Merge pull request #9907 from mpg/conf-curves-3.6
[3.6 backport]: mbedtls_conf_curves()
diff --git a/framework b/framework
index 71171b7..8296a73 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 71171b77f50302206cc87b93bc8bf76f16b6e1c4
+Subproject commit 8296a73ce0cb31fadf411b6929a3201beece37a5
diff --git a/library/ecp.c b/library/ecp.c
index 427059b..fdd00a5 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -3056,7 +3056,7 @@
/* see RFC 7748 sec. 5 para. 5 */
if (mbedtls_mpi_get_bit(d, 0) != 0 ||
mbedtls_mpi_get_bit(d, 1) != 0 ||
- mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
+ mbedtls_mpi_bitlen(d) != grp->nbits + 1) { /* mbedtls_mpi_bitlen is one-based! */
return MBEDTLS_ERR_ECP_INVALID_KEY;
}
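Review bot: The trailing comment on the rewritten comparison still only says that mbedtls_mpi_bitlen is one-based, which does not tell a reader why the `- 1` moved to the other side as `+ 1`. Presumably the point is that `mbedtls_mpi_bitlen(d) - 1` wraps when d is zero and the bit length is 0; the result of the check is the same either way, but the new form avoids the unsigned wrap. Since this is the RFC 7748 private-key format check, I would spell that out, e.g. `/* top set bit must be bit grp->nbits; compare against nbits + 1 so a zero d cannot wrap the subtraction */`. The enclosing function starts and ends outside the hunk.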
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2bbe3a5..b576f95 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3969,9 +3969,13 @@
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t required_hash_length;
- if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
return PSA_ERROR_NOT_SUPPORTED;
}
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+ if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
if (!can_do_interruptible_sign_verify(alg)) {
return PSA_ERROR_NOT_SUPPORTED;
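Review bot: The new family check returns `PSA_ERROR_INVALID_ARGUMENT` for every non-Weierstrass curve with no comment saying why, both here and in the identical block added in the `@@ -4188` hunk. That status fits Montgomery keys, which cannot sign at all, but a twisted-Edwards key used with a hash-and-sign EdDSA algorithm looks like a valid but unimplemented combination, for which the neighbouring checks return `PSA_ERROR_NOT_SUPPORTED`; whether that case matters depends on code outside the hunk. I would add `/* Only Weierstrass curves are handled by the interruptible sign/verify path */` above both checks and confirm the status choice against the generated op_fail expectations. The two blocks are identical and could share one small static helper. Both functions start and end outside their hunks.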
@@ -4188,6 +4192,10 @@
if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
return PSA_ERROR_NOT_SUPPORTED;
}
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
+ if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
if (!can_do_interruptible_sign_verify(alg)) {
return PSA_ERROR_NOT_SUPPORTED;
diff --git a/scripts/config.py b/scripts/config.py
index 957127e..47d74ce 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -286,11 +286,7 @@
# Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto
# build system to build its crypto library. When it does, the
# condition can just be removed.
- _path_in_tree = ('include/psa/crypto_config.h'
- if not os.path.isdir(os.path.join(os.path.dirname(__file__),
- os.pardir,
- 'tf-psa-crypto')) else
- 'tf-psa-crypto/include/psa/crypto_config.h')
+ _path_in_tree = 'include/psa/crypto_config.h'
default_path = [_path_in_tree,
os.path.join(os.path.dirname(__file__),
os.pardir,
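Review bot: The three comment lines kept above the new `_path_in_tree` assignment still describe a temporary condition that "can just be removed", but this hunk removes that condition, so the comment now documents code that no longer exists. Drop those lines or replace them with a short statement of what the value is, for example `# Location of the PSA crypto config header inside the source tree.` The `default_path` list continues past the end of the hunk.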
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 31d678d..35a1eb2 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -33,41 +33,6 @@
r'.*\b(?:' + r'|'.join(words) + r')\b.*',
re.DOTALL)
- # generate_psa_tests.py generates test cases involving cryptographic
- # mechanisms (key types, families, algorithms) that are declared but
- # not implemented. Until we improve the Python scripts, ignore those
- # test cases in the analysis.
- # https://github.com/Mbed-TLS/mbedtls/issues/9572
- _PSA_MECHANISMS_NOT_IMPLEMENTED = [
- r'CBC_MAC',
- r'DETERMINISTIC_DSA',
- r'DET_DSA',
- r'DSA',
- r'ECC_KEY_PAIR\(BRAINPOOL_P_R1\) (?:160|192|224|320)-bit',
- r'ECC_KEY_PAIR\(SECP_K1\) 225-bit',
- r'ECC_PAIR\(BP_R1\) (?:160|192|224|320)-bit',
- r'ECC_PAIR\(SECP_K1\) 225-bit',
- r'ECC_PUBLIC_KEY\(BRAINPOOL_P_R1\) (?:160|192|224|320)-bit',
- r'ECC_PUBLIC_KEY\(SECP_K1\) 225-bit',
- r'ECC_PUB\(BP_R1\) (?:160|192|224|320)-bit',
- r'ECC_PUB\(SECP_K1\) 225-bit',
- r'ED25519PH',
- r'ED448PH',
- r'PEPPER',
- r'PURE_EDDSA',
- r'SECP_R2',
- r'SECT_K1',
- r'SECT_R1',
- r'SECT_R2',
- r'SHAKE256_512',
- r'SHA_512_224',
- r'SHA_512_256',
- r'TWISTED_EDWARDS',
- r'XTS',
- ]
- PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE = \
- _has_word_re(_PSA_MECHANISMS_NOT_IMPLEMENTED)
-
IGNORED_TESTS = {
'ssl-opt': [
# We don't run ssl-opt.sh with Valgrind on the CI because
@@ -237,18 +202,6 @@
'PSA import DH_PUBLIC_KEY(RFC7919) 2048-bit group not supported',
],
'test_suite_psa_crypto_op_fail.generated': [
- # Ignore mechanisms that are not implemented, except
- # for test cases that assume the mechanism is not supported.
- _has_word_re(_PSA_MECHANISMS_NOT_IMPLEMENTED,
- exclude=(r'.*: !(?:' +
- r'|'.join(_PSA_MECHANISMS_NOT_IMPLEMENTED) +
- r')\b')),
- # Incorrect dependency generation. To be fixed as part of the
- # resolution of https://github.com/Mbed-TLS/mbedtls/issues/9167
- # by forward-porting the commit
- # "PSA test case generation: dependency inference class: operation fail"
- # from https://github.com/Mbed-TLS/mbedtls/pull/9025 .
- re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'),
# We don't test this unusual, but sensible configuration.
# https://github.com/Mbed-TLS/mbedtls/issues/9592
re.compile(r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*'),
@@ -265,6 +218,12 @@
# differing from PSA_WANT_ALG_RSA_PSS.
# https://github.com/Mbed-TLS/mbedtls/issues/9578
re.compile(r'PSA sign RSA_PSS_ANY_SALT.*!(?:MD|RIPEMD|SHA).*'),
+ # We don't test with ECDH disabled but the key type enabled.
+ # https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/161
+ re.compile(r'PSA key_agreement.* !ECDH with ECC_KEY_PAIR\(.*'),
+ # We don't test with FFDH disabled but the key type enabled.
+ # https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/160
+ re.compile(r'PSA key_agreement.* !FFDH with DH_KEY_PAIR\(.*'),
],
'test_suite_psa_crypto_op_fail.misc': [
# We don't test this unusual, but sensible configuration.
diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh
index 0db7885..a6da8e6 100644
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@@ -115,7 +115,11 @@
make
./cmake_package
if [[ "$OSTYPE" == linux* ]]; then
- PKG_CONFIG_PATH="${build_variant_dir}/mbedtls/pkgconfig" ${root_dir}/tests/scripts/pkgconfig.sh
+ PKG_CONFIG_PATH="${build_variant_dir}/mbedtls/pkgconfig" \
+ ${root_dir}/framework/scripts/pkgconfig.sh \
+ mbedtls mbedx509 mbedcrypto
+ # These are the EXPECTED package names. Renaming these could break
+ # consumers of pkg-config, consider carefully.
fi
}
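Review bot: The relocated comment about the expected package names now sits after the command it explains; moving it above the `PKG_CONFIG_PATH=...` line would make it read as the reason for the three arguments. The script path on the added line is unquoted, and `"${root_dir}/framework/scripts/pkgconfig.sh" \` would survive a checkout path that contains spaces. The call also relies on the framework submodule commit pinned in this change providing `scripts/pkgconfig.sh` and accepting package names as arguments, which cannot be confirmed from this page. The enclosing function starts outside the hunk.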
@@ -212,4 +216,3 @@
support_build_cmake_programs_no_testing () {
support_test_cmake_out_of_source
}
-
diff --git a/tests/scripts/pkgconfig.sh b/tests/scripts/pkgconfig.sh
deleted file mode 100755
index 2702bfa..0000000
--- a/tests/scripts/pkgconfig.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# Purpose
-#
-# Test pkgconfig files.
-#
-# For each of the build pkg-config files, .pc files, check that
-# they validate and do some basic sanity testing on the output,
-# i.e. that the strings are non-empty.
-#
-# NOTE: This requires the built pc files to be on the pkg-config
-# search path, this can be controlled with env variable
-# PKG_CONFIG_PATH. See man(1) pkg-config for details.
-#
-
-set -e -u
-
-# These are the EXPECTED package names. Renaming these could break
-# consumers of pkg-config, consider carefully.
-all_pcs="mbedtls mbedx509 mbedcrypto"
-
-for pc in $all_pcs; do
- printf "testing package config file: ${pc} ... "
- pkg-config --validate "${pc}"
- version="$(pkg-config --modversion "${pc}")"
- test -n "$version"
- cflags="$(pkg-config --cflags "${pc}")"
- test -n "$cflags"
- libs="$(pkg-config --libs "${pc}")"
- test -n "$libs"
- printf "passed\n"
-done
-
-exit 0