diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index bafca0a838..d24da47ded 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2410,6 +2410,113 @@ component_test_psa_crypto_config_reference_ecjpake_use_psa () { tests/ssl-opt.sh } +# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, +# ECDH, ECDSA) with and without drivers. +# +# This is used by the two following components to ensure they always use the +# same config, except for the use of driver or built-in EC algorithms: +# - component_test_psa_crypto_config_accel_all_ec_algs_use_psa; +# - component_test_psa_crypto_config_reference_all_ec_algs_use_psa. +# This support comparing their test coverage with analyze_outcomes.py. +config_psa_crypto_config_all_ec_algs_use_psa () { + DRIVER_ONLY="$1" + # start with config full for maximum coverage (also enables USE_PSA) + scripts/config.py full + # enable support for drivers and configuring PSA-only algorithms + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + if [ "$DRIVER_ONLY" -eq 1 ]; then + # Disable modules that are accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + fi + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C +} + +# Keep in sync with component_test_psa_crypto_config_reference_all_ec_algs_use_psa +component_test_psa_crypto_config_accel_all_ec_algs_use_psa () { + msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + + # Configure and build the test driver library + # ------------------------------------------- + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + # SHA-1 and all variants of SHA-2 are needed for ECDSA and X.509 tests. + # Note = we are NOT adding these ALG_SHA_xxx to the "loc_accel_flags" list + # because we need that support on the driver side (ex: hash-and-sign + # algorithms), but we do not want to accelerate other hash only tests. + # Indeed the same "loc_accel_list" variable is also used later when + # building the library. + loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_1" + loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224" + loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_256" + loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_384" + loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_512" + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + # Configure and build the main libraries with drivers enabled + # ----------------------------------------------------------- + + # Use the same config as reference, only without built-in EC algs + config_psa_crypto_config_all_ec_algs_use_psa 1 + + # Build the library + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + # Make sure any built-in EC alg was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecjpake_ library/ecjpake.o + + # Run the tests + # ------------- + + msg "test suites: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA" + make test + + msg "ssl-opt: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated EC algs + USE_PSA" + tests/ssl-opt.sh +} + +# Keep in sync with component_test_psa_crypto_config_accel_all_ec_algs_use_psa +component_test_psa_crypto_config_reference_all_ec_algs_use_psa () { + msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA" + + # To be aligned with the accel component that needs this + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + config_psa_crypto_config_all_ec_algs_use_psa 0 + + make + + msg "test suites: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA" + make test + + msg "ssl-opt: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs + USE_PSA" + tests/ssl-opt.sh +} + component_test_psa_crypto_config_accel_ecc () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECC" diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 800b744cae..0b8e7a30cb 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -207,6 +207,24 @@ TASKS = { } } }, + 'analyze_driver_vs_reference_all_ec_algs': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_config_reference_all_ec_algs_use_psa', + 'component_driver': 'test_psa_crypto_config_accel_all_ec_algs_use_psa', + # ignore the suites of the accelerated components + 'ignored_suites': [ + 'ecdsa', + 'ecdh', + 'ecjpake', + ], + 'ignored_tests': { + 'test_suite_random': [ + 'PSA classic wrapper: ECDSA signature (SECP256R1)', + ], + } + } + }, } def main():