From 1c49cff468c4b56ec076638f63c91ce24e8c3025 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 23 Sep 2024 14:38:59 +0200 Subject: [PATCH 1/5] Use PSA macros for the `curves` domain Exclude the SECP224K1 curve due it is unstable via the PSA API. Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 68 ++++++++++++++++++++++++++-------------- 1 file changed, 44 insertions(+), 24 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index f7fc60f579..2765e72b3d 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -274,21 +274,21 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'], 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'], - 'MBEDTLS_ECP_DP_BP256R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_256'], - 'MBEDTLS_ECP_DP_BP384R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_384'], - 'MBEDTLS_ECP_DP_BP512R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_512'], - 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_255'], - 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_448'], - 'MBEDTLS_ECP_DP_SECP192R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_192'], - 'MBEDTLS_ECP_DP_SECP224R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_224'], - 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_256', - 'PSA_WANT_ALG_JPAKE', - 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_ECP_DP_SECP384R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_384'], - 'MBEDTLS_ECP_DP_SECP512R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_512'], - 'MBEDTLS_ECP_DP_SECP521R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_521'], - 'MBEDTLS_ECP_DP_SECP192K1_ENABLED': ['PSA_WANT_ECC_SECP_K1_192'], - 'MBEDTLS_ECP_DP_SECP256K1_ENABLED': ['PSA_WANT_ECC_SECP_K1_256'], + 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], + 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], + 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], + 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'], + 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_256': ['MBEDTLS_ECJPAKE_C', + 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_512': ['MBEDTLS_ECP_DP_SECP512R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], + 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], + 'PSA_WANT_ECC_SECP_K1_224': ['MBEDTLS_ECP_DP_SECP224K1_ENABLED'], + 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', @@ -362,12 +362,12 @@ REVERSE_DEPENDENCIES = { EXCLUSIVE_GROUPS = { 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C', '-MBEDTLS_SSL_TLS_C'], - 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['-MBEDTLS_ECDSA_C', - '-MBEDTLS_ECDSA_DETERMINISTIC', - '-MBEDTLS_ECJPAKE_C',], - 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['-MBEDTLS_ECDSA_C', - '-MBEDTLS_ECDSA_DETERMINISTIC', - '-MBEDTLS_ECJPAKE_C'], + 'PSA_WANT_ECC_MONTGOMERY_448': ['-MBEDTLS_ECDSA_C', + '-MBEDTLS_ECDSA_DETERMINISTIC', + '-MBEDTLS_ECJPAKE_C',], + 'PSA_WANT_ECC_MONTGOMERY_255': ['-MBEDTLS_ECDSA_C', + '-MBEDTLS_ECDSA_DETERMINISTIC', + '-MBEDTLS_ECJPAKE_C'], 'PSA_WANT_KEY_TYPE_ARIA': ['-PSA_WANT_ALG_CMAC', '-PSA_WANT_ALG_CCM', '-PSA_WANT_ALG_GCM', @@ -512,8 +512,23 @@ class DomainData: # Find hash modules by name. hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z') - # Find elliptic curve enabling macros by name. - curve_symbols = self.config_symbols_matching(r'MBEDTLS_ECP_DP_\w+_ENABLED\Z') + + # Find elliptic curve enabling macros + # Mapping is needed for PSA_WANT_ECC_SECP_K1_224 because it actually uses 225 bits. + key_type_mapping = {('PSA_ECC_FAMILY_SECP_K1', '225'): ('PSA_ECC_FAMILY_SECP_K1', '224')} + def get_symbol_from_key_type(key_type_family, bit_size): + (family_name, corrected_bit_size) = key_type_mapping.get((key_type_family, bit_size), + (key_type_family, bit_size)) + symbol = psa_information.finish_family_dependency(family_name, corrected_bit_size) + return psa_information.psa_want_symbol(symbol) + + curve_symbols = {symbol + for symbol in (get_symbol_from_key_type(key_type.family_name, bit_size) + for key_type in key_types + if key_type.family_name in psa_info.ecc_curves + for bit_size in key_type.sizes_to_test()) + if symbol in self.all_config_symbols} + # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') @@ -541,8 +556,13 @@ class DomainData: 'cipher_padding': ExclusiveDomain(cipher_padding_symbols, build_and_test), + # Elliptic curves. Run the test suites. - 'curves': ExclusiveDomain(curve_symbols, build_and_test), + # The SECP_K1_224 is not stable via the PSA API. + # See https://github.com/Mbed-TLS/mbedtls/issues/3541 + 'curves': ExclusiveDomain(curve_symbols, + build_and_test, + exclude=r'PSA_WANT_ECC_SECP_K1_224'), # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used # across various modules, but it depends on either SHA256 or SHA512. From 0a2f257492a239138537d78e3aec23069adf9a96 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Fri, 10 Jan 2025 17:39:55 +0100 Subject: [PATCH 2/5] Use symbol matching for the curves domain Instead of using the `crypto_knowledge.py`, use basic symbol matching for the `PSA_WANT_ECC_*` macros to search for in the `curves` domain of `depend.py`. Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) mode change 100755 => 100644 tests/scripts/depends.py diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py old mode 100755 new mode 100644 index 2765e72b3d..2d5f49b8ae --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -514,20 +514,7 @@ class DomainData: hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z') # Find elliptic curve enabling macros - # Mapping is needed for PSA_WANT_ECC_SECP_K1_224 because it actually uses 225 bits. - key_type_mapping = {('PSA_ECC_FAMILY_SECP_K1', '225'): ('PSA_ECC_FAMILY_SECP_K1', '224')} - def get_symbol_from_key_type(key_type_family, bit_size): - (family_name, corrected_bit_size) = key_type_mapping.get((key_type_family, bit_size), - (key_type_family, bit_size)) - symbol = psa_information.finish_family_dependency(family_name, corrected_bit_size) - return psa_information.psa_want_symbol(symbol) - - curve_symbols = {symbol - for symbol in (get_symbol_from_key_type(key_type.family_name, bit_size) - for key_type in key_types - if key_type.family_name in psa_info.ecc_curves - for bit_size in key_type.sizes_to_test()) - if symbol in self.all_config_symbols} + curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z') # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') From 069e3e6fe7201263f5ed48efea4a1e275dfacfe3 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Fri, 10 Jan 2025 17:44:41 +0100 Subject: [PATCH 3/5] Remove reference for `PSA_WANT_ALG_SECP_K1_224` The `PSA_WANT_ALG_SECP_K1_224` symbol has been removed. Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) mode change 100644 => 100755 tests/scripts/depends.py diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py old mode 100644 new mode 100755 index 2d5f49b8ae..8db4ec9426 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -287,7 +287,6 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ECC_SECP_R1_512': ['MBEDTLS_ECP_DP_SECP512R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], - 'PSA_WANT_ECC_SECP_K1_224': ['MBEDTLS_ECP_DP_SECP224K1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', @@ -545,11 +544,8 @@ class DomainData: build_and_test), # Elliptic curves. Run the test suites. - # The SECP_K1_224 is not stable via the PSA API. - # See https://github.com/Mbed-TLS/mbedtls/issues/3541 - 'curves': ExclusiveDomain(curve_symbols, - build_and_test, - exclude=r'PSA_WANT_ECC_SECP_K1_224'), + 'curves': ExclusiveDomain(curve_symbols, build_and_test), + # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used # across various modules, but it depends on either SHA256 or SHA512. From fe14d85b7cb07c14fdce6ec7d510aff881823549 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Fri, 17 Jan 2025 12:41:58 +0100 Subject: [PATCH 4/5] Remove unused symbol Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 8db4ec9426..ac3ba9c466 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -284,7 +284,6 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ECC_SECP_R1_256': ['MBEDTLS_ECJPAKE_C', 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_512': ['MBEDTLS_ECP_DP_SECP512R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], From 7554eeaf4c6000116fec9c19c3237601d95a6e22 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 27 Jan 2025 11:17:10 +0100 Subject: [PATCH 5/5] Disable 224K1 while testing the other curves Signed-off-by: Gabor Mezei --- tests/scripts/depends.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index ac3ba9c466..2e8df33b58 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -512,7 +512,9 @@ class DomainData: hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z') # Find elliptic curve enabling macros - curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z') + # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves + curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|' + r'MBEDTLS_ECP_DP_SECP224K1_ENABLED') # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') @@ -543,7 +545,8 @@ class DomainData: build_and_test), # Elliptic curves. Run the test suites. - 'curves': ExclusiveDomain(curve_symbols, build_and_test), + 'curves': ExclusiveDomain(curve_symbols, build_and_test, + exclude=r'MBEDTLS_ECP_DP_SECP224K1_ENABLED'), # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used