Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Driver-only ECDH starter #7142

Merged
merged 7 commits into from
Mar 7, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 121 additions & 7 deletions tests/scripts/all.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2063,8 +2063,8 @@ component_test_psa_crypto_config_accel_ecdsa () {
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"

# Configure and build the test driver library
# -------------------------------------------
# Configure and build the main libraries
# --------------------------------------

# Start from default config (no USE_PSA) + driver support + TLS 1.3
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
Expand All @@ -2082,7 +2082,7 @@ component_test_psa_crypto_config_accel_ecdsa () {
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"

# Make sure ECDSA was not re-enabled by accident (additive config)
# Make sure this was not re-enabled by accident (additive config)
not grep mbedtls_ecdsa_ library/ecdsa.o

# Run the tests
Expand All @@ -2092,7 +2092,7 @@ component_test_psa_crypto_config_accel_ecdsa () {
make test
}

# Auxiliary function to build config for hashes with and without drivers
# Auxiliary function to build config for ECDSA with and without drivers
config_psa_crypto_config_ecdsa_use_psa () {
DRIVER_ONLY="$1"
# start with config full for maximum coverage (also enables USE_PSA)
Expand Down Expand Up @@ -2183,35 +2183,149 @@ component_test_psa_crypto_config_reference_ecdsa_use_psa () {
component_test_psa_crypto_config_accel_ecdh () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"

# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"

# Configure and build the test driver library
# -------------------------------------------

# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING

loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"

# Configure and build the main libraries
# --------------------------------------

# Start from default config (no USE_PSA or TLS 1.3) + driver support
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3

# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDH_C

# Disable things that depend on it
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
AndrzejKurek marked this conversation as resolved.
Show resolved Hide resolved
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED

# Build the main library
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"

# Make sure this was not re-enabled by accident (additive config)
not grep mbedtls_ecdh_ library/ecdh.o

# Run the tests
# -------------

msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"
make test
}

# Auxiliary function to build config for ECDH with and without drivers.
#
# This is used by the two following components to ensure they always use the
# same config, except for the use of driver or built-in ECDH:
# - component_test_psa_crypto_config_accel_ecdh_use_psa;
# - component_test_psa_crypto_config_reference_ecdh_use_psa.
# This support comparing their test coverage with analyze_outcomes.py.
config_psa_crypto_config_ecdh_use_psa () {
DRIVER_ONLY="$1"
# start with config full for maximum coverage (also enables USE_PSA)
scripts/config.py full
# enable support for drivers and configuring PSA-only algorithms
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
if [ "$DRIVER_ONLY" -eq 1 ]; then
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDH_C
fi
# Disable things that depend on it (regardless of driver or built-in)
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED

scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
# Note: the above two lines should be enough, but currently there's a bug
# that prevents tests from passing TLS 1.3 with only PSK (no ephemeral)
# when TLS 1.2 is also enabled, see #6848.
# So, as a temporary measure disable all of TLS 1.3.
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3

# Restartable feature is not yet supported by PSA. Once it will in
# the future, the following line could be removed (see issues
# 6061, 6332 and following ones)
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
}

# Keep in sync with component_test_psa_crypto_config_reference_ecdh_use_psa
component_test_psa_crypto_config_accel_ecdh_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"

# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"

# Configure and build the test driver library
# -------------------------------------------

# Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
# partial support for cipher operations in the driver test library.
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING

loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"

# Configure and build the main libraries
# --------------------------------------

# Use the same config as reference, only without built-in ECDH
config_psa_crypto_config_ecdh_use_psa 1

# Build the main library
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"

# Make sure this was not re-enabled by accident (additive config)
not grep mbedtls_ecdh_ library/ecdh.o

# Run the tests
# -------------

msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
make test

# ssl-opt.sh later (probably doesn't pass right now)
}

# Keep in sync with component_test_psa_crypto_config_accel_ecdh_use_psa.
# Used by tests/scripts/analyze_outcomes.py for comparison purposes.
component_test_psa_crypto_config_reference_ecdh_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"

# To be aligned with the accel component that needs this
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING

config_psa_crypto_config_ecdh_use_psa 0

make

msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
make test

# ssl-opt.sh later when the accel component is ready
}

component_test_psa_crypto_config_accel_rsa_signature () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"

Expand Down
12 changes: 12 additions & 0 deletions tests/scripts/analyze_outcomes.py
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,18 @@ def do_analyze_driver_vs_reference(outcome_file, args):
}
}
},
'analyze_driver_vs_reference_ecdh': {
'test_function': do_analyze_driver_vs_reference,
'args': {
'component_ref': 'test_psa_crypto_config_reference_ecdh_use_psa',
'component_driver': 'test_psa_crypto_config_accel_ecdh_use_psa',
'ignored_suites': [
'ecdh', # the software implementation that's excluded
],
'ignored_tests': {
}
}
},
}

def main():
Expand Down
4 changes: 2 additions & 2 deletions tests/suites/test_suite_psa_crypto.data
Original file line number Diff line number Diff line change
Expand Up @@ -1061,7 +1061,7 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MB
raw_agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_FFDH:PSA_ERROR_NOT_PERMITTED

PSA key policy: raw agreement, key permits raw agreement, but algorithm is not raw
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_ECDH_C
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
raw_agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_SUPPORTED

PSA key policy: raw agreement, key specifies KDF
Expand Down Expand Up @@ -6232,7 +6232,7 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY
key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_INVALID_ARGUMENT

PSA key agreement setup: ECDH, unknown KDF
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_ECDH_C
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_NOT_SUPPORTED

PSA key agreement setup: bad key agreement algorithm
Expand Down