the way to configure the build with both
the builtin drivers and the transparent test
drivers (that are wrappers around the
builtin drivers) cannot be done through the
MBEDTLS_USER_CONFIG_FILE mechanism anymore.
With this mechanism and PSA_CRYPTO_CONFIG
enabled, the PSA_ACCEL_ macros are defined
before including config_adjust_legacy_from_psa.h
and the builtin implementations are removed.
Thus, we will rather define the PSA_ACCEL_
just after the inclusion of
config_adjust_legacy_from_psa.h through the
dedicated config_adjust_test_accelerators.h
header introduced by this commit.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
TLS only supports actual restartable ECDH with the legacy code that's going
away, not with the MBEDTLS_USE_PSA_CRYPTO code that's becoming the only
variant. This leaves a few test cases that validate restartable ECDH in TLS
as desirable, but not currently able to pass.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each ignore list entry, link to a GitHub issue for its resolution,
except for a few configurations which there is a good reason to leave
uncovered.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each ignore list entry, link to a GitHub issue for its resolution,
except for ssl-opt Valgrind tests which we never intend to run on the CI.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Ignore certain test cases which either should not be generated or should be
executed. For each ignore list entry, link to a GitHub issue whose
definition of done includes removing the entry.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some negative tests involving unsupported mechanisms are executed, because
they're testing what happens if the mechanism is unsupported. Refine the
ignore list for `test_suite_psa_crypto_generate_key.generated` and
`test_suite_psa_crypto_op_fail.generated` accordingly.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This clears more than half of the test cases that are not executed.
This also captures a few negative test cases that are executed.
Subsequent commits will refine the filtering.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
