From 465e4ed56b8de28d2fee48408f6538fd33de8b00 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 19:54:53 +0100 Subject: [PATCH] Prioritize SHA2 over MD5 for KNOWN_SUPPORTED_HASH_ALG This fixes the ability to exercise keys in configurations where MD5 is supported for direct use, but not inside some accelerated algorithms. This is the case in `all.sh test_psa_crypto_config_accel_ecc_ecp_light_only` and some other accelerated-ECC components of `all.sh`, where the driver is built without MD5 support but built-in MD5 remains enabled. This is only a hack, not a theoretically correct fix, but a correct fix is out of scope of my current work. Signed-off-by: Gilles Peskine --- tests/include/test/psa_exercise_key.h | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h index 82ef2ad562..7d51a4c536 100644 --- a/tests/include/test/psa_exercise_key.h +++ b/tests/include/test/psa_exercise_key.h @@ -20,15 +20,7 @@ * * This is used in some smoke tests. */ -#if defined(PSA_WANT_ALG_MD5) -#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_MD5 -/* PSA_WANT_ALG_RIPEMD160 omitted. This is necessary for the sake of - * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160 - * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be - * implausible anyway. */ -#elif defined(PSA_WANT_ALG_SHA_1) -#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_1 -#elif defined(PSA_WANT_ALG_SHA_256) +#if defined(PSA_WANT_ALG_SHA_256) #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_256 #elif defined(PSA_WANT_ALG_SHA_384) #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_384 @@ -36,6 +28,14 @@ #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_512 #elif defined(PSA_WANT_ALG_SHA3_256) #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA3_256 +#elif defined(PSA_WANT_ALG_SHA_1) +#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_1 +#elif defined(PSA_WANT_ALG_MD5) +#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_MD5 +/* PSA_WANT_ALG_RIPEMD160 omitted. This is necessary for the sake of + * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160 + * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be + * implausible anyway. */ #else #undef KNOWN_SUPPORTED_HASH_ALG #endif