Merge pull request #9830 from gilles-peskine-arm/9798-backport-3.6
Backport 3.6: Added debug print in tls13 ssl_tls13_write_key_share_ext
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c6d31dc..99e2169 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -315,7 +315,7 @@
endif()
if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/framework/CMakeLists.txt")
- if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git/")
+ if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git")
message(FATAL_ERROR "${CMAKE_CURRENT_SOURCE_DIR}CMakeLists.txt not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.")
else ()
message(FATAL_ERROR "${CMAKE_CURRENT_SOURCE_DIR}/CMakeLists.txt not found (and does not appear to be a git checkout). Please ensure you have downloaded the right archive from the release page on GitHub.")
@@ -354,18 +354,18 @@
if(GEN_FILES)
add_custom_command(
OUTPUT
- ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/src/test_keys.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/tests
COMMAND
"${MBEDTLS_PYTHON_EXECUTABLE}"
"${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py"
"--output"
- "${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/src/test_keys.h"
+ "${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h"
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py
)
- add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/src/test_keys.h)
+ add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h
diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt
new file mode 100644
index 0000000..538f0c5
--- /dev/null
+++ b/ChangeLog.d/fix-aesni-asm-clobbers.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix missing constraints on the AES-NI inline assembly which is used on
+ GCC-like compilers when building AES for generic x86_64 targets. This
+ may have resulted in incorrect code with some compilers, depending on
+ optimizations. Fixes #9819.
diff --git a/Makefile b/Makefile
index 4615a44..e0edde4 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@
ifeq (,$(wildcard framework/exported.make))
# Use the define keyword to get a multi-line message.
# GNU make appends ". Stop.", so tweak the ending of our message accordingly.
- ifeq (,$(wildcard .git))
+ ifneq (,$(wildcard .git))
define error_message
${MBEDTLS_PATH}/framework/exported.make not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.
This is a fatal error
@@ -91,6 +91,8 @@
# present before it runs. It doesn't matter if the files aren't up-to-date,
# they just need to be present.
$(VISUALC_FILES): | library/generated_files
+$(VISUALC_FILES): | programs/generated_files
+$(VISUALC_FILES): | tests/generated_files
$(VISUALC_FILES): $(gen_file_dep) scripts/generate_visualc_files.pl
$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-app-template.vcxproj
$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-main-template.vcxproj
diff --git a/docs/architecture/psa-migration/strategy.md b/docs/architecture/psa-migration/strategy.md
index a89fe67..5c5d83f 100644
--- a/docs/architecture/psa-migration/strategy.md
+++ b/docs/architecture/psa-migration/strategy.md
@@ -36,7 +36,9 @@
We currently have a few compile-time options that are relevant to the migration:
- `MBEDTLS_PSA_CRYPTO_C` - enabled by default, controls the presence of the PSA
- Crypto APIs.
+ Crypto APIs with their implementations. (Builds with only
+ `MBEDTLS_PSA_CRYPTO_CLIENT`, where PSA crypto APIs are present but
+ implemented via third-party code, are out of scope of this document.)
- `MBEDTLS_USE_PSA_CRYPTO` - disabled by default (enabled in "full" config),
controls usage of PSA Crypto APIs to perform operations in X.509 and TLS
(G1 above), as well as the availability of some new APIs (G2 above).
diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index 6bd9262..e85496a 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md
@@ -278,9 +278,11 @@
removing builtin support (i.e. `MBEDTLS_DHM_C`).
Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the
-Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer
-of Mbed TLS only supports DHE cipher suites if built-in FFDH
+Mbed TLS legacy API supports custom groups. As a consequence, the TLS 1.2
+layer of Mbed TLS only supports DHE cipher suites if built-in FFDH
(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+(The TLS 1.3 layer uses PSA, and this is not a limitation because the
+protocol does not allow custom FFDH groups.)
RSA
---
diff --git a/framework b/framework
index df0144c..81dfe00 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit df0144c4a3c0fc9beea606afde07cf8708233675
+Subproject commit 81dfe001e19c8d2c09d2ac1df2f5d655b0f04a7d
diff --git a/library/aesni.c b/library/aesni.c
index 8e5bd55..4fc1cb9 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -489,7 +489,7 @@
"movdqu %%xmm0, (%4) \n\t" // export output
:
: "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
- : "memory", "cc", "xmm0", "xmm1");
+ : "memory", "cc", "xmm0", "xmm1", "0", "1");
return 0;
@@ -679,7 +679,7 @@
AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
:
: "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "0");
}
/*
@@ -737,7 +737,7 @@
:
: "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
@@ -805,7 +805,7 @@
AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
:
: "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f0ccf3d..2bbe3a5 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2319,6 +2319,58 @@
/* Message digests */
/****************************************************************/
+static int is_hash_supported(psa_algorithm_t alg)
+{
+ switch (alg) {
+#if defined(PSA_WANT_ALG_MD5)
+ case PSA_ALG_MD5:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+ return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+ return 1;
+#endif
+ default:
+ return 0;
+ }
+}
+
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
{
/* Aborting a non-active operation is allowed */
@@ -2962,16 +3014,44 @@
if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
+ }
- if (PSA_ALG_IS_SIGN_HASH(alg)) {
- if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
- } else {
- if (!PSA_ALG_IS_SIGN_HASH(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
+ psa_algorithm_t hash_alg = 0;
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ }
+
+ /* Now hash_alg==0 if alg by itself doesn't need a hash.
+ * This is good enough for sign-hash, but a guaranteed failure for
+ * sign-message which needs to hash first for all algorithms
+ * supported at the moment. */
+
+ if (hash_alg == 0 && input_is_message) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (hash_alg == PSA_ALG_ANY_HASH) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ /* Give up immediately if the hash is not supported. This has
+ * several advantages:
+ * - For mechanisms that don't use the hash at all (e.g.
+ * ECDSA verification, randomized ECDSA signature), without
+ * this check, the operation would succeed even though it has
+ * been given an invalid argument. This would not be insecure
+ * since the hash was not necessary, but it would be weird.
+ * - For mechanisms that do use the hash, we avoid an error
+ * deep inside the execution. In principle this doesn't matter,
+ * but there is a little more risk of a bug in error handling
+ * deep inside than in this preliminary check.
+ * - When calling a driver, the driver might be capable of using
+ * a hash that the core doesn't support. This could potentially
+ * result in a buffer overflow if the hash is larger than the
+ * maximum hash size assumed by the core.
+ * - Returning a consistent error makes it possible to test
+ * not-supported hashes in a consistent way.
+ */
+ if (hash_alg != 0 && !is_hash_supported(hash_alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
}
return PSA_SUCCESS;
@@ -3852,6 +3932,34 @@
* defined( MBEDTLS_ECP_RESTARTABLE ) */
}
+/* Detect supported interruptible sign/verify mechanisms precisely.
+ * This is not strictly needed: we could accept everything, and let the
+ * code fail later during complete() if the mechanism is unsupported
+ * (e.g. attempting deterministic ECDSA when only the randomized variant
+ * is available). But it's easier for applications and especially for our
+ * test code to detect all not-supported errors during start().
+ *
+ * Note that this function ignores the hash component. The core code
+ * is supposed to check the hash part by calling is_hash_supported().
+ */
+static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg)
+{
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
+ if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) {
+ return 1;
+ }
+#endif
+#endif /* defined(MBEDTLS_ECP_RESTARTABLE) */
+ (void) alg;
+ return 0;
+}
+
psa_status_t mbedtls_psa_sign_hash_start(
mbedtls_psa_sign_hash_interruptible_operation_t *operation,
const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
@@ -3865,7 +3973,7 @@
return PSA_ERROR_NOT_SUPPORTED;
}
- if (!PSA_ALG_IS_ECDSA(alg)) {
+ if (!can_do_interruptible_sign_verify(alg)) {
return PSA_ERROR_NOT_SUPPORTED;
}
@@ -4081,7 +4189,7 @@
return PSA_ERROR_NOT_SUPPORTED;
}
- if (!PSA_ALG_IS_ECDSA(alg)) {
+ if (!can_do_interruptible_sign_verify(alg)) {
return PSA_ERROR_NOT_SUPPORTED;
}
diff --git a/scripts/code_style.py b/scripts/code_style.py
deleted file mode 100755
index e98fb2b..0000000
--- a/scripts/code_style.py
+++ /dev/null
@@ -1,277 +0,0 @@
-#!/usr/bin/env python3
-"""Check or fix the code style by running Uncrustify.
-
-This script must be run from the root of a Git work tree containing Mbed TLS.
-"""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-import argparse
-import os
-import re
-import subprocess
-import sys
-from typing import FrozenSet, List, Optional
-
-UNCRUSTIFY_SUPPORTED_VERSION = "0.75.1"
-CONFIG_FILE = ".uncrustify.cfg"
-UNCRUSTIFY_EXE = "uncrustify"
-UNCRUSTIFY_ARGS = ["-c", CONFIG_FILE]
-CHECK_GENERATED_FILES = "tests/scripts/check-generated-files.sh"
-
-def print_err(*args):
- print("Error: ", *args, file=sys.stderr)
-
-# Print the file names that will be skipped and the help message
-def print_skip(files_to_skip):
- print()
- print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n")
- print("Warning: The listed files will be skipped because\n"
- "they are not known to git.")
- print()
-
-# Match FILENAME(s) in "check SCRIPT (FILENAME...)"
-CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)",
- re.ASCII)
-def list_generated_files() -> FrozenSet[str]:
- """Return the names of generated files.
-
- We don't reformat generated files, since the result might be different
- from the output of the generator. Ideally the result of the generator
- would conform to the code style, but this would be difficult, especially
- with respect to the placement of line breaks in long logical lines.
- """
- # Parse check-generated-files.sh to get an up-to-date list of
- # generated files. Read the file rather than calling it so that
- # this script only depends on Git, Python and uncrustify, and not other
- # tools such as sh or grep which might not be available on Windows.
- # This introduces a limitation: check-generated-files.sh must have
- # the expected format and must list the files explicitly, not through
- # wildcards or command substitution.
- content = open(CHECK_GENERATED_FILES, encoding="utf-8").read()
- checks = re.findall(CHECK_CALL_RE, content)
- return frozenset(word for s in checks for word in s.split())
-
-# Check for comment string indicating an auto-generated file
-AUTOGEN_RE = re.compile(r"Warning[ :-]+This file is (now )?auto[ -]?generated",
- re.ASCII | re.IGNORECASE)
-def is_file_autogenerated(filename):
- content = open(filename, encoding="utf-8").read()
- return AUTOGEN_RE.search(content) is not None
-
-def get_src_files(since: Optional[str]) -> List[str]:
- """
- Use git to get a list of the source files.
-
- The optional argument since is a commit, indicating to only list files
- that have changed since that commit. Without this argument, list all
- files known to git.
-
- Only C files are included, and certain files (generated, or 3rdparty)
- are excluded.
- """
- file_patterns = ["*.[hc]",
- "tests/suites/*.function",
- "scripts/data_files/*.fmt"]
- output = subprocess.check_output(["git", "ls-files"] + file_patterns,
- universal_newlines=True)
- src_files = output.split()
-
- # When this script is called from a git hook, some environment variables
- # are set by default which force all git commands to use the main repository
- # (i.e. prevent us from performing commands on the framework repo).
- # Create an environment without these variables for running commands on the
- # framework repo.
- framework_env = os.environ.copy()
- # Get a list of environment vars that git sets
- git_env_vars = subprocess.check_output(["git", "rev-parse", "--local-env-vars"],
- universal_newlines=True)
- # Remove the vars from the environment
- for var in git_env_vars.split():
- framework_env.pop(var, None)
-
- output = subprocess.check_output(["git", "-C", "framework", "ls-files"]
- + file_patterns,
- universal_newlines=True,
- env=framework_env)
- framework_src_files = output.split()
-
- if since:
- # get all files changed in commits since the starting point in ...
- # ... the main repository
- cmd = ["git", "log", since + "..HEAD", "--ignore-submodules",
- "--name-only", "--pretty=", "--"] + src_files
- output = subprocess.check_output(cmd, universal_newlines=True)
- committed_changed_files = output.split()
-
- # ... the framework submodule
- framework_since = get_submodule_hash(since, "framework")
- cmd = ["git", "-C", "framework", "log", framework_since + "..HEAD",
- "--name-only", "--pretty=", "--"] + framework_src_files
- output = subprocess.check_output(cmd, universal_newlines=True,
- env=framework_env)
- committed_changed_files += ["framework/" + s for s in output.split()]
-
- # and also get all files with uncommitted changes in ...
- # ... the main repository
- cmd = ["git", "diff", "--name-only", "--"] + src_files
- output = subprocess.check_output(cmd, universal_newlines=True)
- uncommitted_changed_files = output.split()
- # ... the framework submodule
- cmd = ["git", "-C", "framework", "diff", "--name-only", "--"] + \
- framework_src_files
- output = subprocess.check_output(cmd, universal_newlines=True,
- env=framework_env)
- uncommitted_changed_files += ["framework/" + s for s in output.split()]
-
- src_files = committed_changed_files + uncommitted_changed_files
- else:
- src_files += ["framework/" + s for s in framework_src_files]
-
- generated_files = list_generated_files()
- # Don't correct style for third-party files (and, for simplicity,
- # companion files in the same subtree), or for automatically
- # generated files (we're correcting the templates instead).
- src_files = [filename for filename in src_files
- if not (filename.startswith("3rdparty/") or
- filename in generated_files or
- is_file_autogenerated(filename))]
- return src_files
-
-def get_submodule_hash(commit: str, submodule: str) -> str:
- """Get the commit hash of a submodule at a given commit in the Git repository."""
- cmd = ["git", "ls-tree", commit, submodule]
- output = subprocess.check_output(cmd, universal_newlines=True)
- return output.split()[2]
-
-def get_uncrustify_version() -> str:
- """
- Get the version string from Uncrustify
- """
- result = subprocess.run([UNCRUSTIFY_EXE, "--version"],
- stdout=subprocess.PIPE, stderr=subprocess.PIPE,
- check=False)
- if result.returncode != 0:
- print_err("Could not get Uncrustify version:", str(result.stderr, "utf-8"))
- return ""
- else:
- return str(result.stdout, "utf-8")
-
-def check_style_is_correct(src_file_list: List[str]) -> bool:
- """
- Check the code style and output a diff for each file whose style is
- incorrect.
- """
- style_correct = True
- for src_file in src_file_list:
- uncrustify_cmd = [UNCRUSTIFY_EXE] + UNCRUSTIFY_ARGS + [src_file]
- result = subprocess.run(uncrustify_cmd, stdout=subprocess.PIPE,
- stderr=subprocess.PIPE, check=False)
- if result.returncode != 0:
- print_err("Uncrustify returned " + str(result.returncode) +
- " correcting file " + src_file)
- return False
-
- # Uncrustify makes changes to the code and places the result in a new
- # file with the extension ".uncrustify". To get the changes (if any)
- # simply diff the 2 files.
- diff_cmd = ["diff", "-u", src_file, src_file + ".uncrustify"]
- cp = subprocess.run(diff_cmd, check=False)
-
- if cp.returncode == 1:
- print(src_file + " changed - code style is incorrect.")
- style_correct = False
- elif cp.returncode != 0:
- raise subprocess.CalledProcessError(cp.returncode, cp.args,
- cp.stdout, cp.stderr)
-
- # Tidy up artifact
- os.remove(src_file + ".uncrustify")
-
- return style_correct
-
-def fix_style_single_pass(src_file_list: List[str]) -> bool:
- """
- Run Uncrustify once over the source files.
- """
- code_change_args = UNCRUSTIFY_ARGS + ["--no-backup"]
- for src_file in src_file_list:
- uncrustify_cmd = [UNCRUSTIFY_EXE] + code_change_args + [src_file]
- result = subprocess.run(uncrustify_cmd, check=False)
- if result.returncode != 0:
- print_err("Uncrustify with file returned: " +
- str(result.returncode) + " correcting file " +
- src_file)
- return False
- return True
-
-def fix_style(src_file_list: List[str]) -> int:
- """
- Fix the code style. This takes 2 passes of Uncrustify.
- """
- if not fix_style_single_pass(src_file_list):
- return 1
- if not fix_style_single_pass(src_file_list):
- return 1
-
- # Guard against future changes that cause the codebase to require
- # more passes.
- if not check_style_is_correct(src_file_list):
- print_err("Code style still incorrect after second run of Uncrustify.")
- return 1
- else:
- return 0
-
-def main() -> int:
- """
- Main with command line arguments.
- """
- uncrustify_version = get_uncrustify_version().strip()
- if UNCRUSTIFY_SUPPORTED_VERSION not in uncrustify_version:
- print("Warning: Using unsupported Uncrustify version '" +
- uncrustify_version + "'")
- print("Note: The only supported version is " +
- UNCRUSTIFY_SUPPORTED_VERSION)
-
- parser = argparse.ArgumentParser()
- parser.add_argument('-f', '--fix', action='store_true',
- help=('modify source files to fix the code style '
- '(default: print diff, do not modify files)'))
- parser.add_argument('-s', '--since', metavar='COMMIT', const='development', nargs='?',
- help=('only check files modified since the specified commit'
- ' (e.g. --since=HEAD~3 or --since=development). If no'
- ' commit is specified, default to development.'))
- # --subset is almost useless: it only matters if there are no files
- # ('code_style.py' without arguments checks all files known to Git,
- # 'code_style.py --subset' does nothing). In particular,
- # 'code_style.py --fix --subset ...' is intended as a stable ("porcelain")
- # way to restyle a possibly empty set of files.
- parser.add_argument('--subset', action='store_true',
- help='only check the specified files (default with non-option arguments)')
- parser.add_argument('operands', nargs='*', metavar='FILE',
- help='files to check (files MUST be known to git, if none: check all)')
-
- args = parser.parse_args()
-
- covered = frozenset(get_src_files(args.since))
- # We only check files that are known to git
- if args.subset or args.operands:
- src_files = [f for f in args.operands if f in covered]
- skip_src_files = [f for f in args.operands if f not in covered]
- if skip_src_files:
- print_skip(skip_src_files)
- else:
- src_files = list(covered)
-
- if args.fix:
- # Fix mode
- return fix_style(src_files)
- else:
- # Check mode
- if check_style_is_correct(src_files):
- print("Checked {} files, style ok.".format(len(src_files)))
- return 0
- else:
- return 1
-
-if __name__ == '__main__':
- sys.exit(main())
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
index d3b7d6f..ed5c9a0 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
@@ -307,8 +307,7 @@
#endif /* PSA_CRYPTO_DRIVER_TEST */
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
- PSA_ALG_IS_ECDSA(alg) &&
- !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+ PSA_ALG_IS_RANDOMIZED_ECDSA(alg) &&
PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
psa_get_key_bits(attributes) == 256 )
{
@@ -412,7 +411,6 @@
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
- !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
psa_get_key_bits(attributes) == 256 )
{
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index 29687cb..0c15c38 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -26,6 +26,6 @@
python framework\scripts\generate_config_tests.py || exit /b 1
python framework\scripts\generate_ecp_tests.py || exit /b 1
python framework\scripts\generate_psa_tests.py || exit /b 1
-python framework\scripts\generate_test_keys.py --output framework\tests\src\test_keys.h || exit /b 1
+python framework\scripts\generate_test_keys.py --output framework\tests\include\test\test_keys.h || exit /b 1
python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1
python framework\scripts\generate_tls13_compat_tests.py || exit /b 1
diff --git a/scripts/output_env.sh b/scripts/output_env.sh
deleted file mode 100755
index 32f1f86..0000000
--- a/scripts/output_env.sh
+++ /dev/null
@@ -1,183 +0,0 @@
-#! /usr/bin/env sh
-
-# output_env.sh
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# Purpose
-#
-# To print out all the relevant information about the development environment.
-#
-# This includes:
-# - architecture of the system
-# - type and version of the operating system
-# - version of make and cmake
-# - version of armcc, clang, gcc-arm and gcc compilers
-# - version of libc, clang, asan and valgrind if installed
-# - version of gnuTLS and OpenSSL
-
-print_version()
-{
- BIN="$1"
- shift
- ARGS="$1"
- shift
- VARIANT="$1"
- shift
-
- if [ -n "$VARIANT" ]; then
- VARIANT=" ($VARIANT)"
- fi
-
- if ! type "$BIN" > /dev/null 2>&1; then
- echo " * ${BIN##*/}$VARIANT: Not found."
- return 0
- fi
-
- BIN=`which "$BIN"`
- VERSION_STR=`$BIN $ARGS 2>&1`
-
- # Apply all filters
- while [ $# -gt 0 ]; do
- FILTER="$1"
- shift
- VERSION_STR=`echo "$VERSION_STR" | $FILTER`
- done
-
- if [ -z "$VERSION_STR" ]; then
- VERSION_STR="Version could not be determined."
- fi
-
- echo " * ${BIN##*/}$VARIANT: ${BIN} : ${VERSION_STR} "
-}
-
-echo "** Platform:"
-echo
-
-if [ `uname -s` = "Linux" ]; then
- echo "Linux variant"
- lsb_release -d -c
-else
- echo "Unknown Unix variant"
-fi
-
-echo
-
-print_version "uname" "-a" ""
-
-echo
-echo
-echo "** Tool Versions:"
-echo
-
-print_version "make" "--version" "" "head -n 1"
-echo
-
-print_version "cmake" "--version" "" "head -n 1"
-echo
-
-if [ "${RUN_ARMCC:-1}" -ne 0 ]; then
- : "${ARMC6_CC:=armclang}"
- print_version "$ARMC6_CC" "--vsn" "" "head -n 2"
- echo
-fi
-
-print_version "arm-none-eabi-gcc" "--version" "" "head -n 1"
-echo
-
-print_version "gcc" "--version" "" "head -n 1"
-echo
-
-if [ -n "${GCC_EARLIEST+set}" ]; then
- print_version "${GCC_EARLIEST}" "--version" "" "head -n 1"
-else
- echo " GCC_EARLIEST : Not configured."
-fi
-echo
-
-if [ -n "${GCC_LATEST+set}" ]; then
- print_version "${GCC_LATEST}" "--version" "" "head -n 1"
-else
- echo " GCC_LATEST : Not configured."
-fi
-echo
-
-print_version "clang" "--version" "" "head -n 2"
-echo
-
-if [ -n "${CLANG_EARLIEST+set}" ]; then
- print_version "${CLANG_EARLIEST}" "--version" "" "head -n 2"
-else
- echo " CLANG_EARLIEST : Not configured."
-fi
-echo
-
-if [ -n "${CLANG_LATEST+set}" ]; then
- print_version "${CLANG_LATEST}" "--version" "" "head -n 2"
-else
- echo " CLANG_LATEST : Not configured."
-fi
-echo
-
-print_version "ldd" "--version" "" "head -n 1"
-echo
-
-print_version "valgrind" "--version" ""
-echo
-
-print_version "gdb" "--version" "" "head -n 1"
-echo
-
-print_version "perl" "--version" "" "head -n 2" "grep ."
-echo
-
-print_version "python" "--version" "" "head -n 1"
-echo
-
-print_version "python3" "--version" "" "head -n 1"
-echo
-
-# Find the installed version of Pylint. Installed as a distro package this can
-# be pylint3 and as a PEP egg, pylint. In test scripts We prefer pylint over
-# pylint3
-if type pylint >/dev/null 2>/dev/null; then
- print_version "pylint" "--version" "" "sed /^.*config/d" "grep pylint"
-elif type pylint3 >/dev/null 2>/dev/null; then
- print_version "pylint3" "--version" "" "sed /^.*config/d" "grep pylint"
-else
- echo " * pylint or pylint3: Not found."
-fi
-echo
-
-: ${OPENSSL:=openssl}
-print_version "$OPENSSL" "version" "default"
-echo
-
-if [ -n "${OPENSSL_NEXT+set}" ]; then
- print_version "$OPENSSL_NEXT" "version" "next"
-else
- echo " * openssl (next): Not configured."
-fi
-echo
-
-: ${GNUTLS_CLI:=gnutls-cli}
-print_version "$GNUTLS_CLI" "--version" "default" "head -n 1"
-echo
-
-: ${GNUTLS_SERV:=gnutls-serv}
-print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
-echo
-
-echo " * Installed asan versions:"
-if type dpkg-query >/dev/null 2>/dev/null; then
- if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |
- awk '$3 == "installed" && $4 !~ /-/ {print $4, $5}' |
- grep .
- then
- echo " No asan versions installed."
- fi
-else
- echo " Unable to determine the asan version without dpkg."
-fi
-echo
diff --git a/tests/Makefile b/tests/Makefile
index baeb7f7..2c6489c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -53,7 +53,7 @@
GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES)
GENERATED_FILES = $(GENERATED_DATA_FILES)
-GENERATED_FILES += ../framework/tests/src/test_keys.h src/test_certs.h
+GENERATED_FILES += ../framework/tests/include/test/test_keys.h src/test_certs.h
# Generated files needed to (fully) run ssl-opt.sh
.PHONY: ssl-opt
@@ -161,7 +161,7 @@
echo " Gen $@"
$(PYTHON) ../framework/scripts/generate_test_cert_macros.py --output $@
-../framework/tests/src/test_keys.h: ../framework/scripts/generate_test_keys.py
+../framework/tests/include/test/test_keys.h: ../framework/scripts/generate_test_keys.py
echo " Gen $@"
$(PYTHON) ../framework/scripts/generate_test_keys.py --output $@
@@ -172,7 +172,7 @@
# therefore the wildcard enumeration above doesn't include it.
TEST_OBJS_DEPS += ../framework/tests/include/test/instrument_record_status.h
endif
-TEST_OBJS_DEPS += src/test_certs.h ../framework/tests/src/test_keys.h
+TEST_OBJS_DEPS += src/test_certs.h ../framework/tests/include/test/test_keys.h
# Rule to compile common test C files in framework
../framework/tests/src/%.o : ../framework/tests/src/%.c $(TEST_OBJS_DEPS)
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 18c8bde..09e1245 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -206,6 +206,11 @@
'PBES2 Encrypt, pad=6 (PKCS7 padding disabled)',
'PBES2 Encrypt, pad=8 (PKCS7 padding disabled)',
],
+ 'test_suite_psa_crypto': [
+ # We don't test this unusual, but sensible configuration.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9592
+ re.compile(r'.*ECDSA.*only deterministic supported'),
+ ],
'test_suite_psa_crypto_generate_key.generated': [
# Ignore mechanisms that are not implemented, except
# for public keys for which we always test that
@@ -258,6 +263,9 @@
# "PSA test case generation: dependency inference class: operation fail"
# from https://github.com/Mbed-TLS/mbedtls/pull/9025 .
re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'),
+ # We don't test this unusual, but sensible configuration.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9592
+ re.compile(r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*'),
# PBKDF2_HMAC is not in the default configuration, so we don't
# enable it in depends.py where we remove hashes.
# https://github.com/Mbed-TLS/mbedtls/issues/9576
@@ -272,6 +280,11 @@
# https://github.com/Mbed-TLS/mbedtls/issues/9578
re.compile(r'PSA sign RSA_PSS_ANY_SALT.*!(?:MD|RIPEMD|SHA).*'),
],
+ 'test_suite_psa_crypto_op_fail.misc': [
+ # We don't test this unusual, but sensible configuration.
+ # https://github.com/Mbed-TLS/mbedtls/issues/9592
+ 'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long
+ ],
'test_suite_psa_crypto_storage_format.current': [
PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
],
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index d2e955f..5df2d02 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -65,7 +65,7 @@
OPENSSL="$OPENSSL" \
GNUTLS_CLI="$GNUTLS_CLI" \
GNUTLS_SERV="$GNUTLS_SERV" \
- scripts/output_env.sh
+ framework/scripts/output_env.sh
echo
# Step 1 - Make and instrumented build for code coverage
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index d796cc0..b61c5ac 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -111,7 +111,7 @@
}
# Note: if the format of calls to the "check" function changes, update
-# scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
+# framework/scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
# the format must be "check SCRIPT FILENAME...". For other source files,
# any shell syntax is permitted (including e.g. command substitution).
@@ -126,7 +126,7 @@
check framework/scripts/generate_config_tests.py $(framework/scripts/generate_config_tests.py --list)
check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
-check framework/scripts/generate_test_keys.py framework/tests/src/test_keys.h
+check framework/scripts/generate_test_keys.py framework/tests/include/test/test_keys.h
check scripts/generate_driver_wrappers.py $library_dir/psa_crypto_driver_wrappers.h $library_dir/psa_crypto_driver_wrappers_no_static.c
# Additional checks for Mbed TLS only
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
deleted file mode 100755
index 2a5d64b..0000000
--- a/tests/scripts/check_files.py
+++ /dev/null
@@ -1,546 +0,0 @@
-#!/usr/bin/env python3
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-"""
-This script checks the current state of the source code for minor issues,
-including incorrect file permissions, presence of tabs, non-Unix line endings,
-trailing whitespace, and presence of UTF-8 BOM.
-Note: requires python 3, must be run from Mbed TLS root.
-"""
-
-import argparse
-import codecs
-import inspect
-import logging
-import os
-import re
-import subprocess
-import sys
-try:
- from typing import FrozenSet, Optional, Pattern # pylint: disable=unused-import
-except ImportError:
- pass
-
-import scripts_path # pylint: disable=unused-import
-from mbedtls_framework import build_tree
-
-
-class FileIssueTracker:
- """Base class for file-wide issue tracking.
-
- To implement a checker that processes a file as a whole, inherit from
- this class and implement `check_file_for_issue` and define ``heading``.
-
- ``suffix_exemptions``: files whose name ends with a string in this set
- will not be checked.
-
- ``path_exemptions``: files whose path (relative to the root of the source
- tree) matches this regular expression will not be checked. This can be
- ``None`` to match no path. Paths are normalized and converted to ``/``
- separators before matching.
-
- ``heading``: human-readable description of the issue
- """
-
- suffix_exemptions = frozenset() #type: FrozenSet[str]
- path_exemptions = None #type: Optional[Pattern[str]]
- # heading must be defined in derived classes.
- # pylint: disable=no-member
-
- def __init__(self):
- self.files_with_issues = {}
-
- @staticmethod
- def normalize_path(filepath):
- """Normalize ``filepath`` with / as the directory separator."""
- filepath = os.path.normpath(filepath)
- # On Windows, we may have backslashes to separate directories.
- # We need slashes to match exemption lists.
- seps = os.path.sep
- if os.path.altsep is not None:
- seps += os.path.altsep
- return '/'.join(filepath.split(seps))
-
- def should_check_file(self, filepath):
- """Whether the given file name should be checked.
-
- Files whose name ends with a string listed in ``self.suffix_exemptions``
- or whose path matches ``self.path_exemptions`` will not be checked.
- """
- for files_exemption in self.suffix_exemptions:
- if filepath.endswith(files_exemption):
- return False
- if self.path_exemptions and \
- re.match(self.path_exemptions, self.normalize_path(filepath)):
- return False
- return True
-
- def check_file_for_issue(self, filepath):
- """Check the specified file for the issue that this class is for.
-
- Subclasses must implement this method.
- """
- raise NotImplementedError
-
- def record_issue(self, filepath, line_number):
- """Record that an issue was found at the specified location."""
- if filepath not in self.files_with_issues.keys():
- self.files_with_issues[filepath] = []
- self.files_with_issues[filepath].append(line_number)
-
- def output_file_issues(self, logger):
- """Log all the locations where the issue was found."""
- if self.files_with_issues.values():
- logger.info(self.heading)
- for filename, lines in sorted(self.files_with_issues.items()):
- if lines:
- logger.info("{}: {}".format(
- filename, ", ".join(str(x) for x in lines)
- ))
- else:
- logger.info(filename)
- logger.info("")
-
-BINARY_FILE_PATH_RE_LIST = [
- r'docs/.*\.pdf\Z',
- r'docs/.*\.png\Z',
- r'programs/fuzz/corpuses/[^.]+\Z',
- r'framework/data_files/[^.]+\Z',
- r'framework/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',
- r'framework/data_files/.*\.req\.[^/]+\Z',
- r'framework/data_files/.*malformed[^/]+\Z',
- r'framework/data_files/format_pkcs12\.fmt\Z',
- r'framework/data_files/.*\.bin\Z',
-]
-BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST))
-
-class LineIssueTracker(FileIssueTracker):
- """Base class for line-by-line issue tracking.
-
- To implement a checker that processes files line by line, inherit from
- this class and implement `line_with_issue`.
- """
-
- # Exclude binary files.
- path_exemptions = BINARY_FILE_PATH_RE
-
- def issue_with_line(self, line, filepath, line_number):
- """Check the specified line for the issue that this class is for.
-
- Subclasses must implement this method.
- """
- raise NotImplementedError
-
- def check_file_line(self, filepath, line, line_number):
- if self.issue_with_line(line, filepath, line_number):
- self.record_issue(filepath, line_number)
-
- def check_file_for_issue(self, filepath):
- """Check the lines of the specified file.
-
- Subclasses must implement the ``issue_with_line`` method.
- """
- with open(filepath, "rb") as f:
- for i, line in enumerate(iter(f.readline, b"")):
- self.check_file_line(filepath, line, i + 1)
-
-
-def is_windows_file(filepath):
- _root, ext = os.path.splitext(filepath)
- return ext in ('.bat', '.dsp', '.dsw', '.sln', '.vcxproj')
-
-
-class ShebangIssueTracker(FileIssueTracker):
- """Track files with a bad, missing or extraneous shebang line.
-
- Executable scripts must start with a valid shebang (#!) line.
- """
-
- heading = "Invalid shebang line:"
-
- # Allow either /bin/sh, /bin/bash, or /usr/bin/env.
- # Allow at most one argument (this is a Linux limitation).
- # For sh and bash, the argument if present must be options.
- # For env, the argument must be the base name of the interpreter.
- _shebang_re = re.compile(rb'^#! ?(?:/bin/(bash|sh)(?: -[^\n ]*)?'
- rb'|/usr/bin/env ([^\n /]+))$')
- _extensions = {
- b'bash': 'sh',
- b'perl': 'pl',
- b'python3': 'py',
- b'sh': 'sh',
- }
-
- path_exemptions = re.compile(r'tests/scripts/quiet/.*')
-
- def is_valid_shebang(self, first_line, filepath):
- m = re.match(self._shebang_re, first_line)
- if not m:
- return False
- interpreter = m.group(1) or m.group(2)
- if interpreter not in self._extensions:
- return False
- if not filepath.endswith('.' + self._extensions[interpreter]):
- return False
- return True
-
- def check_file_for_issue(self, filepath):
- is_executable = os.access(filepath, os.X_OK)
- with open(filepath, "rb") as f:
- first_line = f.readline()
- if first_line.startswith(b'#!'):
- if not is_executable:
- # Shebang on a non-executable file
- self.files_with_issues[filepath] = None
- elif not self.is_valid_shebang(first_line, filepath):
- self.files_with_issues[filepath] = [1]
- elif is_executable:
- # Executable without a shebang
- self.files_with_issues[filepath] = None
-
-
-class EndOfFileNewlineIssueTracker(FileIssueTracker):
- """Track files that end with an incomplete line
- (no newline character at the end of the last line)."""
-
- heading = "Missing newline at end of file:"
-
- path_exemptions = BINARY_FILE_PATH_RE
-
- def check_file_for_issue(self, filepath):
- with open(filepath, "rb") as f:
- try:
- f.seek(-1, 2)
- except OSError:
- # This script only works on regular files. If we can't seek
- # 1 before the end, it means that this position is before
- # the beginning of the file, i.e. that the file is empty.
- return
- if f.read(1) != b"\n":
- self.files_with_issues[filepath] = None
-
-
-class Utf8BomIssueTracker(FileIssueTracker):
- """Track files that start with a UTF-8 BOM.
- Files should be ASCII or UTF-8. Valid UTF-8 does not start with a BOM."""
-
- heading = "UTF-8 BOM present:"
-
- suffix_exemptions = frozenset([".vcxproj", ".sln"])
- path_exemptions = BINARY_FILE_PATH_RE
-
- def check_file_for_issue(self, filepath):
- with open(filepath, "rb") as f:
- if f.read().startswith(codecs.BOM_UTF8):
- self.files_with_issues[filepath] = None
-
-
-class UnicodeIssueTracker(LineIssueTracker):
- """Track lines with invalid characters or invalid text encoding."""
-
- heading = "Invalid UTF-8 or forbidden character:"
-
- # Only allow valid UTF-8, and only other explicitly allowed characters.
- # We deliberately exclude all characters that aren't a simple non-blank,
- # non-zero-width glyph, apart from a very small set (tab, ordinary space,
- # line breaks, "basic" no-break space and soft hyphen). In particular,
- # non-ASCII control characters, combinig characters, and Unicode state
- # changes (e.g. right-to-left text) are forbidden.
- # Note that we do allow some characters with a risk of visual confusion,
- # for example '-' (U+002D HYPHEN-MINUS) vs '' (U+00AD SOFT HYPHEN) vs
- # '‐' (U+2010 HYPHEN), or 'A' (U+0041 LATIN CAPITAL LETTER A) vs
- # 'Α' (U+0391 GREEK CAPITAL LETTER ALPHA).
- GOOD_CHARACTERS = ''.join([
- '\t\n\r -~', # ASCII (tabs and line endings are checked separately)
- '\u00A0-\u00FF', # Latin-1 Supplement (for NO-BREAK SPACE and punctuation)
- '\u2010-\u2027\u2030-\u205E', # General Punctuation (printable)
- '\u2070\u2071\u2074-\u208E\u2090-\u209C', # Superscripts and Subscripts
- '\u2190-\u21FF', # Arrows
- '\u2200-\u22FF', # Mathematical Symbols
- '\u2500-\u257F' # Box Drawings characters used in markdown trees
- ])
- # Allow any of the characters and ranges above, and anything classified
- # as a word constituent.
- GOOD_CHARACTERS_RE = re.compile(r'[\w{}]+\Z'.format(GOOD_CHARACTERS))
-
- def issue_with_line(self, line, _filepath, line_number):
- try:
- text = line.decode('utf-8')
- except UnicodeDecodeError:
- return True
- if line_number == 1 and text.startswith('\uFEFF'):
- # Strip BOM (U+FEFF ZERO WIDTH NO-BREAK SPACE) at the beginning.
- # Which files are allowed to have a BOM is handled in
- # Utf8BomIssueTracker.
- text = text[1:]
- return not self.GOOD_CHARACTERS_RE.match(text)
-
-class UnixLineEndingIssueTracker(LineIssueTracker):
- """Track files with non-Unix line endings (i.e. files with CR)."""
-
- heading = "Non-Unix line endings:"
-
- def should_check_file(self, filepath):
- if not super().should_check_file(filepath):
- return False
- return not is_windows_file(filepath)
-
- def issue_with_line(self, line, _filepath, _line_number):
- return b"\r" in line
-
-
-class WindowsLineEndingIssueTracker(LineIssueTracker):
- """Track files with non-Windows line endings (i.e. CR or LF not in CRLF)."""
-
- heading = "Non-Windows line endings:"
-
- def should_check_file(self, filepath):
- if not super().should_check_file(filepath):
- return False
- return is_windows_file(filepath)
-
- def issue_with_line(self, line, _filepath, _line_number):
- return not line.endswith(b"\r\n") or b"\r" in line[:-2]
-
-
-class TrailingWhitespaceIssueTracker(LineIssueTracker):
- """Track lines with trailing whitespace."""
-
- heading = "Trailing whitespace:"
- suffix_exemptions = frozenset([".dsp", ".md"])
-
- def issue_with_line(self, line, _filepath, _line_number):
- return line.rstrip(b"\r\n") != line.rstrip()
-
-
-class TabIssueTracker(LineIssueTracker):
- """Track lines with tabs."""
-
- heading = "Tabs present:"
- suffix_exemptions = frozenset([
- ".make",
- ".pem", # some openssl dumps have tabs
- ".sln",
- "/.gitmodules",
- "/Makefile",
- "/Makefile.inc",
- "/generate_visualc_files.pl",
- ])
-
- def issue_with_line(self, line, _filepath, _line_number):
- return b"\t" in line
-
-
-class MergeArtifactIssueTracker(LineIssueTracker):
- """Track lines with merge artifacts.
- These are leftovers from a ``git merge`` that wasn't fully edited."""
-
- heading = "Merge artifact:"
-
- def issue_with_line(self, line, _filepath, _line_number):
- # Detect leftover git conflict markers.
- if line.startswith(b'<<<<<<< ') or line.startswith(b'>>>>>>> '):
- return True
- if line.startswith(b'||||||| '): # from merge.conflictStyle=diff3
- return True
- if line.rstrip(b'\r\n') == b'=======' and \
- not _filepath.endswith('.md'):
- return True
- return False
-
-
-def this_location():
- frame = inspect.currentframe()
- assert frame is not None
- info = inspect.getframeinfo(frame)
- return os.path.basename(info.filename), info.lineno
-THIS_FILE_BASE_NAME, LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER = this_location()
-
-class LicenseIssueTracker(LineIssueTracker):
- """Check copyright statements and license indications.
-
- This class only checks that statements are correct if present. It does
- not enforce the presence of statements in each file.
- """
-
- heading = "License issue:"
-
- LICENSE_EXEMPTION_RE_LIST = [
- # Third-party code, other than whitelisted third-party modules,
- # may be under a different license.
- r'3rdparty/(?!(p256-m)/.*)',
- # Documentation explaining the license may have accidental
- # false positives.
- r'(ChangeLog|LICENSE|framework\/LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
- # Files imported from TF-M, and not used except in test builds,
- # may be under a different license.
- r'configs/ext/crypto_config_profile_medium\.h\Z',
- r'configs/ext/tfm_mbedcrypto_config_profile_medium\.h\Z',
- r'configs/ext/README\.md\Z',
- # Third-party file.
- r'dco\.txt\Z',
- r'framework\/dco\.txt\Z',
- ]
- path_exemptions = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST +
- LICENSE_EXEMPTION_RE_LIST))
-
- COPYRIGHT_HOLDER = rb'The Mbed TLS Contributors'
- # Catch "Copyright foo", "Copyright (C) foo", "Copyright © foo", etc.
- COPYRIGHT_RE = re.compile(rb'.*\bcopyright\s+((?:\w|\s|[()]|[^ -~])*\w)', re.I)
-
- SPDX_HEADER_KEY = b'SPDX-License-Identifier'
- LICENSE_IDENTIFIER = b'Apache-2.0 OR GPL-2.0-or-later'
- SPDX_RE = re.compile(br'.*?(' +
- re.escape(SPDX_HEADER_KEY) +
- br')(:\s*(.*?)\W*\Z|.*)', re.I)
-
- LICENSE_MENTION_RE = re.compile(rb'.*(?:' + rb'|'.join([
- rb'Apache License',
- rb'General Public License',
- ]) + rb')', re.I)
-
- def __init__(self):
- super().__init__()
- # Record what problem was caused. We can't easily report it due to
- # the structure of the script. To be fixed after
- # https://github.com/Mbed-TLS/mbedtls/pull/2506
- self.problem = None
-
- def issue_with_line(self, line, filepath, line_number):
- #pylint: disable=too-many-return-statements
-
- # Use endswith() rather than the more correct os.path.basename()
- # because experimentally, it makes a significant difference to
- # the running time.
- if filepath.endswith(THIS_FILE_BASE_NAME) and \
- line_number > LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER:
- # Avoid false positives from the code in this class.
- # Also skip the rest of this file, which is highly unlikely to
- # contain any problematic statements since we put those near the
- # top of files.
- return False
-
- m = self.COPYRIGHT_RE.match(line)
- if m and m.group(1) != self.COPYRIGHT_HOLDER:
- self.problem = 'Invalid copyright line'
- return True
-
- m = self.SPDX_RE.match(line)
- if m:
- if m.group(1) != self.SPDX_HEADER_KEY:
- self.problem = 'Misspelled ' + self.SPDX_HEADER_KEY.decode()
- return True
- if not m.group(3):
- self.problem = 'Improperly formatted SPDX license identifier'
- return True
- if m.group(3) != self.LICENSE_IDENTIFIER:
- self.problem = 'Wrong SPDX license identifier'
- return True
-
- m = self.LICENSE_MENTION_RE.match(line)
- if m:
- self.problem = 'Suspicious license mention'
- return True
-
- return False
-
-
-class IntegrityChecker:
- """Sanity-check files under the current directory."""
-
- def __init__(self, log_file):
- """Instantiate the sanity checker.
- Check files under the current directory.
- Write a report of issues to log_file."""
- build_tree.check_repo_path()
- self.logger = None
- self.setup_logger(log_file)
- self.issues_to_check = [
- ShebangIssueTracker(),
- EndOfFileNewlineIssueTracker(),
- Utf8BomIssueTracker(),
- UnicodeIssueTracker(),
- UnixLineEndingIssueTracker(),
- WindowsLineEndingIssueTracker(),
- TrailingWhitespaceIssueTracker(),
- TabIssueTracker(),
- MergeArtifactIssueTracker(),
- LicenseIssueTracker(),
- ]
-
- def setup_logger(self, log_file, level=logging.INFO):
- """Log to log_file if provided, or to stderr if None."""
- self.logger = logging.getLogger()
- self.logger.setLevel(level)
- if log_file:
- handler = logging.FileHandler(log_file)
- self.logger.addHandler(handler)
- else:
- console = logging.StreamHandler()
- self.logger.addHandler(console)
-
- @staticmethod
- def collect_files():
- """Return the list of files to check.
-
- These are the regular files commited into Git.
- """
- bytes_output = subprocess.check_output(['git', '-C', 'framework',
- 'ls-files', '-z'])
- bytes_framework_filepaths = bytes_output.split(b'\0')[:-1]
- bytes_framework_filepaths = ["framework/".encode() + filepath
- for filepath in bytes_framework_filepaths]
-
- bytes_output = subprocess.check_output(['git', 'ls-files', '-z'])
- bytes_filepaths = bytes_output.split(b'\0')[:-1] + \
- bytes_framework_filepaths
- ascii_filepaths = map(lambda fp: fp.decode('ascii'), bytes_filepaths)
-
- # Filter out directories. Normally Git doesn't list directories
- # (it only knows about the files inside them), but there is
- # at least one case where 'git ls-files' includes a directory:
- # submodules. Just skip submodules (and any other directories).
- ascii_filepaths = [fp for fp in ascii_filepaths
- if os.path.isfile(fp)]
- # Prepend './' to files in the top-level directory so that
- # something like `'/Makefile' in fp` matches in the top-level
- # directory as well as in subdirectories.
- return [fp if os.path.dirname(fp) else os.path.join(os.curdir, fp)
- for fp in ascii_filepaths]
-
- def check_files(self):
- """Check all files for all issues."""
- for issue_to_check in self.issues_to_check:
- for filepath in self.collect_files():
- if issue_to_check.should_check_file(filepath):
- issue_to_check.check_file_for_issue(filepath)
-
- def output_issues(self):
- """Log the issues found and their locations.
-
- Return 1 if there were issues, 0 otherwise.
- """
- integrity_return_code = 0
- for issue_to_check in self.issues_to_check:
- if issue_to_check.files_with_issues:
- integrity_return_code = 1
- issue_to_check.output_file_issues(self.logger)
- return integrity_return_code
-
-
-def run_main():
- parser = argparse.ArgumentParser(description=__doc__)
- parser.add_argument(
- "-l", "--log_file", type=str, help="path to optional output log",
- )
- check_args = parser.parse_args()
- integrity_check = IntegrityChecker(check_args.log_file)
- integrity_check.check_files()
- return_code = integrity_check.output_issues()
- sys.exit(return_code)
-
-
-if __name__ == "__main__":
- run_main()
diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh
index 7b60b49..0ff7f44 100644
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -41,7 +41,7 @@
component_check_files () {
msg "Check: file sanity checks (permissions, encodings)" # < 1s
- tests/scripts/check_files.py
+ framework/scripts/check_files.py
}
component_check_changelog () {
@@ -137,7 +137,7 @@
component_check_code_style () {
msg "Check C code style"
- ./scripts/code_style.py
+ ./framework/scripts/code_style.py
}
support_check_code_style () {
diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake
deleted file mode 100755
index a34365b..0000000
--- a/tests/scripts/quiet/cmake
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /usr/bin/env bash
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# This swallows the output of the wrapped tool, unless there is an error.
-# This helps reduce excess logging in the CI.
-
-# If you are debugging a build / CI issue, you can get complete unsilenced logs
-# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
-
-# export VERBOSE_LOGS=1
-
-# don't silence invocations containing these arguments
-NO_SILENCE=" --version "
-
-TOOL="cmake"
-
-. "$(dirname "$0")/quiet.sh"
diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make
deleted file mode 100755
index 920e5b8..0000000
--- a/tests/scripts/quiet/make
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /usr/bin/env bash
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# This swallows the output of the wrapped tool, unless there is an error.
-# This helps reduce excess logging in the CI.
-
-# If you are debugging a build / CI issue, you can get complete unsilenced logs
-# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
-
-# export VERBOSE_LOGS=1
-
-# don't silence invocations containing these arguments
-NO_SILENCE=" --version | test "
-
-TOOL="make"
-
-. "$(dirname "$0")/quiet.sh"
diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh
deleted file mode 100644
index 0f26184..0000000
--- a/tests/scripts/quiet/quiet.sh
+++ /dev/null
@@ -1,79 +0,0 @@
-# -*-mode: sh; sh-shell: bash -*-
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# This swallows the output of the wrapped tool, unless there is an error.
-# This helps reduce excess logging in the CI.
-
-# If you are debugging a build / CI issue, you can get complete unsilenced logs
-# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
-#
-# VERBOSE_LOGS=1
-#
-# This script provides most of the functionality for the adjacent make and cmake
-# wrappers.
-#
-# It requires two variables to be set:
-#
-# TOOL - the name of the tool that is being wrapped (with no path), e.g. "make"
-#
-# NO_SILENCE - a regex that describes the commandline arguments for which output will not
-# be silenced, e.g. " --version | test ". In this example, "make lib test" will
-# not be silent, but "make lib" will be.
-
-# Identify path to original tool. There is an edge-case here where the quiet wrapper is on the path via
-# a symlink or relative path, but "type -ap" yields the wrapper with it's normalised path. We use
-# the -ef operator to compare paths, to avoid picking the wrapper in this case (to avoid infinitely
-# recursing).
-while IFS= read -r ORIGINAL_TOOL; do
- if ! [[ $ORIGINAL_TOOL -ef "$0" ]]; then break; fi
-done < <(type -ap -- "$TOOL")
-
-print_quoted_args() {
- # similar to printf '%q' "$@"
- # but produce more human-readable results for common/simple cases like "a b"
- for a in "$@"; do
- # Get bash to quote the string
- printf -v q '%q' "$a"
- simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$"
- if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then
- # a requires some quoting (a != q), but has no single quotes, so we can
- # simplify the quoted form - e.g.:
- # a b -> 'a b'
- # CFLAGS=a b -> CFLAGS='a b'
- q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'"
- fi
- printf " %s" "$q"
- done
-}
-
-if [[ ! " $* " =~ " --version " ]]; then
- # Display the command being invoked - if it succeeds, this is all that will
- # be displayed. Don't do this for invocations with --version, because
- # this output is often parsed by scripts, so we don't want to modify it.
- printf %s "${TOOL}" 1>&2
- print_quoted_args "$@" 1>&2
- echo 1>&2
-fi
-
-if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then
- # Run original command with no output supression
- exec "${ORIGINAL_TOOL}" "$@"
-else
- # Run original command and capture output & exit status
- TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX")
- "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1
- EXIT_STATUS=$?
-
- if [[ $EXIT_STATUS -ne 0 ]]; then
- # On error, display the full output
- cat "${TMPFILE}"
- fi
-
- # Remove tmpfile
- rm "${TMPFILE}"
-
- # Propagate the exit status
- exit $EXIT_STATUS
-fi
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index f197d04..a8cf711 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -181,7 +181,7 @@
#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA512
#endif
-#include <../src/test_keys.h>
+#include <test/test_keys.h>
/* Define an RSA key size we know it's present in predefined_key[] array. */
#define RSA_KEY_SIZE 1024
@@ -243,7 +243,7 @@
/** Setup the provided PK context.
*
- * Predefined keys used for the setup are taken from "test/src/test_keys.h"
+ * Predefined keys used for the setup are taken from <test/test_keys.h>
* which is automatically generated using "framework/scripts/generate_test_keys.py".
*
* \param pk The PK object to fill. It must have been initialized
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index bbf7575..8c53fdc 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -156,10 +156,6 @@
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1
-PSA import/export RSA keypair: trailing garbage rejected, opaque
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
-import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT
-
PSA import RSA keypair: truncated
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b":PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_ERROR_INVALID_ARGUMENT
@@ -422,7 +418,7 @@
PSA import/export-public EC brainpool512r1: good, opaque
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_BRAINPOOL_P_R1_512:PSA_CRYPTO_DRIVER_TEST
-import_export_public_key:"372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51879fe1012934dfe5395455337df6906dc7d6d2eea4dbb2065c0228f73b3ed716480e7d71d2":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):PSA_ALG_ECDSA_ANY:0:0:PSA_SUCCESS:"0438b7ec92b61c5c6c7fbc28a4ec759d48fcd4e2e374defd5c4968a54dbef7510e517886fbfc38ea39aa529359d70a7156c35d3cbac7ce776bdb251dd64bce71234424ee7049eed072f0dbc4d79996e175d557e263763ae97095c081e73e7db2e38adc3d4c9a0487b1ede876dc1fca61c902e9a1d8722b8612928f18a24845591a"
+import_export_public_key:"372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51879fe1012934dfe5395455337df6906dc7d6d2eea4dbb2065c0228f73b3ed716480e7d71d2":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):PSA_ALG_ECDSA_ANY:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):0:PSA_SUCCESS:"0438b7ec92b61c5c6c7fbc28a4ec759d48fcd4e2e374defd5c4968a54dbef7510e517886fbfc38ea39aa529359d70a7156c35d3cbac7ce776bdb251dd64bce71234424ee7049eed072f0dbc4d79996e175d557e263763ae97095c081e73e7db2e38adc3d4c9a0487b1ede876dc1fca61c902e9a1d8722b8612928f18a24845591a"
PSA import/export EC curve25519 key pair: good (already properly masked), opaque
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_MONTGOMERY_255:PSA_CRYPTO_DRIVER_TEST
@@ -4489,11 +4485,11 @@
PSA sign hash int (ops=inf): det ECDSA not supported
depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
PSA sign hash int (ops=min): det ECDSA not supported
depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:0
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:0
PSA sign/verify hash: RSA PKCS#1 v1.5, raw
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
@@ -4735,6 +4731,29 @@
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"bed412df472eef873fb0839f91a6867d1c6824d4c5781d4b851faa43c7df904d99dbdd28c0d2fd3a4a006e89d34993a120aff166deb4974e96449a7ffe93c66726ad9443b14b87330c86bdde3faff5fd1cbfdc9afe46f8090376f9664cb116b4":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+# The next 4 test cases check what happens if only one of the two ECDSA
+# variants is supported. The ECDSA variants (deterministic and randomized)
+# are different signature algorithms that can be enabled independently,
+# but they have the same verification. Mbed TLS accepts either variant
+# as the algorithm requested for verification even if that variant is not
+# supported. Test that this works. It would also be acceptable if the
+# library returned NOT_SUPPORTED in this case.
+PSA verify hash: ECDSA SECP256R1, only deterministic supported
+depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256
+verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash with keypair: ECDSA SECP256R1, only deterministic supported
+depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ECC_SECP_R1_256
+verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash: deterministic ECDSA SECP256R1, only randomized supported
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash with keypair: deterministic ECDSA SECP256R1, only randomized supported
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256
verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE
@@ -4844,14 +4863,14 @@
sign_message_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263":0:PSA_ERROR_INVALID_ARGUMENT
PSA sign message: RSA PKCS#1 v1.5 SHA-256, invalid key type
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_CHACHA20
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_CHACHA20
sign_message_fail:PSA_KEY_TYPE_CHACHA20:"4bddc98c551a95395ef719557f813656b566bc45aac04eca3866324cc75489f2":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":128:PSA_ERROR_INVALID_ARGUMENT
-PSA sign message: ECDSA SECP256R1 SHA-256, invalid hash (wildcard)
+PSA sign message: ECDSA SECP256R1, invalid hash (wildcard)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
sign_message_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):"616263":64:PSA_ERROR_INVALID_ARGUMENT
-PSA sign message: ECDSA SECP256R1 SHA-256, invalid hash algorithm (0)
+PSA sign message: ECDSA SECP256R1, invalid hash algorithm (0)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
sign_message_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(0):"616263":64:PSA_ERROR_INVALID_ARGUMENT
diff --git a/tests/suites/test_suite_psa_crypto_not_supported.function b/tests/suites/test_suite_psa_crypto_not_supported.function
index e5e66f4..4f15a3f 100644
--- a/tests/suites/test_suite_psa_crypto_not_supported.function
+++ b/tests/suites/test_suite_psa_crypto_not_supported.function
@@ -20,10 +20,28 @@
PSA_ASSERT(psa_crypto_init());
psa_set_key_type(&attributes, key_type);
- TEST_EQUAL(psa_import_key(&attributes,
- key_material->x, key_material->len,
- &key_id),
- PSA_ERROR_NOT_SUPPORTED);
+ psa_status_t actual_status =
+ psa_import_key(&attributes, key_material->x, key_material->len, &key_id);
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+ if (actual_status == PSA_ERROR_INVALID_ARGUMENT) {
+ /* Edge case: when importing an ECC public key with an unspecified
+ * bit-size (as we do here), the implementation of psa_import_key()
+ * infers the bit-size from the input. If the key type specifies an
+ * unknown curve, the validation might reject the data as invalid
+ * before it checks that the curve is supported. If so, that's ok.
+ * In practice, at the time of writing, this happens with Ed25519,
+ * for which a valid but unsupported 32-byte input causes
+ * psa_import_key() to fail because it assumes a Weierstrass curve
+ * which must have an odd-length encoding.
+ *
+ * In other cases, we do not expect an INVALID_ARGUMENT error here. */
+ TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(key_type));
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */
+ {
+ TEST_EQUAL(actual_status, PSA_ERROR_NOT_SUPPORTED);
+ }
TEST_ASSERT(mbedtls_svc_key_id_equal(key_id, MBEDTLS_SVC_KEY_ID_INIT));
exit:
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 9289869..1d299b9 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -223,12 +223,9 @@
size_t length = SIZE_MAX;
psa_sign_hash_interruptible_operation_t sign_operation =
psa_sign_hash_interruptible_operation_init();
-
psa_verify_hash_interruptible_operation_t verify_operation =
psa_verify_hash_interruptible_operation_init();
-
-
PSA_INIT();
psa_set_key_type(&attributes, key_type);
@@ -252,8 +249,8 @@
PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
if (!private_only) {
- /* Determine a plausible signature size to avoid an INVALID_SIGNATURE
- * error based on this. */
+ /* Construct a signature candidate of a plausible size to avoid an
+ * INVALID_SIGNATURE error based on an early size verification. */
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
size_t key_bits = psa_get_key_bits(&attributes);
size_t output_length = sizeof(output);
@@ -277,6 +274,8 @@
}
exit:
+ psa_sign_hash_abort(&sign_operation);
+ psa_verify_hash_abort(&verify_operation);
psa_destroy_key(key_id);
psa_reset_key_attributes(&attributes);
PSA_DONE();
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.misc.data b/tests/suites/test_suite_psa_crypto_op_fail.misc.data
index 7158f2d..0c69fa8 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.misc.data
+++ b/tests/suites/test_suite_psa_crypto_op_fail.misc.data
@@ -13,3 +13,24 @@
PSA sign RSA_PSS(SHA_256): RSA_PSS not enabled, key pair
depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_ERROR_NOT_SUPPORTED
+
+# There is a special case with ECDSA: deterministic and randomized ECDSA are
+# different signature algorithms that can be enabled independently, but
+# the verification algorithms are the same. Mbed TLS supports verification
+# of either variant when either variant is enabled. (It would also be correct
+# to reject the not-supported algorithm, but it would require a few more lines
+# of code.) In the automatically generated test cases, we avoid this difficulty
+# by making the not-supported test cases require neither variant to be
+# enabled. Here, test the signature operation when one variant is supported
+# but not the other. Testing the positive cases for the verification
+# operation is the job of test_suite_psa_crypto.
+#
+# We only test with one curve and one hash, because we know from a gray-box
+# approach that the curve and hash don't matter here.
+PSA sign DETERMINISTIC_ECDSA(SHA_256): !DETERMINISTIC_ECDSA but ECDSA with ECC_KEY_PAIR(SECP_R1)
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
+
+PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
index efd24e9..b430096 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
@@ -196,6 +196,9 @@
return mock_export_public_data.return_value;
}
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+ defined(PSA_WANT_ALG_ECDSA) && \
+ defined(PSA_WANT_ALG_SHA_256)
static psa_status_t mock_sign(psa_drv_se_context_t *context,
psa_key_slot_number_t key_slot,
psa_algorithm_t alg,
@@ -218,7 +221,9 @@
return mock_sign_data.return_value;
}
+#endif
+#if defined(PSA_WANT_ALG_ECDSA) && defined(PSA_WANT_ALG_SHA_256)
static psa_status_t mock_verify(psa_drv_se_context_t *context,
psa_key_slot_number_t key_slot,
psa_algorithm_t alg,
@@ -239,6 +244,7 @@
return mock_verify_data.return_value;
}
+#endif
static psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
void *persistent_data,
@@ -550,7 +556,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 */
void mock_sign(int mock_sign_return_value, int expected_result)
{
psa_drv_se_t driver;
@@ -611,7 +617,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 */
void mock_verify(int mock_verify_return_value, int expected_result)
{
psa_drv_se_t driver;