Merge pull request #7321 from valeriosetti/issue7272

Driver-only ECC: all three top-level modules
Manuel Pégourié-Gonnard 2023-03-29 09:56:21 +02:00 committed by GitHub
commit 77902df54a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 106 additions and 363 deletions


@ -197,6 +197,11 @@ typedef struct mbedtls_pk_rsassa_pss_options {
#define MBEDTLS_PK_CAN_ECDSA_SOME #define MBEDTLS_PK_CAN_ECDSA_SOME
#endif #endif
#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
(!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
#define MBEDTLS_PK_CAN_ECDH
#endif
/** /**
* \brief Types for interfacing with the debug module * \brief Types for interfacing with the debug module
*/ */
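Review bot: The new `MBEDTLS_PK_CAN_ECDH` definition carries no comment saying what it promises, and its condition differs from the one this commit leaves on the PSA ECDH handshake fields (`PSA_WANT_ALG_ECDH && (MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3)`). Without MBEDTLS_USE_PSA_CRYPTO the macro follows MBEDTLS_ECDH_C only, so it says nothing about the PSA-side ECDH that TLS 1.3 code appears to rely on. I would add a comment above it such as `/* ECDH is available to code that follows MBEDTLS_USE_PSA_CRYPTO: via PSA when it is set, via the built-in module otherwise. */` so that later guards are not written against the wrong assumption. The header continues outside the hunk.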


@ -40,11 +40,7 @@
#include "mbedtls/dhm.h" #include "mbedtls/dhm.h"
#endif #endif
/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due #if defined(MBEDTLS_ECDH_C)
* to guards in TLS code. There is a gap in functionality that access to
* ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not seem correct.
*/
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
#include "mbedtls/ecdh.h" #include "mbedtls/ecdh.h"
#endif #endif


@ -377,11 +377,7 @@ static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t stat
/* Key management */ /* Key management */
/****************************************************************/ /****************************************************************/
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ #if defined(MBEDTLS_ECP_C)
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve, mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
size_t bits, size_t bits,
int bits_is_sloppy) int bits_is_sloppy)
@ -473,11 +469,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
(void) bits_is_sloppy; (void) bits_is_sloppy;
return MBEDTLS_ECP_DP_NONE; return MBEDTLS_ECP_DP_NONE;
} }
#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || #endif /* defined(MBEDTLS_ECP_C) */
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) ||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type, psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
size_t bits) size_t bits)
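Review bot: The guard on `mbedtls_ecc_group_of_psa()` is now `MBEDTLS_ECP_C` alone, which is narrower than the condition it replaces: a configuration that sets `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR` or `PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` without MBEDTLS_ECP_C no longer gets the function. Its callers are outside these hunks, so each of them should be checked to sit under the same guard; otherwise such a build fails at link time instead of with a clear configuration error. A short comment at the `#if`, for example `/* Returns an mbedtls_ecp_group_id, so only built when the ECP module is present. */`, would record why the PSA_WANT conditions were dropped.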


@ -751,16 +751,9 @@ struct mbedtls_ssl_handshake_params {
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
#endif #endif
/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_USE_PSA_CRYPTO)
* to guards in client and server code. There is a gap in functionality that
* access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
* seem correct.
*/
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_ECDH_C && !MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
#if defined(PSA_WANT_ALG_ECDH) && \ #if defined(PSA_WANT_ALG_ECDH) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
@ -787,7 +780,7 @@ struct mbedtls_ssl_handshake_params {
#endif #endif
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
#endif #endif


@ -831,11 +831,9 @@ static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
while (list_size > 0) { while (list_size > 0) {
if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
p[0] == MBEDTLS_ECP_PF_COMPRESSED) { p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
(defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C))
ssl->handshake->ecdh_ctx.point_format = p[0]; ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO && #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */
( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,


@ -140,7 +140,7 @@ static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
return 0; return 0;
} }
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/* /*
* Function for parsing a supported groups (TLS 1.3) or supported elliptic * Function for parsing a supported groups (TLS 1.3) or supported elliptic
@ -266,11 +266,9 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
while (list_size > 0) { while (list_size > 0) {
if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
p[0] == MBEDTLS_ECP_PF_COMPRESSED) { p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
(defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C))
ssl->handshake->ecdh_ctx.point_format = p[0]; ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO && #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */
( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
@ -286,7 +284,7 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
return 0; return 0;
} }
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || #endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@ -662,7 +660,7 @@ static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
/* /*
* Return 0 if the given key uses one of the acceptable curves, -1 otherwise * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
*/ */
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_key_curve(mbedtls_pk_context *pk, static int ssl_check_key_curve(mbedtls_pk_context *pk,
uint16_t *curves_tls_id) uint16_t *curves_tls_id)
@ -681,7 +679,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
return -1; return -1;
} }
#endif /* MBEDTLS_ECDSA_C */ #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
/* /*
* Try picking a certificate for this ciphersuite, * Try picking a certificate for this ciphersuite,
@ -766,7 +764,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
continue; continue;
} }
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
if (pk_alg == MBEDTLS_PK_ECDSA && if (pk_alg == MBEDTLS_PK_ECDSA &&
ssl_check_key_curve(&cur->cert->pk, ssl_check_key_curve(&cur->cert->pk,
ssl->handshake->curves_tls_id) != 0) { ssl->handshake->curves_tls_id) != 0) {
@ -830,7 +828,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
#endif #endif
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME)
if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
(ssl->handshake->curves_tls_id == NULL || (ssl->handshake->curves_tls_id == NULL ||
ssl->handshake->curves_tls_id[0] == 0)) { ssl->handshake->curves_tls_id[0] == 0)) {
@ -1369,7 +1367,7 @@ read_record_header:
break; break;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
@ -1389,7 +1387,7 @@ read_record_header:
return ret; return ret;
} }
break; break;
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || #endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@ -1499,7 +1497,7 @@ read_record_header:
if (!sig_hash_alg_ext_present) { if (!sig_hash_alg_ext_present) {
uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
const uint16_t default_sig_algs[] = { const uint16_t default_sig_algs[] = {
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
MBEDTLS_SSL_HASH_SHA1), MBEDTLS_SSL_HASH_SHA1),
#endif #endif
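Review bot: In `ssl_ciphersuite_match()` the check that rejects an EC ciphersuite when `curves_tls_id` is NULL or empty is compiled under `MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME`, while the supported-groups parser and the `MBEDTLS_TLS_EXT_SUPPORTED_GROUPS` case updated in this same file also include `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`. If `mbedtls_ssl_ciphersuite_uses_ec()` covers EC J-PAKE suites (not visible here), a build with EC J-PAKE but neither of the two macros compiles the check out. Either add `|| defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)` to that `#if`, or add a comment stating that the omission is intended. The function body continues outside the hunk.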


@ -2103,94 +2103,6 @@ component_test_psa_crypto_config_accel_ecdsa () {
make test make test
} }
# Auxiliary function to build config for ECDSA with and without drivers
config_psa_crypto_config_ecdsa_use_psa () {
DRIVER_ONLY="$1"
# start with config full for maximum coverage (also enables USE_PSA)
scripts/config.py full
# enable support for drivers and configuring PSA-only algorithms
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
if [ "$DRIVER_ONLY" -eq 1 ]; then
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
fi
# Restartable feature is not yet supported by PSA. Once it will in
# the future, the following line could be removed (see issues
# 6061, 6332 and following ones)
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
# Dynamic secure element support is a deprecated feature and needs to be disabled here.
# This is done to have the same form of psa_key_attributes_s for libdriver and library.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
}
# Keep in sync with component_test_psa_crypto_config_reference_ecdsa_use_psa
component_test_psa_crypto_config_accel_ecdsa_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
# Configure and build the test driver library
# -------------------------------------------
# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
# SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
# Configure and build the main libraries with drivers enabled
# -----------------------------------------------------------
# Use the same config as reference, only without built-in ECDSA
config_psa_crypto_config_ecdsa_use_psa 1
# Build the library
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
# Make sure ECDSA was not re-enabled by accident (additive config)
not grep mbedtls_ecdsa_ library/ecdsa.o
# Run the tests
# -------------
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
make test
msg "test: ssl-opt.sh"
tests/ssl-opt.sh
}
# Keep in sync with component_test_psa_crypto_config_accel_ecdsa_use_psa.
# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
component_test_psa_crypto_config_reference_ecdsa_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
# To be aligned with the accel component that needs this
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
config_psa_crypto_config_ecdsa_use_psa 0
make
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
make test
msg "test: ssl-opt.sh"
tests/ssl-opt.sh
}
component_test_psa_crypto_config_accel_ecdh () { component_test_psa_crypto_config_accel_ecdh () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
@ -2239,14 +2151,50 @@ component_test_psa_crypto_config_accel_ecdh () {
make test make test
} }
# Auxiliary function to build config for ECDH with and without drivers. component_test_psa_crypto_config_accel_pake() {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
# Start with full
scripts/config.py full
# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
loc_accel_list="ALG_JPAKE"
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Make build-in fallback not available
scripts/config.py unset MBEDTLS_ECJPAKE_C
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
# Dynamic secure element support is a deprecated feature and needs to be disabled here.
# This is done to have the same form of psa_key_attributes_s for libdriver and library.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
not grep mbedtls_ecjpake_init library/ecjpake.o
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
make test
}
# Auxiliary function to build config for all EC based algorithms (EC-JPAKE,
# ECDH, ECDSA) with and without drivers.
# #
# This is used by the two following components to ensure they always use the # This is used by the two following components to ensure they always use the
# same config, except for the use of driver or built-in ECDH: # same config, except for the use of driver or built-in EC algorithms:
# - component_test_psa_crypto_config_accel_ecdh_use_psa; # - component_test_psa_crypto_config_accel_all_ec_algs_use_psa;
# - component_test_psa_crypto_config_reference_ecdh_use_psa. # - component_test_psa_crypto_config_reference_all_ec_algs_use_psa.
# This support comparing their test coverage with analyze_outcomes.py. # This supports comparing their test coverage with analyze_outcomes.py.
config_psa_crypto_config_ecdh_use_psa () { config_psa_crypto_config_all_ec_algs_use_psa () {
DRIVER_ONLY="$1" DRIVER_ONLY="$1"
# start with config full for maximum coverage (also enables USE_PSA) # start with config full for maximum coverage (also enables USE_PSA)
scripts/config.py full scripts/config.py full
@ -2254,107 +2202,30 @@ config_psa_crypto_config_ecdh_use_psa () {
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
if [ "$DRIVER_ONLY" -eq 1 ]; then if [ "$DRIVER_ONLY" -eq 1 ]; then
# Disable the module that's accelerated # Disable modules that are accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECJPAKE_C
fi fi
# Restartable feature is not yet supported by PSA. Once it will in # Restartable feature is not yet supported by PSA. Once it will in
# the future, the following line could be removed (see issues # the future, the following line could be removed (see issues
# 6061, 6332 and following ones) # 6061, 6332 and following ones)
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
}
# Keep in sync with component_test_psa_crypto_config_reference_ecdh_use_psa
component_test_psa_crypto_config_accel_ecdh_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
# Configure and build the test driver library
# -------------------------------------------
# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
# Configure and build the main libraries
# --------------------------------------
# Use the same config as reference, only without built-in ECDH
config_psa_crypto_config_ecdh_use_psa 1
# Build the main library
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
# Make sure this was not re-enabled by accident (additive config)
not grep mbedtls_ecdh_ library/ecdh.o
# Run the tests
# -------------
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
make test
msg "test: ssl-opt.sh"
tests/ssl-opt.sh
}
# Keep in sync with component_test_psa_crypto_config_accel_ecdh_use_psa.
# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
component_test_psa_crypto_config_reference_ecdh_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
# To be aligned with the accel component that needs this
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
config_psa_crypto_config_ecdh_use_psa 0
make
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
make test
msg "test: ssl-opt.sh"
tests/ssl-opt.sh
}
# Auxiliary function to build config for EC JPAKE with and without drivers.
#
# This is used by the two following components to ensure they always use the
# same config, except for the use of driver or built-in ECJPAKE:
# - component_test_psa_crypto_config_accel_ecjpake_use_psa;
# - component_test_psa_crypto_config_reference_ecjpake_use_psa.
# This support comparing their test coverage with analyze_outcomes.py.
config_psa_crypto_config_ecjpake_use_psa () {
DRIVER_ONLY="$1"
# start with config full for maximum coverage (also enables USE_PSA)
scripts/config.py full
# enable support for drivers and configuring PSA-only algorithms
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
if [ "$DRIVER_ONLY" -eq 1 ]; then
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECJPAKE_C
fi
# Dynamic secure element support is a deprecated feature and needs to be disabled here. # Dynamic secure element support is a deprecated feature and needs to be disabled here.
# This is done to have the same form of psa_key_attributes_s for libdriver and library. # This is done to have the same form of psa_key_attributes_s for libdriver and library.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
} }
# Keep in sync with component_test_psa_crypto_config_reference_ecjpake_use_psa # Keep in sync with component_test_psa_crypto_config_reference_all_ec_algs_use_psa
component_test_psa_crypto_config_accel_ecjpake_use_psa () { component_test_psa_crypto_config_accel_all_ec_algs_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECJPAKE + USE_PSA" msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA"
# Algorithms and key types to accelerate # Algorithms and key types to accelerate
loc_accel_list="ALG_JPAKE KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
ALG_JPAKE \
KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
# Configure and build the test driver library # Configure and build the test driver library
# ------------------------------------------- # -------------------------------------------
@ -2364,110 +2235,56 @@ component_test_psa_crypto_config_accel_ecjpake_use_psa () {
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) # Things we wanted supported in libtestdriver1, but not accelerated in the main library:
make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" # SHA-1 and all SHA-2 variants, as they are used by ECDSA deterministic.
loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512"
loc_accel_flags=$( echo "$loc_accel_list $loc_extra_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
# Configure and build the main libraries # Configure and build the main libraries with drivers enabled
# -------------------------------------- # -----------------------------------------------------------
# Use the same config as reference, only without built-in JPAKE # Use the same config as reference, only without built-in EC algs
config_psa_crypto_config_ecjpake_use_psa 1 config_psa_crypto_config_all_ec_algs_use_psa 1
# Build the main library # Build the library
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
# Make sure this was not re-enabled by accident (additive config) # Make sure any built-in EC alg was not re-enabled by accident (additive config)
not grep mbedtls_ecdsa_ library/ecdsa.o
not grep mbedtls_ecdh_ library/ecdh.o
not grep mbedtls_ecjpake_ library/ecjpake.o not grep mbedtls_ecjpake_ library/ecjpake.o
# Run the tests # Run the tests
# ------------- # -------------
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated JPAKE + USE_PSA" msg "test suites: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA"
make test make test
msg "test: ssl-opt.sh" msg "ssl-opt: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA"
tests/ssl-opt.sh tests/ssl-opt.sh
} }
# Keep in sync with component_test_psa_crypto_config_accel_ecjpake_use_psa. # Keep in sync with component_test_psa_crypto_config_accel_all_ec_algs_use_psa
# Used by tests/scripts/analyze_outcomes.py for comparison purposes. component_test_psa_crypto_config_reference_all_ec_algs_use_psa () {
component_test_psa_crypto_config_reference_ecjpake_use_psa () { msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA"
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECJPAKE + USE_PSA"
# To be aligned with the accel component that needs this # To be aligned with component_test_psa_crypto_config_accel_all_ec_algs_use_psa()
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
config_psa_crypto_config_ecjpake_use_psa 0 config_psa_crypto_config_all_ec_algs_use_psa 0
make make
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECJPAKE + USE_PSA" msg "test suites: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA"
make test make test
msg "test: ssl-opt.sh" msg "ssl-opt: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA"
tests/ssl-opt.sh tests/ssl-opt.sh
} }
component_test_psa_crypto_config_accel_ecc () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH ALG_ECDSA ALG_DETERMINISTIC_ECDSA ALG_JPAKE KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
# Configure and build the test driver library
# --------------------------------------------
# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
# These hashes are needed for some ECDSA signature tests.
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384"
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512"
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
# Configure and build the main libraries
# ---------------------------------------
# start with default + driver support
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# disable modules for which we have drivers
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECJPAKE_C
# dependencies
#scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # not in default anyway
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
# build and link with test drivers
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
# make sure these were not auto-re-enabled by accident
not grep mbedtls_ecdh_ library/ecdh.o
not grep mbedtls_ecdsa_ library/ecdsa.o
not grep mbedtls_ecjpake_ library/ecjpake.o
# Run the tests
# -------------
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC"
make test
}
component_test_psa_crypto_config_accel_rsa_signature () { component_test_psa_crypto_config_accel_rsa_signature () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
@ -2766,41 +2583,6 @@ component_test_psa_crypto_config_accel_aead () {
make test make test
} }
component_test_psa_crypto_config_accel_pake() {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
# Start with full
scripts/config.py full
# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
loc_accel_list="ALG_JPAKE"
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Make build-in fallback not available
scripts/config.py unset MBEDTLS_ECJPAKE_C
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
# Dynamic secure element support is a deprecated feature and needs to be disabled here.
# This is done to have the same form of psa_key_attributes_s for libdriver and library.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
not grep mbedtls_ecjpake_init library/ecjpake.o
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
make test
}
component_test_psa_crypto_config_no_driver() { component_test_psa_crypto_config_no_driver() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG # full plus MBEDTLS_PSA_CRYPTO_CONFIG
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
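Review bot: The merged `component_test_psa_crypto_config_accel_all_ec_algs_use_psa` builds the main library with `$ASAN_CFLAGS -Werror ...`, whereas the per-algorithm components it replaces passed `-O -Werror`. Unless `$ASAN_CFLAGS` already sets an optimisation level (not visible here), the driver-only build loses the warnings compilers emit only when optimising, such as possibly-uninitialised variables, and those are the diagnostics most likely to catch a mistake in the reworked `#if` guards. I would keep `-O` in that `make CFLAGS=` line. The new reference component also drops the old comment `# Used by tests/scripts/analyze_outcomes.py for comparison purposes.`, which still applies and is worth keeping.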


@ -168,13 +168,16 @@ TASKS = {
} }
} }
}, },
'analyze_driver_vs_reference_ecdsa': { 'analyze_driver_vs_reference_all_ec_algs': {
'test_function': do_analyze_driver_vs_reference, 'test_function': do_analyze_driver_vs_reference,
'args': { 'args': {
'component_ref': 'test_psa_crypto_config_reference_ecdsa_use_psa', 'component_ref': 'test_psa_crypto_config_reference_all_ec_algs_use_psa',
'component_driver': 'test_psa_crypto_config_accel_ecdsa_use_psa', 'component_driver': 'test_psa_crypto_config_accel_all_ec_algs_use_psa',
# ignore the suites of the accelerated components
'ignored_suites': [ 'ignored_suites': [
'ecdsa', # the software implementation that's excluded 'ecdsa',
'ecdh',
'ecjpake',
], ],
'ignored_tests': { 'ignored_tests': {
'test_suite_random': [ 'test_suite_random': [
@ -183,30 +186,6 @@ TASKS = {
} }
} }
}, },
'analyze_driver_vs_reference_ecdh': {
'test_function': do_analyze_driver_vs_reference,
'args': {
'component_ref': 'test_psa_crypto_config_reference_ecdh_use_psa',
'component_driver': 'test_psa_crypto_config_accel_ecdh_use_psa',
'ignored_suites': [
'ecdh', # the software implementation that's excluded
],
'ignored_tests': {
}
}
},
'analyze_driver_vs_reference_ecjpake': {
'test_function': do_analyze_driver_vs_reference,
'args': {
'component_ref': 'test_psa_crypto_config_reference_ecjpake_use_psa',
'component_driver': 'test_psa_crypto_config_accel_ecjpake_use_psa',
'ignored_suites': [
'ecjpake', # the software implementation that's excluded
],
'ignored_tests': {
}
}
},
} }
def main(): def main():