Merge pull request #10344 from valeriosetti/issue10283-development

[development] Remove 224-bit curves & Remove 192-bit curves from TLS & X.509 (2/3)

tests/scripts/depends.py

@@ -257,20 +257,27 @@ REVERSE_DEPENDENCIES = {
     'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
     'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
 
+    # These reverse dependencies can be removed as part of issue
+    # tf-psa-crypto#364.
     'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
     'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
     'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'],
     'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'],
     'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'],
-    'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
-    'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
     'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE',
                                  'MBEDTLS_ECP_DP_SECP256R1_ENABLED'],
     'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'],
     'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'],
-    'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
     'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'],
 
+    # Support for secp224[k|r]1 was removed in tfpsacrypto#408 while
+    # secp192[k|r]1 were kept only for internal testing (hidden to the end
+    # user). We need to keep these reverse dependencies here until
+    # symbols are hidden/removed from crypto_config.h.
+    'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
+    'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
+    'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
+
     'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA',
                            'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
                            'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
@@ -482,9 +489,7 @@ class DomainData:
                         if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)}
 
         # Find elliptic curve enabling macros by name.
-        # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves
-        curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|'
-                                                     r'MBEDTLS_ECP_DP_SECP224K1_ENABLED')
+        curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z')
 
         # Find key exchange enabling macros by name.
         key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z')

tests/scripts/set_psa_test_dependencies.py

@@ -27,13 +27,9 @@ CLASSIC_DEPENDENCIES = frozenset([
     'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS',
     'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN',
     'MBEDTLS_CIPHER_PADDING_ZEROS',
-    #curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED',
-    #curve#'MBEDTLS_ECP_DP_SECP224R1_ENABLED',
     #curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED',
     #curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED',
     #curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED',
-    #curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED',
-    #curve#'MBEDTLS_ECP_DP_SECP224K1_ENABLED',
     #curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED',
     #curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED',
     #curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED',

tests/ssl-opt.sh

@@ -2659,12 +2659,6 @@ requires_config_enabled PSA_WANT_ECC_SECP_K1_256
 run_test_psa_force_curve "secp256k1"
 requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
 run_test_psa_force_curve "brainpoolP256r1"
-requires_config_enabled PSA_WANT_ECC_SECP_R1_224
-run_test_psa_force_curve "secp224r1"
-requires_config_enabled PSA_WANT_ECC_SECP_R1_192
-run_test_psa_force_curve "secp192r1"
-requires_config_enabled PSA_WANT_ECC_SECP_K1_192
-run_test_psa_force_curve "secp192k1"
 
 # Test current time in ServerHello
 requires_config_enabled MBEDTLS_HAVE_TIME

tests/suites/test_suite_ssl.function

@@ -3537,9 +3537,9 @@ exit:
 /* BEGIN_CASE */
 void conf_group()
 {
-    uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
-                                       MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
-                                       MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+    uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+                                       MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+                                       MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
                                        MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
 
     mbedtls_ssl_config conf;
@@ -4050,21 +4050,6 @@ void elliptic_curve_get_properties()
 #else
     TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
 #endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
-    TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
-#else
-    TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_192)
-    TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
-#else
-    TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_192)
-    TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
-#else
-    TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
-#endif
 #if defined(PSA_WANT_ECC_MONTGOMERY_255)
     TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
 #else