Merge pull request #9796 from gilles-peskine-arm/psa-storage-test-cas…

…es-never-supported-positive-3.6 Backport 3.6: Switch generate_psa_test.py to automatic dependencies for positive test cases
Mbed-TLS · Jan 9, 2025 · 9058998 · 9058998
2 parents 70d83c9 + b62279d
commit 9058998
Show file tree

Hide file tree

Showing 10 changed files with 9 additions and 100 deletions.
diff --git a/Makefile b/Makefile
@@ -46,11 +46,14 @@ tests: lib mbedtls_test
 mbedtls_test:
 	$(MAKE) -C tests mbedtls_test
 
-library/%:
+.PHONY: FORCE
+FORCE:
+
+library/%: FORCE
 	$(MAKE) -C library $*
-programs/%:
+programs/%: FORCE
 	$(MAKE) -C programs $*
-tests/%:
+tests/%: FORCE
 	$(MAKE) -C tests $*
 
 .PHONY: generated_files

diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h
@@ -69,7 +69,6 @@
     (defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \
     (defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \
     (defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \
-    (defined(PSA_WANT_ECC_SECP_K1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)) || \
     (defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256))
 #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
 #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
@@ -225,17 +224,6 @@
 #endif /* missing accel */
 #endif /* PSA_WANT_ECC_SECP_K1_192 */
 
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
-/* https://github.com/Mbed-TLS/mbedtls/issues/3541 */
-#error "SECP224K1 is buggy via the PSA API in Mbed TLS."
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_K1_224 */
-
 #if defined(PSA_WANT_ECC_SECP_K1_256)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
@@ -782,13 +770,6 @@
 #define PSA_HAVE_SOFT_BLOCK_CIPHER 1
 #endif
 
-#if defined(PSA_WANT_ALG_CBC_MAC)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
-#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS."
-#define MBEDTLS_PSA_BUILTIN_ALG_CBC_MAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_CBC_MAC */
-#endif /* PSA_WANT_ALG_CBC_MAC */
-
 #if defined(PSA_WANT_ALG_CMAC)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
     defined(PSA_HAVE_SOFT_BLOCK_CIPHER)

diff --git a/include/mbedtls/config_adjust_psa_superset_legacy.h b/include/mbedtls/config_adjust_psa_superset_legacy.h
@@ -136,13 +136,6 @@
 #endif /* PSA_WANT_ECC_SECP_K1_192 */
 #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
 
-/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */
-#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_K1_224)
-#define PSA_WANT_ECC_SECP_K1_224 1
-#endif /* PSA_WANT_ECC_SECP_K1_224 */
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
 #if !defined(PSA_WANT_ECC_SECP_K1_256)
 #define PSA_WANT_ECC_SECP_K1_256 1

diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
@@ -38,10 +38,6 @@
 #ifndef PSA_CRYPTO_CONFIG_H
 #define PSA_CRYPTO_CONFIG_H
 
-/*
- * CBC-MAC is not yet supported via the PSA API in Mbed TLS.
- */
-//#define PSA_WANT_ALG_CBC_MAC                    1
 #define PSA_WANT_ALG_CBC_NO_PADDING             1
 #define PSA_WANT_ALG_CBC_PKCS7                  1
 #define PSA_WANT_ALG_CCM                        1
@@ -84,22 +80,12 @@
 #define PSA_WANT_ALG_TLS12_PSK_TO_MS            1
 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS       1
 
-/* XTS is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#define PSA_WANT_ALG_XTS                        1
-
 #define PSA_WANT_ECC_BRAINPOOL_P_R1_256         1
 #define PSA_WANT_ECC_BRAINPOOL_P_R1_384         1
 #define PSA_WANT_ECC_BRAINPOOL_P_R1_512         1
 #define PSA_WANT_ECC_MONTGOMERY_255             1
 #define PSA_WANT_ECC_MONTGOMERY_448             1
 #define PSA_WANT_ECC_SECP_K1_192                1
-/*
- * SECP224K1 is buggy via the PSA API in Mbed TLS
- * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
- * default.
- */
-//#define PSA_WANT_ECC_SECP_K1_224                1
 #define PSA_WANT_ECC_SECP_K1_256                1
 #define PSA_WANT_ECC_SECP_R1_192                1
 #define PSA_WANT_ECC_SECP_R1_224                1

diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
@@ -71,9 +71,6 @@ static psa_status_t mbedtls_cipher_validate_values(
 #if !defined(PSA_WANT_ALG_OFB)
     MBEDTLS_ASSUME(alg != PSA_ALG_OFB);
 #endif
-#if !defined(PSA_WANT_ALG_XTS)
-    MBEDTLS_ASSUME(alg != PSA_ALG_XTS);
-#endif
 #if !defined(PSA_WANT_ALG_ECB_NO_PADDING)
     MBEDTLS_ASSUME(alg != PSA_ALG_ECB_NO_PADDING);
 #endif

diff --git a/scripts/config.py b/scripts/config.py
@@ -48,8 +48,6 @@ def realfull_adapter(_name, _value, _active):
     return True
 
 PSA_UNSUPPORTED_FEATURE = frozenset([
-    'PSA_WANT_ALG_CBC_MAC',
-    'PSA_WANT_ALG_XTS',
     'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE',
     'PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE'
 ])
@@ -59,13 +57,8 @@ def realfull_adapter(_name, _value, _active):
     'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR'
 ])
 
-PSA_UNSTABLE_FEATURE = frozenset([
-    'PSA_WANT_ECC_SECP_K1_224'
-])
-
 EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \
-                      PSA_DEPRECATED_FEATURE | \
-                      PSA_UNSTABLE_FEATURE
+                      PSA_DEPRECATED_FEATURE
 
 # The goal of the full configuration is to have everything that can be tested
 # together. This includes deprecated or insecure options. It excludes:
@@ -357,8 +350,6 @@ def set(self, name, value='1'):
 
         if name in PSA_UNSUPPORTED_FEATURE:
             raise ValueError(f'Feature is unsupported: \'{name}\'')
-        if name in PSA_UNSTABLE_FEATURE:
-            raise ValueError(f'Feature is unstable: \'{name}\'')
 
         if name not in self.settings:
             self._get_configfile().templates.append((name, '', '#define ' + name + ' '))

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -156,6 +156,7 @@ if(GEN_FILES)
             ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/macro_collector.py
             ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_information.py
             ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_storage.py
+            ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_test_case.py
             ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
             ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
             ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_config.h

diff --git a/tests/Makefile b/tests/Makefile
@@ -120,6 +120,7 @@ generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_test_case.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
 ## The generated file only depends on the options that are present in

diff --git a/tests/configs/crypto_config_test_driver_extension.h b/tests/configs/crypto_config_test_driver_extension.h
@@ -127,14 +127,6 @@
 #endif
 #endif
 
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)
-#undef MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224
-#else
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224 1
-#endif
-#endif
-
 #if defined(PSA_WANT_ECC_SECP_K1_256)
 #if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256)
 #undef MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256
@@ -367,14 +359,6 @@
 #endif
 #endif
 
-#if defined(PSA_WANT_ALG_XTS)
-#if defined(MBEDTLS_PSA_ACCEL_ALG_XTS)
-#undef MBEDTLS_PSA_ACCEL_ALG_XTS
-#else
-#define MBEDTLS_PSA_ACCEL_ALG_XTS 1
-#endif
-#endif
-
 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
 #if defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305)
 #undef MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305
@@ -600,14 +584,6 @@
 #endif
 #endif
 
-#if defined(PSA_WANT_ALG_CBC_MAC)
-#if defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
-#undef MBEDTLS_PSA_ACCEL_ALG_CBC_MAC
-#else
-#define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1
-#endif
-#endif
-
 #if defined(PSA_WANT_ALG_HMAC)
 #if defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
 #undef MBEDTLS_PSA_ACCEL_ALG_HMAC

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
@@ -211,16 +211,6 @@ def _has_word_re(words: typing.Iterable[str],
             # https://github.com/Mbed-TLS/mbedtls/issues/9592
             re.compile(r'.*ECDSA.*only deterministic supported'),
         ],
-        'test_suite_psa_crypto_generate_key.generated': [
-            # Ignore mechanisms that are not implemented, except
-            # for public keys for which we always test that
-            # psa_generate_key() returns PSA_ERROR_INVALID_ARGUMENT
-            # regardless of whether the specific key type is supported.
-            _has_word_re((mech
-                          for mech in _PSA_MECHANISMS_NOT_IMPLEMENTED
-                          if not mech.startswith('ECC_PUB')),
-                         exclude=r'ECC_PUB'),
-        ],
         'test_suite_psa_crypto_metadata': [
             # Algorithms declared but not supported.
             # https://github.com/Mbed-TLS/mbedtls/issues/9579
@@ -234,10 +224,6 @@ def _has_word_re(words: typing.Iterable[str],
             'MAC: CBC_MAC-AES-256',
         ],
         'test_suite_psa_crypto_not_supported.generated': [
-            # It is a bug that not-supported test cases aren't getting
-            # run for never-implemented key types.
-            # https://github.com/Mbed-TLS/mbedtls/issues/7915
-            PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
             # We never test with DH key support disabled but support
             # for a DH group enabled. The dependencies of these test
             # cases don't really make sense.
@@ -285,12 +271,6 @@ def _has_word_re(words: typing.Iterable[str],
             # https://github.com/Mbed-TLS/mbedtls/issues/9592
             'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long
         ],
-        'test_suite_psa_crypto_storage_format.current': [
-            PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
-        ],
-        'test_suite_psa_crypto_storage_format.v0': [
-            PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
-        ],
         'tls13-misc': [
             # Disabled due to OpenSSL bug.
             # https://github.com/openssl/openssl/issues/10714