Merge branch 'development-restricted' into copying-pake

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-07-29 11:41:15 +03:00 · 2024-03-06 11:18:28 +00:00
parent 7175d71328 714418f2dc
commit a5175634b0
201 changed files with 10795 additions and 4928 deletions
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@ -150,7 +150,7 @@ def analyze_driver_vs_reference(results: Results, outcomes: Outcomes,
        # but issue an error if they're not (means we have a bad entry).
        ignored = False
        if full_test_suite in ignored_tests:
-            for str_or_re in ignored_tests[test_suite]:
+            for str_or_re in ignored_tests[full_test_suite]:
                if name_matches_pattern(test_string, str_or_re):
                    ignored = True

@ -240,16 +240,16 @@ KNOWN_TASKS = {
            }
        }
    },
-    'analyze_driver_vs_reference_cipher_aead': {
+    'analyze_driver_vs_reference_cipher_aead_cmac': {
        'test_function': do_analyze_driver_vs_reference,
        'args': {
-            'component_ref': 'test_psa_crypto_config_reference_cipher_aead',
-            'component_driver': 'test_psa_crypto_config_accel_cipher_aead',
+            'component_ref': 'test_psa_crypto_config_reference_cipher_aead_cmac',
+            'component_driver': 'test_psa_crypto_config_accel_cipher_aead_cmac',
            # Modules replaced by drivers.
            'ignored_suites': [
                # low-level (block/stream) cipher modules
                'aes', 'aria', 'camellia', 'des', 'chacha20',
-                # AEAD modes
+                # AEAD modes and CMAC
                'ccm', 'chachapoly', 'cmac', 'gcm',
                # The Cipher abstraction layer
                'cipher',
@ -325,6 +325,7 @@ KNOWN_TASKS = {
                # is required.
                'test_suite_ecp': [
                    re.compile(r'ECP check public-private .*'),
+                    re.compile(r'ECP calculate public: .*'),
                    re.compile(r'ECP gen keypair .*'),
                    re.compile(r'ECP point muladd .*'),
                    re.compile(r'ECP point multiplication .*'),
@ -501,6 +502,97 @@ KNOWN_TASKS = {
                ],
            }
        }
+    },
+    'analyze_driver_vs_reference_rsa': {
+        'test_function': do_analyze_driver_vs_reference,
+        'args': {
+            'component_ref': 'test_psa_crypto_config_reference_rsa_crypto',
+            'component_driver': 'test_psa_crypto_config_accel_rsa_crypto',
+            'ignored_suites': [
+                # Modules replaced by drivers.
+                'rsa', 'pkcs1_v15', 'pkcs1_v21',
+                # We temporarily don't care about PK stuff.
+                'pk', 'pkwrite', 'pkparse'
+            ],
+            'ignored_tests': {
+                'test_suite_platform': [
+                    # Incompatible with sanitizers (e.g. ASan). If the driver
+                    # component uses a sanitizer but the reference component
+                    # doesn't, we have a PASS vs SKIP mismatch.
+                    'Check mbedtls_calloc overallocation',
+                ],
+                # Following tests depend on RSA_C but are not about
+                # them really, just need to know some error code is there.
+                'test_suite_error': [
+                    'Low and high error',
+                    'Single high error'
+                ],
+                # Constant time operations only used for PKCS1_V15
+                'test_suite_constant_time': [
+                    re.compile(r'mbedtls_ct_zeroize_if .*'),
+                    re.compile(r'mbedtls_ct_memmove_left .*')
+                ],
+            }
+        }
+    },
+    'analyze_block_cipher_dispatch': {
+        'test_function': do_analyze_driver_vs_reference,
+        'args': {
+            'component_ref': 'test_full_block_cipher_legacy_dispatch',
+            'component_driver': 'test_full_block_cipher_psa_dispatch',
+            'ignored_suites': [
+                # Skipped in the accelerated component
+                'aes', 'aria', 'camellia',
+                # These require AES_C, ARIA_C or CAMELLIA_C to be enabled in
+                # order for the cipher module (actually cipher_wrapper) to work
+                # properly. However these symbols are disabled in the accelerated
+                # component so we ignore them.
+                'cipher.ccm', 'cipher.gcm', 'cipher.aes', 'cipher.aria',
+                'cipher.camellia',
+            ],
+            'ignored_tests': {
+                'test_suite_cmac': [
+                    # Following tests require AES_C/ARIA_C/CAMELLIA_C to be enabled,
+                    # but these are not available in the accelerated component.
+                    'CMAC null arguments',
+                    re.compile('CMAC.* (AES|ARIA|Camellia).*'),
+                ],
+                'test_suite_cipher.padding': [
+                    # Following tests require AES_C/CAMELLIA_C to be enabled,
+                    # but these are not available in the accelerated component.
+                    re.compile('Set( non-existent)? padding with (AES|CAMELLIA).*'),
+                ],
+                'test_suite_pkparse': [
+                    # PEM (called by pkparse) requires AES_C in order to decrypt
+                    # the key, but this is not available in the accelerated
+                    # component.
+                    re.compile('Parse RSA Key.*(password|AES-).*'),
+                ],
+                'test_suite_pem': [
+                    # Following tests require AES_C, but this is diabled in the
+                    # accelerated component.
+                    'PEM read (AES-128-CBC + invalid iv)',
+                    'PEM read (malformed PEM AES-128-CBC)',
+                    'PEM read (unknown encryption algorithm)',
+                ],
+                'test_suite_error': [
+                    # Following tests depend on AES_C but are not about them
+                    # really, just need to know some error code is there.
+                    'Single low error',
+                    'Low and high error',
+                ],
+                'test_suite_version': [
+                    # Similar to test_suite_error above.
+                    'Check for MBEDTLS_AES_C when already present',
+                ],
+                'test_suite_platform': [
+                    # Incompatible with sanitizers (e.g. ASan). If the driver
+                    # component uses a sanitizer but the reference component
+                    # doesn't, we have a PASS vs SKIP mismatch.
+                    'Check mbedtls_calloc overallocation',
+                ],
+            }
+        }
    }
 }

--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@ -22,8 +22,20 @@ EOF
    exit
 fi

-if [ -d library -a -d include -a -d tests ]; then :; else
-    echo "Must be run from Mbed TLS root" >&2
+in_mbedtls_repo () {
+    test -d include -a -d library -a -d programs -a -d tests
+}
+
+in_tf_psa_crypto_repo () {
+    test -d include -a -d core -a -d drivers -a -d programs -a -d tests
+}
+
+if in_mbedtls_repo; then
+    library_dir='library'
+elif in_tf_psa_crypto_repo; then
+    library_dir='core'
+else
+    echo "Must be run from Mbed TLS root or TF-PSA-Crypto root" >&2
    exit 1
 fi

@ -114,19 +126,24 @@ check()
 #   - **/CMakeLists.txt (to (re)build them with cmake)
 #   - scripts/make_generated_files.bat (to generate them under Windows)

-check scripts/generate_errors.pl library/error.c
-check scripts/generate_query_config.pl programs/test/query_config.c
-check scripts/generate_driver_wrappers.py library/psa_crypto_driver_wrappers.h library/psa_crypto_driver_wrappers_no_static.c
-check scripts/generate_features.pl library/version_features.c
-check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
-# generate_visualc_files enumerates source files (library/*.c). It doesn't
-# care about their content, but the files must exist. So it must run after
-# the step that creates or updates these files.
-check scripts/generate_visualc_files.pl visualc/VS2013
+# These checks are common to Mbed TLS and TF-PSA-Crypto
 check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c
 check tests/scripts/generate_bignum_tests.py $(tests/scripts/generate_bignum_tests.py --list)
 check tests/scripts/generate_ecp_tests.py $(tests/scripts/generate_ecp_tests.py --list)
 check tests/scripts/generate_psa_tests.py $(tests/scripts/generate_psa_tests.py --list)
+check scripts/generate_driver_wrappers.py $library_dir/psa_crypto_driver_wrappers.h $library_dir/psa_crypto_driver_wrappers_no_static.c
+
+# Additional checks for Mbed TLS only
+if in_mbedtls_repo; then
+    check scripts/generate_errors.pl library/error.c
+    check scripts/generate_query_config.pl programs/test/query_config.c
+    check scripts/generate_features.pl library/version_features.c
+    check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
+    # generate_visualc_files enumerates source files (library/*.c). It doesn't
+    # care about their content, but the files must exist. So it must run after
+    # the step that creates or updates these files.
+    check scripts/generate_visualc_files.pl visualc/VS2013
+fi

 # Generated files that are present in the repository even in the development
 # branch. (This is intended to be temporary, until the generator scripts are
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@ -105,6 +105,7 @@ class FileIssueTracker:

 BINARY_FILE_PATH_RE_LIST = [
    r'docs/.*\.pdf\Z',
+    r'docs/.*\.png\Z',
    r'programs/fuzz/corpuses/[^.]+\Z',
    r'tests/data_files/[^.]+\Z',
    r'tests/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',
@ -317,6 +318,7 @@ class TabIssueTracker(LineIssueTracker):

    heading = "Tabs present:"
    suffix_exemptions = frozenset([
+        ".make",
        ".pem", # some openssl dumps have tabs
        ".sln",
        "/Makefile",
@ -371,8 +373,9 @@ class LicenseIssueTracker(LineIssueTracker):
        r'(ChangeLog|LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
        # Files imported from TF-M, and not used except in test builds,
        # may be under a different license.
-        r'configs/crypto_config_profile_medium\.h\Z',
-        r'configs/tfm_mbedcrypto_config_profile_medium\.h\Z',
+        r'configs/ext/crypto_config_profile_medium\.h\Z',
+        r'configs/ext/tfm_mbedcrypto_config_profile_medium\.h\Z',
+        r'configs/ext/README\.md\Z',
        # Third-party file.
        r'dco\.txt\Z',
    ]
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@ -381,7 +381,7 @@ class DomainData:

    def __init__(self, options, conf):
        """Gather data about the library and establish a list of domains to test."""
-        build_command = [options.make_command, 'CFLAGS=-Werror']
+        build_command = [options.make_command, 'CFLAGS=-Werror -O2']
        build_and_test = [build_command, [options.make_command, 'test']]
        self.all_config_symbols = set(conf.settings.keys())
        # Find hash modules by name.
--- a/tests/scripts/generate_psa_wrappers.py
+++ b/tests/scripts/generate_psa_wrappers.py
@ -142,9 +142,43 @@ class PSAWrapperGenerator(c_wrapper_generator.Base):
                                    _buffer_name: Optional[str]) -> bool:
        """Whether the specified buffer argument to a PSA function should be copied.
        """
+        #pylint: disable=too-many-return-statements
        if function_name.startswith('psa_pake'):
            return True
-        if function_name == 'psa_cipher_encrypt':
+        if function_name.startswith('psa_aead'):
+            return True
+        if function_name in {'psa_cipher_encrypt', 'psa_cipher_decrypt',
+                             'psa_cipher_update', 'psa_cipher_finish',
+                             'psa_cipher_generate_iv', 'psa_cipher_set_iv'}:
+            return True
+        if function_name in ('psa_key_derivation_output_bytes',
+                             'psa_key_derivation_input_bytes'):
+            return True
+        if function_name in ('psa_import_key',
+                             'psa_export_key',
+                             'psa_export_public_key'):
+            return True
+        if function_name in ('psa_sign_message',
+                             'psa_verify_message',
+                             'psa_sign_hash',
+                             'psa_verify_hash'):
+            return True
+        if function_name in ('psa_hash_update',
+                             'psa_hash_finish',
+                             'psa_hash_verify',
+                             'psa_hash_compute',
+                             'psa_hash_compare'):
+            return True
+        if function_name == 'psa_generate_random':
+            return True
+        if function_name in ('psa_mac_update',
+                             'psa_mac_sign_finish',
+                             'psa_mac_verify_finish',
+                             'psa_mac_compute',
+                             'psa_mac_verify'):
+            return True
+        if function_name in ('psa_asymmetric_encrypt',
+                             'psa_asymmetric_decrypt'):
            return True
        return False

--- a/tests/scripts/test_psa_compliance.py
+++ b/tests/scripts/test_psa_compliance.py
@ -50,12 +50,8 @@ def main(library_build_dir: str):

    in_tf_psa_crypto_repo = build_tree.looks_like_tf_psa_crypto_root(root_dir)

-    if in_tf_psa_crypto_repo:
-        crypto_name = 'tfpsacrypto'
-        library_subdir = 'core'
-    else:
-        crypto_name = 'mbedcrypto'
-        library_subdir = 'library'
+    crypto_name = build_tree.crypto_library_filename(root_dir)
+    library_subdir = build_tree.crypto_core_directory(root_dir, relative=True)

    crypto_lib_filename = (library_build_dir + '/' +
                           library_subdir + '/' +