diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index f1f53e3ca..77c6ef511 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2070,8 +2070,8 @@ component_test_psa_crypto_config_accel_ecdsa () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - # Configure and build the test driver library - # ------------------------------------------- + # Configure and build the main libraries + # -------------------------------------- # Start from default config (no USE_PSA) + driver support + TLS 1.3 scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -2089,7 +2089,7 @@ component_test_psa_crypto_config_accel_ecdsa () { loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - # Make sure ECDSA was not re-enabled by accident (additive config) + # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ library/ecdsa.o # Run the tests @@ -2099,7 +2099,7 @@ component_test_psa_crypto_config_accel_ecdsa () { make test } -# Auxiliary function to build config for hashes with and without drivers +# Auxiliary function to build config for ECDSA with and without drivers config_psa_crypto_config_ecdsa_use_psa () { DRIVER_ONLY="$1" # start with config full for maximum coverage (also enables USE_PSA) @@ -2190,35 +2190,149 @@ component_test_psa_crypto_config_reference_ecdsa_use_psa () { component_test_psa_crypto_config_accel_ecdh () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + + # Configure and build the test driver library + # ------------------------------------------- + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having # partial support for cipher operations in the driver test library. scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + # Configure and build the main libraries + # -------------------------------------- + + # Start from default config (no USE_PSA or TLS 1.3) + driver support scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + # Disable the module that's accelerated scripts/config.py unset MBEDTLS_ECDH_C + + # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + # Build the main library loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + # Make sure this was not re-enabled by accident (additive config) not grep mbedtls_ecdh_ library/ecdh.o + # Run the tests + # ------------- + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" make test } +# Auxiliary function to build config for ECDH with and without drivers. +# +# This is used by the two following components to ensure they always use the +# same config, except for the use of driver or built-in ECDH: +# - component_test_psa_crypto_config_accel_ecdh_use_psa; +# - component_test_psa_crypto_config_reference_ecdh_use_psa. +# This support comparing their test coverage with analyze_outcomes.py. +config_psa_crypto_config_ecdh_use_psa () { + DRIVER_ONLY="$1" + # start with config full for maximum coverage (also enables USE_PSA) + scripts/config.py full + # enable support for drivers and configuring PSA-only algorithms + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + if [ "$DRIVER_ONLY" -eq 1 ]; then + # Disable the module that's accelerated + scripts/config.py unset MBEDTLS_ECDH_C + fi + # Disable things that depend on it (regardless of driver or built-in) + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + # Note: the above two lines should be enough, but currently there's a bug + # that prevents tests from passing TLS 1.3 with only PSK (no ephemeral) + # when TLS 1.2 is also enabled, see #6848. + # So, as a temporary measure disable all of TLS 1.3. + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE +} + +# Keep in sync with component_test_psa_crypto_config_reference_ecdh_use_psa +component_test_psa_crypto_config_accel_ecdh_use_psa () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + + # Configure and build the test driver library + # ------------------------------------------- + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + # Configure and build the main libraries + # -------------------------------------- + + # Use the same config as reference, only without built-in ECDH + config_psa_crypto_config_ecdh_use_psa 1 + + # Build the main library + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_ecdh_ library/ecdh.o + + # Run the tests + # ------------- + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA" + make test + + # ssl-opt.sh later (probably doesn't pass right now) +} + +# Keep in sync with component_test_psa_crypto_config_accel_ecdh_use_psa. +# Used by tests/scripts/analyze_outcomes.py for comparison purposes. +component_test_psa_crypto_config_reference_ecdh_use_psa () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA" + + # To be aligned with the accel component that needs this + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + config_psa_crypto_config_ecdh_use_psa 0 + + make + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA" + make test + + # ssl-opt.sh later when the accel component is ready +} + component_test_psa_crypto_config_accel_rsa_signature () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 44c62f71f..3fd24e98d 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -183,6 +183,18 @@ TASKS = { } } }, + 'analyze_driver_vs_reference_ecdh': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_config_reference_ecdh_use_psa', + 'component_driver': 'test_psa_crypto_config_accel_ecdh_use_psa', + 'ignored_suites': [ + 'ecdh', # the software implementation that's excluded + ], + 'ignored_tests': { + } + } + }, } def main(): diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index cfcdac102..7b55c5f86 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1061,7 +1061,7 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MB raw_agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_FFDH:PSA_ERROR_NOT_PERMITTED PSA key policy: raw agreement, key permits raw agreement, but algorithm is not raw -depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_ECDH_C +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 raw_agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_SUPPORTED PSA key policy: raw agreement, key specifies KDF @@ -6400,7 +6400,7 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_INVALID_ARGUMENT PSA key agreement setup: ECDH, unknown KDF -depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_ECDH_C +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_NOT_SUPPORTED PSA key agreement setup: bad key agreement algorithm