From f5408f0909a0fe12830686403cbe7aea2181e94a Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Fri, 14 Jun 2024 15:25:46 +0200 Subject: [PATCH 01/14] Enable usage of crypto config in `depends.py` Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) mode change 100755 => 100644 tests/scripts/depends.py diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py old mode 100755 new mode 100644 index 509809965..bb4512973 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -147,7 +147,6 @@ derived.""" log_command(['config.py', 'full']) conf.adapt(config.full_adapter) set_config_option_value(conf, 'MBEDTLS_TEST_HOOKS', colors, False) - set_config_option_value(conf, 'MBEDTLS_PSA_CRYPTO_CONFIG', colors, False) if options.unset_use_psa: set_config_option_value(conf, 'MBEDTLS_USE_PSA_CRYPTO', colors, False) @@ -514,7 +513,10 @@ def main(): choices=['always', 'auto', 'never'], default='auto') parser.add_argument('-c', '--config', metavar='FILE', help='Configuration file to modify', - default='include/mbedtls/mbedtls_config.h') + default=config.MbedTLSConfigFile.default_path[0]) + parser.add_argument('-r', '--crypto-config', metavar='FILE', + help='Crypto configuration file to modify', + default=config.CryptoConfigFile.default_path[0]) parser.add_argument('-C', '--directory', metavar='DIR', help='Change to this directory before anything else', default='.') @@ -541,7 +543,8 @@ def main(): default=True) options = parser.parse_args() os.chdir(options.directory) - conf = config.MbedTLSConfig(options.config) + conf = config.CombinedConfig(config.MbedTLSConfigFile(options.config), + config.CryptoConfigFile(options.crypto_config)) domain_data = DomainData(options, conf) if options.tasks is True: From 035d7c8cfa77d83c132ca668c6ebc5c314202143 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 19 Jun 2024 15:46:21 +0200 Subject: [PATCH 02/14] Move file backup support to `config_common.py` 
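Review bot: The mode change from 100755 to 100644 in this patch's file header leaves tests/scripts/depends.py non-executable at this commit, and neither the argparse hunk nor the CombinedConfig hunk needs it. The component scripts touched later in this series call `tests/scripts/depends.py cipher_id` directly, so at this commit alone those components could not execute the script; PATCH 02/14 switches the mode back to 100755. Dropping the mode change from both patches would keep every commit in the series runnable for bisection. Separately, the defaults for `--config` and `--crypto-config` are no longer literals in the source, so the help text could show them, e.g. `help='Crypto configuration file to modify (default: %(default)s)'`.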
Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) mode change 100644 => 100755 tests/scripts/depends.py diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py old mode 100644 new mode 100755 index bb4512973..09e14c476 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -47,7 +47,6 @@ a full config without a couple of slowing down or unnecessary options import argparse import os import re -import shutil import subprocess import sys import traceback @@ -99,24 +98,6 @@ def log_command(cmd): cmd is a list of strings: a command name and its arguments.""" log_line(' '.join(cmd), prefix='+') -def backup_config(options): - """Back up the library configuration file (mbedtls_config.h). -If the backup file already exists, it is presumed to be the desired backup, -so don't make another backup.""" - if os.path.exists(options.config_backup): - options.own_backup = False - else: - options.own_backup = True - shutil.copy(options.config, options.config_backup) - -def restore_config(options): - """Restore the library configuration file (mbedtls_config.h). -Remove the backup file if it was saved earlier.""" - if options.own_backup: - shutil.move(options.config_backup, options.config) - else: - shutil.copy(options.config_backup, options.config) - def option_exists(conf, option): return option in conf.settings @@ -463,15 +444,13 @@ def run_tests(options, domain_data, conf): domain_data should be a DomainData instance that describes the available domains and jobs. Run the jobs listed in options.tasks.""" - if not hasattr(options, 'config_backup'): - options.config_backup = options.config + '.bak' colors = Colors(options) jobs = [] failures = [] successes = [] for name in options.tasks: jobs += domain_data.get_jobs(name) - backup_config(options) + conf.backup() try: for job in jobs: success = run(options, job, conf, colors=colors) 
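Review bot: `conf.backup()` in run_tests replaces two behaviours of the removed helpers that this patch does not show being preserved: an already existing backup file was kept as the desired backup, and a caller could preset `options.config_backup`. If the new backup() overwrites an existing backup, a run started after an earlier stop-on-error failure would save the failing configuration as the backup and the original configuration would be lost; please confirm this against config_common.py and state the behaviour in the run_tests docstring. The same applies to the `conf.restore()` calls in the next hunk, which presumably now have to put back both the mbedtls and the crypto config file. run_tests begins and ends outside these hunks.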
@@ -482,13 +461,13 @@ Run the jobs listed in options.tasks.""" return False else: successes.append(job.name) - restore_config(options) + conf.restore() except: # Restore the configuration, except in stop-on-error mode if there # was an error, where we leave the failing configuration up for # developer convenience. if options.keep_going: - restore_config(options) + conf.restore() raise if successes: log_line('{} passed'.format(' '.join(successes)), color=colors.bold_green) From 9ce6d244f1dfb53a1f53cffa1b848e81693e2d4d Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 19 Jun 2024 17:47:05 +0200 Subject: [PATCH 03/14] Remove `depends.py` option to use without PSA Also removed test which uses this option. Signed-off-by: Gabor Mezei --- .../components-configuration-crypto.sh | 41 +++---------------- tests/scripts/components-configuration-tls.sh | 5 --- tests/scripts/depends.py | 13 ++---- 3 files changed, 9 insertions(+), 50 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index de8ab2d0c..9cbcddb9c 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh 
@@ -545,62 +545,31 @@ support_build_crypto_baremetal () { # depends.py family of tests component_test_depends_py_cipher_id () { msg "test/build: depends.py cipher_id (gcc)" - tests/scripts/depends.py cipher_id --unset-use-psa + tests/scripts/depends.py cipher_id } component_test_depends_py_cipher_chaining () { msg "test/build: depends.py cipher_chaining (gcc)" - tests/scripts/depends.py cipher_chaining --unset-use-psa + tests/scripts/depends.py cipher_chaining } component_test_depends_py_cipher_padding () { msg "test/build: depends.py cipher_padding (gcc)" - tests/scripts/depends.py cipher_padding --unset-use-psa + tests/scripts/depends.py cipher_padding } component_test_depends_py_curves () { msg "test/build: depends.py curves (gcc)" - tests/scripts/depends.py curves --unset-use-psa + tests/scripts/depends.py curves } component_test_depends_py_hashes () { msg "test/build: depends.py hashes (gcc)" - tests/scripts/depends.py hashes --unset-use-psa + tests/scripts/depends.py hashes } component_test_depends_py_pkalgs () { msg "test/build: depends.py pkalgs (gcc)" - tests/scripts/depends.py pkalgs --unset-use-psa -} - -# PSA equivalents of the depends.py tests -component_test_depends_py_cipher_id_psa () { - msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py cipher_id -} - -component_test_depends_py_cipher_chaining_psa () { - msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py cipher_chaining -} - -component_test_depends_py_cipher_padding_psa () { - msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py cipher_padding -} - -component_test_depends_py_curves_psa () { - msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py curves -} - -component_test_depends_py_hashes_psa () { - msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO 
defined" - tests/scripts/depends.py hashes -} - -component_test_depends_py_pkalgs_psa () { - msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py pkalgs } diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index e1d33ad24..b8834d609 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -721,11 +721,6 @@ component_test_full_minus_session_tickets () { component_test_depends_py_kex () { msg "test/build: depends.py kex (gcc)" - tests/scripts/depends.py kex --unset-use-psa -} - -component_test_depends_py_kex_psa () { - msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" tests/scripts/depends.py kex } diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 09e14c476..b77a2cf1a 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -120,7 +120,7 @@ which will make a symbol defined with a certain value.""" conf.set(option, value) return True -def set_reference_config(conf, options, colors): +def set_reference_config(conf, colors): """Change the library configuration file (mbedtls_config.h) to the reference state. The reference state is the one from which the tested configurations are derived.""" @@ -128,8 +128,6 @@ derived.""" log_command(['config.py', 'full']) conf.adapt(config.full_adapter) set_config_option_value(conf, 'MBEDTLS_TEST_HOOKS', colors, False) - if options.unset_use_psa: - set_config_option_value(conf, 'MBEDTLS_USE_PSA_CRYPTO', colors, False) class Job: """A job builds the library in a specific configuration and runs some tests.""" 
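Review bot: The docstring of set_reference_config still says it changes "the library configuration file (mbedtls_config.h)", but since PATCH 01/14 `conf` is a `config.CombinedConfig` that also wraps the crypto config file. As the signature is being changed here anyway, the first docstring line could become `"""Change the library configuration (mbedtls_config.h and the crypto config file) to the reference state.`. It would also help to add a sentence saying that MBEDTLS_USE_PSA_CRYPTO is now left as the full configuration sets it, since the option that used to unset it is removed in this patch.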
@@ -159,9 +157,9 @@ If what is False, announce that the job has failed.''' else: log_line('starting ' + self.name, color=colors.cyan) - def configure(self, conf, options, colors): + def configure(self, conf, colors): '''Set library configuration options as required for the job.''' - set_reference_config(conf, options, colors) + set_reference_config(conf, colors) for key, value in sorted(self.config_settings.items()): ret = set_config_option_value(conf, key, colors, value) if ret is False: @@ -431,7 +429,7 @@ def run(options, job, conf, colors=NO_COLORS): """Run the specified job (a Job instance).""" subprocess.check_call([options.make_command, 'clean']) job.announce(colors, None) - if not job.configure(conf, options, colors): + if not job.configure(conf, colors): job.announce(colors, False) return False conf.write() @@ -514,9 +512,6 @@ def main(): parser.add_argument('--make-command', metavar='CMD', help='Command to run instead of make (e.g. gmake)', action='store', default='make') - parser.add_argument('--unset-use-psa', - help='Unset MBEDTLS_USE_PSA_CRYPTO before any test', - action='store_true', dest='unset_use_psa') parser.add_argument('tasks', metavar='TASKS', nargs='*', help='The domain(s) or job(s) to test (default: all).', default=True) From 8ec990bc45e078bb9efc115d7df0091b307ebbac Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 31 Jul 2024 17:14:04 +0200 Subject: [PATCH 04/14] Apply config dependecies recursively Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index b77a2cf1a..587dc2c8f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -207,11 +207,9 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ECP_RESTARTABLE', 'MBEDTLS_PK_PARSE_EC_EXTENDED', 'MBEDTLS_PK_PARSE_EC_COMPRESSED', - 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED', 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED'], @@ -221,11 +219,8 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'], - 'MBEDTLS_RSA_C': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT', - 'MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + 'MBEDTLS_RSA_C': ['MBEDTLS_PKCS1_V15', + 'MBEDTLS_PKCS1_V21', 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', @@ -239,7 +234,6 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], - 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [] } # If an option is tested in an exclusive test, alter the following defines. @@ -250,14 +244,10 @@ EXCLUSIVE_GROUPS = { '-MBEDTLS_SSL_TLS_C'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['-MBEDTLS_ECDSA_C', '-MBEDTLS_ECDSA_DETERMINISTIC', - '-MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - '-MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', '-MBEDTLS_ECJPAKE_C', '-MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['-MBEDTLS_ECDSA_C', '-MBEDTLS_ECDSA_DETERMINISTIC', - '-MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - '-MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', '-MBEDTLS_ECJPAKE_C', '-MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ARIA_C': ['-MBEDTLS_CMAC_C'], 
@@ -282,8 +272,11 @@ An option O is turned off if config_settings[O] is False.""" for key, value in sorted(config_settings.items()): if value is not False: continue - for dep in REVERSE_DEPENDENCIES.get(key, []): + revdep = set(REVERSE_DEPENDENCIES.get(key, [])) + while revdep: + dep = revdep.pop() config_settings[dep] = False + revdep.update(REVERSE_DEPENDENCIES.get(dep, [])) class BaseDomain: # pylint: disable=too-few-public-methods, unused-argument """A base class for all domains.""" From 610e6e2aeabb94c09eb1357d0c3a7f5a7d765d1e Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Sat, 3 Aug 2024 14:33:21 +0200 Subject: [PATCH 05/14] Add PSA macro dependencies Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 118 +++++++++++++++++++++++++++++++-------- 1 file changed, 94 insertions(+), 24 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 587dc2c8f..b0ea5c251 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -192,17 +192,55 @@ and subsequent commands are tests that cannot run if the build failed).''' # If the configuration option A requires B, make sure that # B in REVERSE_DEPENDENCIES[A]. -# All the information here should be contained in check_config.h. This -# file includes a copy because it changes rarely and it would be a pain +# All the information here should be contained in check_config.h or check_crypto_config.h. +# This file includes a copy because it changes rarely and it would be a pain # to extract automatically. REVERSE_DEPENDENCIES = { 'MBEDTLS_AES_C': ['MBEDTLS_CTR_DRBG_C', - 'MBEDTLS_NIST_KW_C'], - 'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C'], + 'MBEDTLS_NIST_KW_C', + 'PSA_WANT_KEY_TYPE_AES', + 'PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], + 'MBEDTLS_ARIA_C': ['PSA_WANT_KEY_TYPE_ARIA'], + 'MBEDTLS_CAMELLIA_C': ['PSA_WANT_KEY_TYPE_CAMELLIA'], + 'MBEDTLS_CCM_C': ['PSA_WANT_ALG_CCM', + 'PSA_WANT_ALG_CCM_STAR_NO_TAG'], + 'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C', + 'PSA_WANT_KEY_TYPE_CHACHA20', + 'PSA_WANT_ALG_CHACHA20_POLY1305'], + 'MBEDTLS_CMAC_C': ['PSA_WANT_ALG_CMAC', + 'PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], + 'MBEDTLS_DES_C': ['PSA_WANT_KEY_TYPE_DES'], + 'MBEDTLS_GCM_C': ['PSA_WANT_ALG_GCM'], + + 'MBEDTLS_CIPHER_MODE_CBC': ['PSA_WANT_ALG_CBC_PKCS7', + 'PSA_WANT_ALG_CBC_NO_PADDING'], + 'MBEDTLS_CIPHER_MODE_CFB': ['PSA_WANT_ALG_CFB'], + 'MBEDTLS_CIPHER_MODE_CTR': ['PSA_WANT_ALG_CTR'], + 'MBEDTLS_CIPHER_MODE_OFB': ['PSA_WANT_ALG_OFB'], + + 'MBEDTLS_CIPHER_PADDING_PKCS7': ['PSA_WANT_ALG_CBC_PKCS7'], + + 'MBEDTLS_ECP_DP_BP256R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_256'], + 'MBEDTLS_ECP_DP_BP384R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_384'], + 'MBEDTLS_ECP_DP_BP512R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_512'], + 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_255'], + 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_448'], + 'MBEDTLS_ECP_DP_SECP192R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_192'], + 
'MBEDTLS_ECP_DP_SECP224R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_224'], + 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_ECJPAKE_C', + 'PSA_WANT_ECC_SECP_R1_256'], + 'MBEDTLS_ECP_DP_SECP384R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_384'], + 'MBEDTLS_ECP_DP_SECP512R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_512'], + 'MBEDTLS_ECP_DP_SECP521R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_521'], + 'MBEDTLS_ECP_DP_SECP192K1_ENABLED': ['PSA_WANT_ECC_SECP_K1_192'], + 'MBEDTLS_ECP_DP_SECP256K1_ENABLED': ['PSA_WANT_ECC_SECP_K1_256'], + 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED'], + 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + 'PSA_WANT_ALG_ECDSA', + 'PSA_WANT_ALG_DETERMINISTIC_ECDSA'], 'MBEDTLS_ECP_C': ['MBEDTLS_ECDSA_C', - 'MBEDTLS_ECDH_C', + 'MBEDTLS_ECDH_C', 'PSA_WANT_ALG_ECDH', 'MBEDTLS_ECJPAKE_C', 'MBEDTLS_ECP_RESTARTABLE', 'MBEDTLS_PK_PARSE_EC_EXTENDED', 
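Review bot: The new entry `'MBEDTLS_ECP_DP_SECP512R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_512']` does not look like it names existing options; the 521-bit curve is already covered by the `'MBEDTLS_ECP_DP_SECP521R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_521']` line directly after it. A key that no job ever turns off is dead data, and a misspelled dependent would be set to False without any effect on the build, so please check the line against check_config.h / check_crypto_config.h and drop it if it is a typo. As a style point, `'MBEDTLS_ECDH_C', 'PSA_WANT_ALG_ECDH',` shares one line in the MBEDTLS_ECP_C list, unlike every other entry in the table. The REVERSE_DEPENDENCIES dict continues past this hunk.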
@@ -210,30 +248,58 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED', - 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED'], - 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], + 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED', + 'PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY', + 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC', + 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT', + 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT', + 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE', + 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE'], + 'MBEDTLS_ECJPAKE_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', + 'PSA_WANT_ALG_JPAKE'], + 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT', + 'PSA_WANT_ALG_RSA_OAEP', + 'PSA_WANT_ALG_RSA_PSS'], 'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'], + 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT', + 'PSA_WANT_ALG_RSA_PKCS1V15_SIGN'], 'MBEDTLS_RSA_C': ['MBEDTLS_PKCS1_V15', 'MBEDTLS_PKCS1_V21', - 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], + 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', + 'PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY', + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC', + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT', + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT', + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE'], + + 'MBEDTLS_MD5_C' : ['PSA_WANT_ALG_MD5'], + 'MBEDTLS_RIPEMD160_C' : ['PSA_WANT_ALG_RIPEMD160'], + 'MBEDTLS_SHA1_C' : ['PSA_WANT_ALG_SHA_1'], + 'MBEDTLS_SHA224_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', + 'MBEDTLS_ENTROPY_FORCE_SHA256', + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', + 
'PSA_WANT_ALG_SHA_224'], 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', 'MBEDTLS_LMS_C', - 'MBEDTLS_LMS_PRIVATE'], + 'MBEDTLS_LMS_PRIVATE', + 'PSA_WANT_ALG_SHA_256', + 'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'], + 'MBEDTLS_SHA384_C' : ['PSA_WANT_ALG_SHA_384'], 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], - 'MBEDTLS_SHA224_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', - 'MBEDTLS_ENTROPY_FORCE_SHA256', - 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], + 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', + 'PSA_WANT_ALG_SHA_512'], + 'MBEDTLS_SHA3_C' : ['PSA_WANT_ALG_SHA3_224', + 'PSA_WANT_ALG_SHA3_256', + 'PSA_WANT_ALG_SHA3_384', + 'PSA_WANT_ALG_SHA3_512'], } # If an option is tested in an exclusive test, alter the following defines. @@ -244,15 +310,19 @@ EXCLUSIVE_GROUPS = { '-MBEDTLS_SSL_TLS_C'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['-MBEDTLS_ECDSA_C', '-MBEDTLS_ECDSA_DETERMINISTIC', - '-MBEDTLS_ECJPAKE_C', - '-MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + '-MBEDTLS_ECJPAKE_C',], 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['-MBEDTLS_ECDSA_C', '-MBEDTLS_ECDSA_DETERMINISTIC', - '-MBEDTLS_ECJPAKE_C', - '-MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_ARIA_C': ['-MBEDTLS_CMAC_C'], + '-MBEDTLS_ECJPAKE_C'], + 'MBEDTLS_ARIA_C': ['-MBEDTLS_CMAC_C', + '-MBEDTLS_CCM_C', + '-MBEDTLS_GCM_C', + '-MBEDTLS_SSL_TICKET_C', + '-MBEDTLS_SSL_CONTEXT_SERIALIZATION'], 'MBEDTLS_CAMELLIA_C': ['-MBEDTLS_CMAC_C'], - 'MBEDTLS_CHACHA20_C': ['-MBEDTLS_CMAC_C', '-MBEDTLS_CCM_C', '-MBEDTLS_GCM_C'], + 'MBEDTLS_CHACHA20_C': ['-MBEDTLS_CMAC_C', + '-MBEDTLS_CCM_C', + '-MBEDTLS_GCM_C'], 'MBEDTLS_DES_C': ['-MBEDTLS_CCM_C', '-MBEDTLS_GCM_C', '-MBEDTLS_SSL_TICKET_C', From 8f944851667d14d36c0a3b28bc3e19f525685dac Mon Sep 17 00:00:00 2001 
From: Gabor Mezei Date: Thu, 12 Sep 2024 16:24:38 +0200 Subject: [PATCH 06/14] Fix dependency Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index b0ea5c251..5606403c7 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -218,7 +218,9 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_CIPHER_MODE_CTR': ['PSA_WANT_ALG_CTR'], 'MBEDTLS_CIPHER_MODE_OFB': ['PSA_WANT_ALG_OFB'], - 'MBEDTLS_CIPHER_PADDING_PKCS7': ['PSA_WANT_ALG_CBC_PKCS7'], + 'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C', + 'MBEDTLS_PKCS12_C', + 'PSA_WANT_ALG_CBC_PKCS7'], 'MBEDTLS_ECP_DP_BP256R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_256'], 'MBEDTLS_ECP_DP_BP384R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_384'], From 4e10d6c21d1ae5b550ebd7d57492040db61ff378 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Sat, 3 Aug 2024 14:26:13 +0200 Subject: [PATCH 07/14] Add consistency check for option avalability The PSA and MbedTLS options can switch the same functionality separately so add a check to ensure the cpnsistency. Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 47 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 5606403c7..7d107323b 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -55,6 +55,7 @@ from typing import Union # Add the Mbed TLS Python library directory to the module search path import scripts_path # pylint: disable=unused-import import config +from mbedtls_framework import c_build_helper class Colors: # pylint: disable=too-few-public-methods """Minimalistic support for colored output. 
@@ -166,6 +167,50 @@ If what is False, announce that the job has failed.''' return False return True + def _consistency_check(self): + '''Check if the testable option is consistent with the goal. + + The purpose of this function to ensure that every option is set or unset according to + the settings. + ''' + log_command(['consistency check']) + c_name = None + exe_name = None + header = '#include "mbedtls/build_info.h"\n' + + # Generate a C error directive for each setting to test if it is active + for option, value in sorted(self.config_settings.items()): + header += '#if ' + if value: + header += '!' + header += 'defined(' + option + ')\n' + header += '#error "' + option + '"\n' + header += '#endif\n' + include_path = ['include', 'tf-psa-crypto/include', + 'tf-psa-crypto/drivers/builtin/include'] + + try: + # Generate a C file, build and run it + c_file, c_name, exe_name = c_build_helper.create_c_file(self.name) + c_build_helper.generate_c_file(c_file, 'depends.py', header, lambda x: '') + c_file.close() + c_build_helper.compile_c_file(c_name, exe_name, include_path) + + return True + + except c_build_helper.CompileError as e: + # Read the command line output to find out which setting has been failed + failed = {m.group(1) for m in re.finditer('.*#error "(.*)"', e.message) if m} + log_line('Inconsistent config option(s):') + for option in sorted(failed): + log_line(' ' + option) + + return False + + finally: + c_build_helper.remove_file_if_exists(c_name) + c_build_helper.remove_file_if_exists(exe_name) + def test(self, options): '''Run the job's build and test commands. Return True if all the commands succeed and False otherwise. 
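Review bot: In `_consistency_check`, `c_file.close()` is only reached when `generate_c_file` succeeds, so an exception there leaves the handle open while the `finally` block is already deleting the file; closing it in the `finally` (or in a `with` block, if the object returned by `create_c_file` supports it) avoids that. The `finally` also passes `c_name` and `exe_name` as `None` when `create_c_file` itself raises, which is only safe if `remove_file_if_exists` tolerates `None`; that is not visible here and is worth confirming. The pattern `'.*#error "(.*)"'` is greedy and not a raw string, and the `if m` filter can never be false; `failed = set(re.findall(r'#error "([^"]*)"', e.message))` extracts the option names without over-matching a compiler line that contains more than one quoted string. Note also that the generated `#if defined(X)` test passes trivially for a misspelled option that is expected to be off, so the docstring should not promise that every setting is verified.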
@@ -173,6 +218,8 @@ If options.keep_going is false, stop as soon as one command fails. Otherwise run all the commands, except that if the first command fails, none of the other commands are run (typically, the first command is a build command and subsequent commands are tests that cannot run if the build failed).''' + if not self._consistency_check(): + return False built = False success = True for command in self.commands: From fb06101b9f9330485f506707a42435f4d5d71660 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 24 Sep 2024 18:58:14 +0200 Subject: [PATCH 08/14] Fix recursive dependencies for cross referencing Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 7d107323b..1d00a01ab 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -387,15 +387,23 @@ defines to be altered. """ def turn_off_dependencies(config_settings): """For every option turned off config_settings, also turn off what depends on it. -An option O is turned off if config_settings[O] is False.""" + + An option O is turned off if config_settings[O] is False. + Handle the dependencies recursively. + """ for key, value in sorted(config_settings.items()): if value is not False: continue + + # Save the processed settings to handle cross referencies revdep = set(REVERSE_DEPENDENCIES.get(key, [])) + history = set() while revdep: dep = revdep.pop() + history.add(dep) config_settings[dep] = False - revdep.update(REVERSE_DEPENDENCIES.get(dep, [])) + # Do not add symbols which are already processed + revdep.update(set(REVERSE_DEPENDENCIES.get(dep, [])) - history) class BaseDomain: # pylint: disable=too-few-public-methods, unused-argument """A base class for all domains.""" From 224152eec0323dedcaea8749c677b9d1cae6d5c8 Mon Sep 17 00:00:00 2001 
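Review bot: The docstring of `test` does not mention the new early return: when `_consistency_check()` fails, no build or test command runs and the method returns False regardless of `options.keep_going`. A sentence such as `Before running any command, check that the written configuration matches the job's settings and return False if it does not.` would document that. The body of test continues outside the hunk.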
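Review bot: In `turn_off_dependencies`, the transitive walk assigns `config_settings[dep] = False` to every reachable symbol without checking whether the job had set that symbol to a truthy value on purpose. That overwrite already happened for direct dependents, but the recursion and the PSA_WANT entries widen its reach, and the consistency check compares against the already modified dict, so it would not notice. Logging when a non-False entry is overwritten would make such a job visible. The comment `# Save the processed settings to handle cross referencies` should read `# Remember the symbols already processed so that cross-references terminate`.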
From: Gabor Mezei Date: Thu, 26 Sep 2024 13:01:34 +0200 Subject: [PATCH 09/14] Remove unneeded newlines Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 1d00a01ab..17063c4da 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -195,7 +195,6 @@ If what is False, announce that the job has failed.''' c_build_helper.generate_c_file(c_file, 'depends.py', header, lambda x: '') c_file.close() c_build_helper.compile_c_file(c_name, exe_name, include_path) - return True except c_build_helper.CompileError as e: @@ -204,7 +203,6 @@ If what is False, announce that the job has failed.''' log_line('Inconsistent config option(s):') for option in sorted(failed): log_line(' ' + option) - return False finally: From c9f01cf8b5d5cdf969315c3a5470f339b1e1e56a Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 26 Sep 2024 13:02:01 +0200 Subject: [PATCH 10/14] Use f-string instead of concatenation Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 17063c4da..7cc0f5b5e 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -183,8 +183,8 @@ If what is False, announce that the job has failed.''' header += '#if ' if value: header += '!' - header += 'defined(' + option + ')\n' - header += '#error "' + option + '"\n' + header += f'defined({option})\n' + header += f'#error "{option}"\n' header += '#endif\n' include_path = ['include', 'tf-psa-crypto/include', 'tf-psa-crypto/drivers/builtin/include'] From f10402c0280beff64de042caf9d39580e1b97876 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 7 Oct 2024 16:40:16 +0200 Subject: [PATCH 11/14] Update macro dependencies Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 7cc0f5b5e..3c3691060 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -251,7 +251,8 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_CCM_STAR_NO_TAG'], 'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C', 'PSA_WANT_KEY_TYPE_CHACHA20', - 'PSA_WANT_ALG_CHACHA20_POLY1305'], + 'PSA_WANT_ALG_CHACHA20_POLY1305', + 'PSA_WANT_ALG_STREAM_CIPHER'], 'MBEDTLS_CMAC_C': ['PSA_WANT_ALG_CMAC', 'PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], 'MBEDTLS_DES_C': ['PSA_WANT_KEY_TYPE_DES'], @@ -369,7 +370,8 @@ EXCLUSIVE_GROUPS = { 'MBEDTLS_CAMELLIA_C': ['-MBEDTLS_CMAC_C'], 'MBEDTLS_CHACHA20_C': ['-MBEDTLS_CMAC_C', '-MBEDTLS_CCM_C', - '-MBEDTLS_GCM_C'], + '-MBEDTLS_GCM_C', + '-PSA_WANT_ALG_ECB_NO_PADDING'], 'MBEDTLS_DES_C': ['-MBEDTLS_CCM_C', '-MBEDTLS_GCM_C', '-MBEDTLS_SSL_TICKET_C', From 4fef797450d88f65b7b8c8c461221d2a507275fc Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 9 Oct 2024 15:47:07 +0200 Subject: [PATCH 12/14] Update macro dependencies Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 3c3691060..5eddaae79 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -275,8 +275,9 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_448'], 'MBEDTLS_ECP_DP_SECP192R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_192'], 'MBEDTLS_ECP_DP_SECP224R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_224'], - 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_ECJPAKE_C', - 'PSA_WANT_ECC_SECP_R1_256'], + 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_256', + 'PSA_WANT_ALG_JPAKE', + 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ECP_DP_SECP384R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_384'], 'MBEDTLS_ECP_DP_SECP512R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_512'], 'MBEDTLS_ECP_DP_SECP521R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_521'], 
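Review bot: Replacing `'MBEDTLS_ECJPAKE_C'` with `'PSA_WANT_ALG_JPAKE'` and `'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'` under `'MBEDTLS_ECP_DP_SECP256R1_ENABLED'` (PATCH 12/14) means a job that disables secp256r1 no longer turns off MBEDTLS_ECJPAKE_C itself, only its two dependents. If that is intended, a one-line comment next to the entry would stop a later editor from changing it back, since the table's header comment says it should mirror check_config.h and check_crypto_config.h. The same request applies to `'-PSA_WANT_ALG_ECB_NO_PADDING'` added to the MBEDTLS_CHACHA20_C exclusive group and `'PSA_WANT_ALG_STREAM_CIPHER'` added to its reverse dependencies in PATCH 11/14, whose reasons are not evident from the names or from the commit message "Update macro dependencies".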
From b8a20676a3fc47b3d380028b4c5832b0e6426162 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 21 Oct 2024 14:28:11 +0200 Subject: [PATCH 13/14] Update framework Signed-off-by: Gabor Mezei --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 3eafac12a..d68446c9d 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 3eafac12ae1ddc68cc1f0aefdff540d6d3d5a2fb +Subproject commit d68446c9da02e536279a7aaa5a3c9850742ba30c From 6a986d9122c2e2ccc5b1b02ec60fc2f6d804839e Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 22 Oct 2024 10:43:03 +0200 Subject: [PATCH 14/14] Update coverage datebase With the `depend.py` using the crypto config the `PBKDF2_HMAC` can be enabled so thest cases can be run. The equivalence (synonym) between `PSA_WANT_ALG_RSA_PSS_ANY_SALT` and `PSA_WANT_ALG_RSA_PSS` is now done properly, the test can be run. Dependencies for `MBEDTLS_CIPHER_PADDING_PKCS7' has been updated and now it can be actually disabled. Signed-off-by: Gabor Mezei --- tests/scripts/analyze_outcomes.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 2acf77a95..43982ce81 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -93,10 +93,6 @@ class CoverageTask(outcome_analysis.CoverageTask): 'Opaque key for server authentication: invalid key: ecdh with RSA key, no async', ], 'test_suite_config.mbedtls_boolean': [ - # We never test with CBC/PKCS5/PKCS12 enabled but - # PKCS7 padding disabled. - # https://github.com/Mbed-TLS/mbedtls/issues/9580 - 'Config: !MBEDTLS_CIPHER_PADDING_PKCS7', # https://github.com/Mbed-TLS/mbedtls/issues/9583 'Config: !MBEDTLS_ECP_NIST_OPTIM', # We never test without the PSA client code. Should we? 
@@ -260,10 +256,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # "PSA test case generation: dependency inference class: operation fail" # from https://github.com/Mbed-TLS/mbedtls/pull/9025 . re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'), - # PBKDF2_HMAC is not in the default configuration, so we don't - # enable it in depends.py where we remove hashes. - # https://github.com/Mbed-TLS/mbedtls/issues/9576 - re.compile(r'PSA key_derivation PBKDF2_HMAC\(\w+\): !(?!PBKDF2_HMAC\Z).*'), # We never test with TLS12_PRF or TLS12_PSK_TO_MS disabled # but certain other things enabled. # https://github.com/Mbed-TLS/mbedtls/issues/9577 @@ -277,10 +269,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # key type disabled. Those dependencies don't really make sense. # https://github.com/Mbed-TLS/mbedtls/issues/9573 re.compile(r'.* !HMAC with HMAC'), - # There's something wrong with PSA_WANT_ALG_RSA_PSS_ANY_SALT - # differing from PSA_WANT_ALG_RSA_PSS. - # https://github.com/Mbed-TLS/mbedtls/issues/9578 - re.compile(r'PSA sign RSA_PSS_ANY_SALT.*!(?:MD|RIPEMD|SHA).*'), ], 'test_suite_psa_crypto_storage_format.current': [ PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,