diff --git a/docs/architecture/testing/driver-interface-test-strategy.md b/docs/architecture/testing/driver-interface-test-strategy.md index 380fd39c43..5fc5e18e6d 100644 --- a/docs/architecture/testing/driver-interface-test-strategy.md +++ b/docs/architecture/testing/driver-interface-test-strategy.md @@ -114,7 +114,7 @@ We should have at least one driver that covers the whole interface: A PKCS#11 driver would be a good candidate. It would be useful as part of our product offering. -## Transparent driver interface testing +## Unified driver interface testing The [unified driver interface](../../proposed/psa-driver-interface.md) defines interfaces for accelerators. @@ -128,6 +128,470 @@ Every cryptographic mechanism for which a transparent driver interface exists (k The driver interface includes a fallback mechanism so that a driver can reject a request at runtime and let another driver handle the request. For each entry point, there must be at least three test runs with two or more drivers available with driver A configured to fall back to driver B, with one run where A returns `PSA_SUCCESS`, one where A returns `PSA_ERROR_NOT_SUPPORTED` and B is invoked, and one where A returns a different error and B is not invoked. -## Entropy and randomness interface testing +### Test drivers -TODO +We have test drivers that are enabled by `PSA_CRYPTO_DRIVER_TEST` (not present +in the usual config files, must be defined on the command line or in a custom +config file). Those test drivers are implemented in `tests/src/drivers/*.c` +and their API is declared in `tests/include/test/drivers/*.h`. + +We have two test driver registered: `mbedtls_test_opaque_driver` and +`mbedtls_test_transparent_driver`. These are described in +`scripts/data_files/driver_jsons/mbedtls_test_xxx_driver.json` (as much as our +JSON support currently allows). Each of the drivers can potentially implement +support for several mechanism; conversely, each of the file mentioned in the +previous paragraph can potentially contribute to both the opaque and the +transparent test driver. + +Each entry point is instrumented to record the number of hits for each part of +the driver (same division as the files) and the status of the last call. It is +also possible to force the next call to return a specified status, and +sometimes more things can be forced: see the various +`mbedtls_test_driver_XXX_hooks_t` structures declared by each driver (and +subsections below). + +The drivers can use one of two back-ends: +- internal: this requires the built-in implementation to be present. +- libtestdriver1: this allows the built-in implementation to be omitted from + the build. + +Historical note: internal was initially the only back-end; then support for +libtestdriver1 was added gradually. Support for libtestdriver1 is now complete +(see following sub-sections), so we could remove internal now. Note it's +useful to have builds with both a driver and the built-in, in order to test +fallback to built-in, which is currently done only with internal, but this can +be achieved with libtestdriver1 just as well. + +Note on instrumentation: originally, when only the internal backend was +available, hits were how we knew that the driver was called, as opposed to +directly calling the built-in code. With libtestdriver1, we can check that by +ensuring that the built-in code is not present, so if the operation gives the +correct result, only a driver call can have calculated that result. So, +nowadays there is low value in checking the hit count. There is still some +value for hit counts, e.g. checking that we don't call a multipart entry point +when we intended to call the one-shot entry point, but it's limited. + +Note: our test drivers tend to provide all possible entry points (with a few +exceptions that may not be intentional, see the next sections). However, in +some cases, when an entry point is not available, the core is supposed to +implement it using other entry points, for example: +- `mac_verify` may use `mac_compute` if the driver does no provide verify; +- for things that have both one-shot and multi-part API, the driver can + provide only the multi-part entry points, and the core is supposed to +implement one-shot on top of it (but still call the one-shot entry points when +they're available); +- `sign/verify_message` can be implemented on top of `sign/verify_hash` for + some algorithms; +- (not sure if the list is exhaustive). + +Ideally, we'd want build options for the test drivers so that we can test with +different combinations of entry points present, and make sure the core behaves +appropriately when some entry points are absent but other entry points allow +implementing the operation. This will remain hard to test until we have proper +support for JSON-defined drivers with auto-generation of dispatch code. +(The `MBEDTLS_PSA_ACCEL_xxx` macros we currently use are not expressive enough +to specify which entry points are supported for a given mechanism.) + +Our implementation of PSA Crypto is structured in a way that the built-in +implementation of each operation follows the driver API, see +[`../architecture/psa-crypto-implementation-structure.md`](../architecture/psa-crypto-implementation-structure.html). +This makes implementing the test drivers very easy: each entry point has a +corresponding `mbedtls_psa_xxx()` function that it can call as its +implementation - with the `libtestdriver1` back-end the function is called +`libtestdriver1_mbedtls_psa_xxx()` instead. + +A nice consequence of that strategy is that when an entry point has +test-driver support, most of the time, it automatically works for all +algorithms and key types supported by the library. (The exception being when +the driver needs to call a different function for different key types, as is +the case with some asymmetric key management operations.) (Note: it's still +useful to test drivers in configurations with partial algorithm support, and +that can still be done by configuring libtestdriver1 and the main library as +desired.) + +The renaming process for `libtestdriver1` is implemented as a few Perl regexes +applied to a copy of the library code, see the `libtestdriver1.a` target in +`tests/Makefile`. Another modification that's done to this copy is appending +`tests/include/test/drivers/crypto_config_test_driver_extension.h` to +`psa/crypto_config.h`. This file reverses the `ACCEL`/`BUILTIN` macros so that +`libtestdriver1` includes as built-in what the main `libmbedcrypto.a` will +have accelerated; see that file's initial comment for details. See also +`helper_libtestdriver1_` functions and the preceding comment in `all.sh` for +how libtestdriver is used in practice. + +This general framework needs specific code for each family of operations. At a +given point in time, not all operations have the same level of support. The +following sub-sections describe the status of the test driver support, mostly +following the structure and order of sections 9.6 and 10.2 to 10.10 of the +[PSA Crypto standard](https://arm-software.github.io/psa-api/crypto/1.1/) as +that is also a natural division for implementing test drivers (that's how the +code is divided into files). + +#### Key management + +The following entry points are declared in `test/drivers/key_management.h`: + +- `"init"` (transparent and opaque) +- `"generate_key"` (transparent and opaque) +- `"export_public_key"` (transparent and opaque) +- `"import_key"` (transparent and opaque) +- `"export_key"` (opaque only) +- `"get_builtin_key"` (opaque only) +- `"copy_key"` (opaque only) + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque's driver implementation status is as follows: +- `"generate_key"`: not implemented, always returns `NOT_SUPPORTED`. +- `"export_public_key"`: implemented only for ECC and RSA keys, both backends. +- `"import_key"`: implemented except for DH keys, both backends. +- `"export_key"`: implemented for built-in keys (ECC and AES), and for + non-builtin keys except DH keys. (Backend not relevant.) +- `"get_builtin_key"`: implemented - provisioned keys: AES-128 and ECC + secp2456r1. (Backend not relevant.) +- `"copy_key"`: implemented - emulates a SE without storage. (Backend not + relevant.) + +Note: the `"init"` entry point is not part of the "key management" family, but +listed here as it's declared and implemented in the same file. With the +transparent driver and the libtestdriver1 backend, it calls +`libtestdriver1_psa_crypto_init()`, which partially but not fully ensures +that this entry point is called before other entry points in the test drivers. +With the opaque driver, this entry point just does nothing an returns success. + +The following entry points are defined by the driver interface but missing +from our test drivers: +- `"allocate_key"`, `"destroy_key"`: this is for opaque drivers that store the + key material internally. + +Note: the instrumentation also allows forcing the output and its length. + +#### Message digests (Hashes) + +The following entry points are declared (transparent only): +- `"hash_compute"` +- `"hash_setup"` +- `"hash_clone"` +- `"hash_update"` +- `"hash_finish"` +- `"hash_abort"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +This familly is not part of the opaque driver as it doesn't use keys. + +#### Message authentication codes (MAC) + +The following entry points are declared (transparent and opaque): +- `"mac_compute"` +- `"mac_sign_setup"` +- `"mac_verify_setup"` +- `"mac_update"` +- `"mac_sign_finish"` +- `"mac_verify_finish"` +- `"mac_abort"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver only implements the instrumentation but not the actual +operations: entry points will always return `NOT_SUPPORTED`, unless another +status is forced. + +The following entry points are not implemented: +- `mac_verify`: this mostly makes sense for opaque drivers; the core will fall + back to using `"mac_compute"` if this is not implemented. So, perhaps +ideally we should test both with `"mac_verify"` implemented and with it not +implemented? Anyway, we have a test gap here. + +#### Unauthenticated ciphers + +The following entry points are declared (transparent and opaque): +- `"cipher_encrypt"` +- `"cipher_decrypt"` +- `"cipher_encrypt_setup"` +- `"cipher_decrypt_setup"` +- `"cipher_set_iv"` +- `"cipher_update"` +- `"cipher_finish"` +- `"cipher_abort"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver is not implemented at all, neither instumentation nor the +operation: entry points always return `NOT_SUPPORTED`. + +Note: the instrumentation also allows forcing a specific output and output +length. + +#### Authenticated encryption with associated data (AEAD) + +The following entry points are declared (transparent only): +- `"aead_encrypt"` +- `"aead_decrypt"` +- `"aead_encrypt_setup"` +- `"aead_decrypt_setup"` +- `"aead_set_nonce"` +- `"aead_set_lengths"` +- `"aead_update_ad"` +- `"aead_update"` +- `"aead_finish"` +- `"aead_verify"` +- `"aead_abort"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver does not implement or even declare entry points for this +family. + +Note: the instrumentation records the number of hits per entry point, not just +the total number of hits for this family. + +#### Key derivation + +Not covered at all by the test drivers. + +That's a test gap which reflects a feature gap: the driver interface does +define a key derivation family of entry points, but we don't currently +implement that part of the driver interface, see #5488 and related issues. + +#### Asymmetric signature + +The following entry points are declared (transparent and opaque): + +- `"sign_message"` +- `"verify_message"` +- `"sign_hash"` +- `"verify_hash"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver is not implemented at all, neither instumentation nor the +operation: entry points always return `NOT_SUPPORTED`. + +Note: the instrumentation also allows forcing a specific output and output +length, and has two instance of the hooks structure: one for sign, the other +for verify. + +Note: when a driver implements only the `"xxx_hash"` entry points, the core is +supposed to implement the `psa_xxx_message()` functions by computing the hash +itself before calling the `"xxx_hash"` entry point. Since the test driver does +implement the `"xxx_message"` entry point, it's not exercising that part of +the core's expected behaviour. + +#### Asymmetric encryption + +The following entry points are declared (transparent and opaque): + +- `"asymmetric_encrypt"` +- `"asymmetric_decrypt"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver implements the declared entry points, and can use any +backend: internal or libtestdriver1. However it does not implement the +instrumentation (hits, forced output/status), as this [was not an immediate +priority](https://github.com/Mbed-TLS/mbedtls/pull/8700#issuecomment-1892466159). + +Note: the instrumentation also allows forcing a specific output and output +length. + +#### Key agreement + +The following entry points are declared (transparent and opaque): + +- `"key_agreement"` + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver is not implemented at all, neither instumentation nor the +operation: entry points always return `NOT_SUPPORTED`. + +Note: the instrumentation also allows forcing a specific output and output +length. + +#### Other cryptographic services (Random number generation) + +Not covered at all by the test drivers. + +The driver interface defines a `"get_entropy"` entry point, as well as a +"Random generation" family of entry points. None of those are currently +implemented in the library. Part of it will be planned for 4.0, see #8150. + +#### PAKE extension + +The following entry points are declared (transparent only): +- `"pake_setup"` +- `"pake_output"` +- `"pake_input"` +- `"pake_get_implicit_key"` +- `"pake_abort"` + +Note: the instrumentation records hits per entry point and allows forcing the +output and its length, as well as forcing the status of setup independently +from the others. + +The transparent driver fully implements the declared entry points, and can use +any backend: internal or libtestdriver1. + +The opaque driver does not implement or even declare entry points for this +family. + +### Driver wrapper test suite + +We have a test suite dedicated to driver dispatch, which takes advantage of the +instrumentation in the test drivers described in the previous section, in +order to check that drivers are called when they're supposed to, and that the +core behaves as expected when they return errors (in particular, that we fall +back to the built-in implementation when the driver returns `NOT_SUPPORTED`). + +This is `test_suite_psa_crypto_driver_wrappers`, which is maintained manually +(that is, the test cases in the `.data` files are not auto-generated). The +entire test suite depends on the test drivers being enabled +(`PSA_CRYPTO_DRIVER_TEST`), which is not the case in the default or full +config. + +The test suite is focused on driver usage (mostly by checking the expected +number of hits) but also does some validation of the results: for +deterministic algorithms, known-answers tests are used, and for the rest, some +consistency checks are done (more or less detailled depending on the algorithm +and build configuration). + +#### Configurations coverage + +The driver wrappers test suite has cases that expect both the driver and the +built-in to be present, and also cases that expect the driver to be present +but not the built-in. As such, it's impossible for a single configuration to +run all test cases, and we need at least two: driver+built-in, and +driver-only. + +- The driver+built-in case is covered by `test_psa_crypto_drivers` in `all.sh`. +This covers all areas (key types and algs) at once. +- The driver-only case is split into multiple `all.sh` components whose names + start with `test_psa_crypto_config_accel`; we have one or more component per +area, see below. + +Here's a summary of driver-only coverage, grouped by families of key types. + +Hash (key types: none) +- `test_psa_crypto_config_accel_hash`: all algs, default config, no parity + testing. +- `test_psa_crypto_config_accel_hash_use_psa`: all algs, full config, with + parity testing. + +HMAC (key type: HMAC) +- `test_psa_crypto_config_accel_hmac`: all algs, full config except a few + exclusions (PKCS5, PKCS7, HMAC-DRBG, legacy HKDF, deterministic ECDSA), with +parity testing. + +Cipher, AEAD and CMAC (key types: DES, AES, ARIA, CHACHA20, CAMELLIA): +- `test_psa_crypto_config_accel_cipher_aead_cmac`: all key types and algs, full + config with a few exclusions (NIST-KW), with parity testing. +- `test_psa_crypto_config_accel_des`: only DES (with all algs), full + config, no parity testing. +- `test_psa_crypto_config_accel_aead`: only AEAD algs (with all relevant key + types), full config, no parity testing. + +Key derivation (key types: `DERIVE`, `RAW_DATA`, `PASSWORD`, `PEPPER`, +`PASSWORD_HASH`): +- No testing as we don't have driver support yet (see previous section). + +RSA (key types: `RSA_KEY_PAIR_xxx`, `RSA_PUBLIC_KEY`): +- `test_psa_crypto_config_accel_rsa_crypto`: all 4 algs (encryption & + signature, v1.5 & v2.1), config `crypto_full`, with parity testing excluding +PK. + +DH (key types: `DH_KEY_PAIR_xxx`, `DH_PUBLIC_KEY`): +- `test_psa_crypto_config_accel_ffdh`: all key types and algs, full config, + with parity testing. +- `test_psa_crypto_config_accel_ecc_ffdh_no_bignum`: with also bignum removed. + +ECC (key types: `ECC_KEY_PAIR_xxx`, `ECC_PUBLIC_KEY`): +- Single algorithm accelerated (both key types, all curves): + - `test_psa_crypto_config_accel_ecdh`: default config, no parity testing. + - `test_psa_crypto_config_accel_ecdsa`: default config, no parity testing. + - `test_psa_crypto_config_accel_pake`: full config, no parity testing. +- All key types, algs and curves accelerated (full config with exceptions, + with parity testing): + - `test_psa_crypto_config_accel_ecc_ecp_light_only`: `ECP_C` mostly disabled + - `test_psa_crypto_config_accel_ecc_no_ecp_at_all`: `ECP_C` fully disabled + - `test_psa_crypto_config_accel_ecc_no_bignum`: `BIGNUM_C` disabled (DH disabled) + - `test_psa_crypto_config_accel_ecc_ffdh_no_bignum`: `BIGNUM_C` disabled (DH accelerated) +- Other - all algs accelerated but only some algs/curves (full config with + exceptions, no parity testing): + - `test_psa_crypto_config_accel_ecc_some_key_types` + - `test_psa_crypto_config_accel_ecc_non_weierstrass_curves` + - `test_psa_crypto_config_accel_ecc_weierstrass_curves` + +Note: `analyze_outcomes.py` provides a list of test cases that are not +executed in any configuration tested on the CI. We're missing driver-only HMAC +testing, but no test is flagged as never executed there; this reveals we don't +have "fallback not available" cases for MAC, see #8565. + +#### Test case coverage + +Since `test_suite_psa_crypto_driver_wrappers.data` is maintained manually, +we need to make sure it exercises all the cases that need to be tested. In the +future, this file should be generated in order to ensure exhaustiveness. + +In the meantime, one way to observe (lack of) completeness is to look at line +coverage in test driver implementaitons - this doesn't reveal all gaps, but it +does reveal cases where we thought about something when writing the test +driver, but not when writing test functions/data. + +Key management: +- `mbedtls_test_transparent_generate_key()` is not tested with RSA keys. +- `mbedtls_test_transparent_import_key()` is not tested with DH keys. +- `mbedtls_test_opaque_import_key()` is not tested with unstructured keys nor + with RSA keys (nor DH keys since that's not implemented). +- `mbedtls_test_opaque_export_key()` is not tested with non-built-in keys. +- `mbedtls_test_transparent_export_public_key()` is not tested with RSA or DH keys. +- `mbedtls_test_opaque_export_public_key()` is not tested with non-built-in keys. +- `mbedtls_test_opaque_copy_key()` is not tested at all. + +Hash: +- `mbedtls_test_transparent_hash_finish()` is not tested with a forced status. + +MAC: +- The following are not tested with a forced status: + - `mbedtls_test_transparent_mac_sign_setup()` + - `mbedtls_test_transparent_mac_verify_setup()` + - `mbedtls_test_transparent_mac_update()` + - `mbedtls_test_transparent_mac_verify_finish()` + - `mbedtls_test_transparent_mac_abort()` +- No opaque entry point is tested (they're not implemented either). + +Cipher: +- The following are not tested with a forced status nor with a forced output: + - `mbedtls_test_transparent_cipher_encrypt()` + - `mbedtls_test_transparent_cipher_finish()` +- No opaque entry point is tested (they're not implemented either). + +AEAD: +- The following are not tested with a forced status: + - `mbedtls_test_transparent_aead_set_nonce()` + - `mbedtls_test_transparent_aead_set_lengths()` + - `mbedtls_test_transparent_aead_update_ad()` + - `mbedtls_test_transparent_aead_update()` + - `mbedtls_test_transparent_aead_finish()` + - `mbedtls_test_transparent_aead_verify()` +- `mbedtls_test_transparent_aead_verify()` is not tested with an invalid tag + (though it might be in another test suite). + +Signature: +- `sign_hash()` is not tested with RSA-PSS +- No opaque entry point is tested (they're not implemented either). + +Key agreement: +- `mbedtls_test_transparent_key_agreement()` is not tested with FFDH. +- No opaque entry point is tested (they're not implemented either). + +PAKE: +- All lines are covered. diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h index 639496be60..f40f83895f 100644 --- a/tests/configs/user-config-for-test.h +++ b/tests/configs/user-config-for-test.h @@ -37,24 +37,61 @@ #endif /* Use the accelerator driver for all cryptographic mechanisms for which - * the test driver implemented. */ + * the test driver is implemented. This is copied from psa/crypto_config.h + * with the parts not implemented by the test driver commented out. */ +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_PASSWORD +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_PASSWORD_HASH +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC #define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA #define MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DES #define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY #define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC #define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT #define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT #define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE -#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR +//#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY + #define MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING #define MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7 -#define MBEDTLS_PSA_ACCEL_ALG_CTR +#define MBEDTLS_PSA_ACCEL_ALG_CCM +#define MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG +#define MBEDTLS_PSA_ACCEL_ALG_CMAC #define MBEDTLS_PSA_ACCEL_ALG_CFB -#define MBEDTLS_PSA_ACCEL_ALG_ECDSA +#define MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 +#define MBEDTLS_PSA_ACCEL_ALG_CTR #define MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA +#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING +#define MBEDTLS_PSA_ACCEL_ALG_ECDH +#define MBEDTLS_PSA_ACCEL_ALG_FFDH +#define MBEDTLS_PSA_ACCEL_ALG_ECDSA +#define MBEDTLS_PSA_ACCEL_ALG_JPAKE +#define MBEDTLS_PSA_ACCEL_ALG_GCM +//#define MBEDTLS_PSA_ACCEL_ALG_HKDF +//#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT +//#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND +#define MBEDTLS_PSA_ACCEL_ALG_HMAC #define MBEDTLS_PSA_ACCEL_ALG_MD5 #define MBEDTLS_PSA_ACCEL_ALG_OFB +//#define MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC +//#define MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128 #define MBEDTLS_PSA_ACCEL_ALG_RIPEMD160 +#define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP +#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT #define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN #define MBEDTLS_PSA_ACCEL_ALG_RSA_PSS #define MBEDTLS_PSA_ACCEL_ALG_SHA_1 @@ -62,9 +99,14 @@ #define MBEDTLS_PSA_ACCEL_ALG_SHA_256 #define MBEDTLS_PSA_ACCEL_ALG_SHA_384 #define MBEDTLS_PSA_ACCEL_ALG_SHA_512 -#define MBEDTLS_PSA_ACCEL_ALG_XTS -#define MBEDTLS_PSA_ACCEL_ALG_CMAC -#define MBEDTLS_PSA_ACCEL_ALG_HMAC +#define MBEDTLS_PSA_ACCEL_ALG_SHA3_224 +#define MBEDTLS_PSA_ACCEL_ALG_SHA3_256 +#define MBEDTLS_PSA_ACCEL_ALG_SHA3_384 +#define MBEDTLS_PSA_ACCEL_ALG_SHA3_512 +#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER +//#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF +//#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS +//#define MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS #endif /* PSA_CRYPTO_DRIVER_TEST_ALL */ diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index dac07acd33..66378e7def 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h @@ -1,9 +1,24 @@ /** - * This file is intended to be used to build PSA test driver libraries. It is - * intended to be appended by the test build system to the crypto_config.h file - * of the Mbed TLS library the test library will be linked to. It mirrors the - * PSA_ACCEL_* macros defining the cryptographic operations the test library - * supports. + * This file is intended to be used to build PSA external test driver + * libraries (libtestdriver1). + * + * It is intended to be appended by the test build system to the + * crypto_config.h file of the Mbed TLS library the test library will be + * linked to (see `tests/Makefile` libtestdriver1 target). This is done in + * order to insert it at the right time: after the main configuration + * (PSA_WANT) but before the logic that determines what built-ins to enable + * based on PSA_WANT and MBEDTLS_PSA_ACCEL macros. + * + * It reverses the PSA_ACCEL_* macros defining the cryptographic operations + * that will be accelerated in the main library: + * - When something is accelerated in the main library, we need it supported + * in libtestdriver1, so we disable the accel macro in order to the built-in + * to be enabled. + * - When something is NOT accelerated in the main library, we don't need it + * in libtestdriver1, so we enable its accel macro in order to the built-in + * to be disabled, to keep libtestdriver1 minimal. (We can't adjust the + * PSA_WANT macros as they need to be the same between libtestdriver1 and + * the main library, since they determine the ABI between the two.) */ #include "psa/crypto_legacy.h" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b12a86fa92..2c800ffb09 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -916,6 +916,39 @@ helper_libtestdriver1_adjust_config() { fi } +# Build the drivers library libtestdriver1.a (with ASan). +# +# Parameters: +# 1. a space-separated list of things to accelerate; +# 2. optional: a space-separate list of things to also support. +# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. +helper_libtestdriver1_make_drivers() { + loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" +} + +# Build the main libraries, programs and tests, +# linking to the drivers library (with ASan). +# +# Parameters: +# 1. a space-separated list of things to accelerate; +# *. remaining arguments if any are passed directly to make +# (examples: lib, -C tests test_suite_xxx, etc.) +# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. +helper_libtestdriver1_make_main() { + loc_accel_list=$1 + shift + + # we need flags both with and without the LIBTESTDRIVER1_ prefix + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@" +} + +################################################################ +#### Configuration helpers +################################################################ + # When called with no parameter this function disables all builtin curves. # The function optionally accepts 1 parameter: a space-separated list of the # curves that should be kept enabled. @@ -969,35 +1002,6 @@ helper_get_psa_key_type_list() { echo "$loc_list" } -# Build the drivers library libtestdriver1.a (with ASan). -# -# Parameters: -# 1. a space-separated list of things to accelerate; -# 2. optional: a space-separate list of things to also support. -# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. -helper_libtestdriver1_make_drivers() { - loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" -} - -# Build the main libraries, programs and tests, -# linking to the drivers library (with ASan). -# -# Parameters: -# 1. a space-separated list of things to accelerate; -# *. remaining arguments if any are passed directly to make -# (examples: lib, -C tests test_suite_xxx, etc.) -# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. -helper_libtestdriver1_make_main() { - loc_accel_list=$1 - shift - - # we need flags both with and without the LIBTESTDRIVER1_ prefix - loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@" -} - ################################################################ #### Basic checks ################################################################ @@ -3705,26 +3709,6 @@ component_test_psa_crypto_config_accel_hash () { make test } -component_test_psa_crypto_config_accel_hash_keep_builtins () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" - # This component ensures that all the test cases for - # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run. - - loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ - ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - # Start from default config (no USE_PSA) - helper_libtestdriver1_adjust_config "default" - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" - make test -} - # Auxiliary function to build config for hashes with and without drivers config_psa_crypto_hash_use_psa () { driver_only="$1" @@ -4178,254 +4162,6 @@ component_test_ccm_aes_sha256() { make test } -# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. -component_build_psa_accel_alg_ecdh() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. -component_build_psa_accel_alg_hmac() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. -component_build_psa_accel_alg_hkdf() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_HKDF_C - # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. -component_build_psa_accel_alg_md5() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. -component_build_psa_accel_alg_ripemd160() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. -component_build_psa_accel_alg_sha1() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. -component_build_psa_accel_alg_sha224() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. -component_build_psa_accel_alg_sha256() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. -component_build_psa_accel_alg_sha384() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. -component_build_psa_accel_alg_sha512() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_pkcs1v15_sign() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_oaep() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_pss() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_key_type_rsa_key_pair() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_key_type_rsa_public_key() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - - support_build_tfm_armcc () { support_build_armcc } diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index a0b6c1cb0c..52395e4d0e 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -1,5 +1,5 @@ /* - * Test driver for MAC entry points. + * Test driver for PAKE entry points. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later