Fix edge case with half-supported ECDSA

ECDSA has two variants: deterministic (PSA_ALG_DETERMINISTIC_ECDSA) and randomized (PSA_ALG_ECDSA). The two variants are different for signature but identical for verification. Mbed TLS accepts either variant as the algorithm parameter for verification even when only the other variant is supported, so we need to handle this as a special case when generating not-supported test cases. In this commit: * Automatically generated not-supported test cases for ECDSA now require both variants to be disabled. * Add manually written not-supported test cases for the signature operation when exactly one variant is supported. * Add manually written positive test cases for the verification operation when exactly one variant is supported. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-30 22:43:08 +03:00 · 2024-04-19 19:08:34 +02:00
parent 47398e06ef
commit 9ffffab4d6
6 changed files with 579 additions and 511 deletions
--- a/scripts/mbedtls_dev/psa_information.py
+++ b/scripts/mbedtls_dev/psa_information.py
@ -174,9 +174,16 @@ class TestCase(test_case.TestCase):
        """Set test case arguments and automatically infer dependencies."""
        super().set_arguments(arguments)
        dependencies = automatic_dependencies(*arguments)
-        for i in range(len(dependencies)): #pylint: disable=consider-using-enumerate
-            if dependencies[i] in self.negated_dependencies:
-                dependencies[i] = '!' + dependencies[i]
+        # In test cases for not-supported features, the dependencies for
+        # the not-supported feature(s) must be negated. We make sure that
+        # all negated dependencies are present in the result, even in edge
+        # cases where they would not be detected automatically (for example,
+        # to restrict ECDSA-not-supported test cases to configurations
+        # where neither deterministic ECDSA nor randomized ECDSA are supported,
+        # to avoid the edge case that both ECDSA verifications are the same).
+        dependencies = ([dep for dep in dependencies
+                         if dep not in self.negated_dependencies] +
+                        ['!' + dep for dep in self.negated_dependencies])
        if self.key_bits is not None:
            dependencies = finish_family_dependencies(dependencies, self.key_bits)
        self.dependencies += sorted(dependencies)