Merge pull request #9841 from gilles-peskine-arm/psa-storage-test-cases-never-supported-positive-dev

Switch generate_psa_test.py to automatic dependencies for positive test cases

Author: gilles-peskine-arm

Makefile

@@ -49,11 +49,14 @@ tests: mbedtls_test
 mbedtls_test:
 	$(MAKE) -C tests mbedtls_test
 
-library/%:
+.PHONY: FORCE
+FORCE:
+
+library/%: FORCE
 	$(MAKE) -C library $*
-programs/%:
+programs/%: FORCE
 	$(MAKE) -C programs $*
-tests/%:
+tests/%: FORCE
 	$(MAKE) -C tests $*
 
 .PHONY: generated_files

configs/ext/crypto_config_profile_medium.h

@@ -198,12 +198,6 @@
 //#define PSA_WANT_ECC_MONTGOMERY_255             1
 //#define PSA_WANT_ECC_MONTGOMERY_448             1
 //#define PSA_WANT_ECC_SECP_K1_192                1
-/*
- * SECP224K1 is buggy via the PSA API in Mbed TLS
- * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
- * default.
- */
-//#define PSA_WANT_ECC_SECP_K1_224                1
 //#define PSA_WANT_ECC_SECP_K1_256                1
 //#define PSA_WANT_ECC_SECP_R1_192                1
 //#define PSA_WANT_ECC_SECP_R1_224                1

include/mbedtls/check_config.h

@@ -43,7 +43,6 @@
     defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
     defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
     defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
-    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
     defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
     defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
     defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \

library/ssl_tls.c

@@ -6251,9 +6251,6 @@ static const struct {
 #if defined(PSA_WANT_ECC_SECP_R1_224)
     { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
 #endif
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-    { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
-#endif
 #if defined(PSA_WANT_ECC_SECP_R1_192)
     { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
 #endif

programs/ssl/ssl_test_lib.c

@@ -518,11 +518,6 @@ static const struct {
 #else
     { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 },
 #endif
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
-    { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 1 },
-#else
-    { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 0 },
-#endif
 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
     { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 },
 #else

scripts/config.py

@@ -60,13 +60,8 @@ def realfull_adapter(_name, _value, _active):
     'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR'
 ])
 
-PSA_UNSTABLE_FEATURE = frozenset([
-    'PSA_WANT_ECC_SECP_K1_224'
-])
-
 EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \
-                      PSA_DEPRECATED_FEATURE | \
-                      PSA_UNSTABLE_FEATURE
+                      PSA_DEPRECATED_FEATURE
 
 # The goal of the full configuration is to have everything that can be tested
 # together. This includes deprecated or insecure options. It excludes:
@@ -114,7 +109,6 @@ def realfull_adapter(_name, _value, _active):
     'MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE', # only relevant for embedded devices
     *PSA_UNSUPPORTED_FEATURE,
     *PSA_DEPRECATED_FEATURE,
-    *PSA_UNSTABLE_FEATURE
 ])
 
 def is_seamless_alt(name):
@@ -367,8 +361,6 @@ def set(self, name, value='1'):
 
         if name in PSA_UNSUPPORTED_FEATURE:
             raise ValueError(f'Feature is unsupported: \'{name}\'')
-        if name in PSA_UNSTABLE_FEATURE:
-            raise ValueError(f'Feature is unstable: \'{name}\'')
 
         if name not in self.settings:
             self._get_configfile().templates.append((name, '', '#define ' + name + ' '))
@@ -417,8 +409,6 @@ def set(self, name, value=None):
         if configfile == self.crypto_configfile:
             if name in PSA_UNSUPPORTED_FEATURE:
                 raise ValueError(f'Feature is unsupported: \'{name}\'')
-            if name in PSA_UNSTABLE_FEATURE:
-                raise ValueError(f'Feature is unstable: \'{name}\'')
 
             # The default value in the crypto config is '1'
             if not value and re.match(self._crypto_regexp, name):

tests/Makefile

@@ -127,6 +127,7 @@ generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_test_case.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py
 generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
 ## The generated file only depends on the options that are present in

tests/scripts/analyze_outcomes.py

@@ -132,8 +132,6 @@ def _has_word_re(words: typing.Iterable[str],
             'Config: PSA_WANT_ALG_CBC_MAC',
             # Algorithm declared but not supported.
             'Config: PSA_WANT_ALG_XTS',
-            # Family declared but not supported.
-            'Config: PSA_WANT_ECC_SECP_K1_224',
             # More granularity of key pair type enablement macros
             # than we care to test.
             # https://github.com/Mbed-TLS/mbedtls/issues/9590
@@ -200,16 +198,6 @@ def _has_word_re(words: typing.Iterable[str],
             # https://github.com/Mbed-TLS/mbedtls/issues/9592
             re.compile(r'.*ECDSA.*only deterministic supported'),
         ],
-        'test_suite_psa_crypto_generate_key.generated': [
-            # Ignore mechanisms that are not implemented, except
-            # for public keys for which we always test that
-            # psa_generate_key() returns PSA_ERROR_INVALID_ARGUMENT
-            # regardless of whether the specific key type is supported.
-            _has_word_re((mech
-                          for mech in _PSA_MECHANISMS_NOT_IMPLEMENTED
-                          if not mech.startswith('ECC_PUB')),
-                         exclude=r'ECC_PUB'),
-        ],
         'test_suite_psa_crypto_metadata': [
             # Algorithms declared but not supported.
             # https://github.com/Mbed-TLS/mbedtls/issues/9579
@@ -223,10 +211,6 @@ def _has_word_re(words: typing.Iterable[str],
             'MAC: CBC_MAC-AES-256',
         ],
         'test_suite_psa_crypto_not_supported.generated': [
-            # It is a bug that not-supported test cases aren't getting
-            # run for never-implemented key types.
-            # https://github.com/Mbed-TLS/mbedtls/issues/7915
-            PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
             # We never test with DH key support disabled but support
             # for a DH group enabled. The dependencies of these test
             # cases don't really make sense.
@@ -265,12 +249,6 @@ def _has_word_re(words: typing.Iterable[str],
             # https://github.com/Mbed-TLS/mbedtls/issues/9592
             'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long
         ],
-        'test_suite_psa_crypto_storage_format.current': [
-            PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
-        ],
-        'test_suite_psa_crypto_storage_format.v0': [
-            PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
-        ],
         'tls13-misc': [
             # Disabled due to OpenSSL bug.
             # https://github.com/openssl/openssl/issues/10714

tests/ssl-opt.sh

@@ -2690,13 +2690,6 @@ requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
 run_test_psa_force_curve "brainpoolP256r1"
 requires_config_enabled PSA_WANT_ECC_SECP_R1_224
 run_test_psa_force_curve "secp224r1"
-## SECP224K1 is buggy via the PSA API
-## (https://github.com/Mbed-TLS/mbedtls/issues/3541),
-## so it is disabled in PSA even when it's enabled in Mbed TLS.
-## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but
-## dependencies on PSA symbols in ssl-opt.sh are not implemented yet.
-#requires_config_enabled PSA_WANT_ECC_SECP_K1_224
-#run_test_psa_force_curve "secp224k1"
 requires_config_enabled PSA_WANT_ECC_SECP_R1_192
 run_test_psa_force_curve "secp192r1"
 requires_config_enabled PSA_WANT_ECC_SECP_K1_192

tests/suites/test_suite_ssl.function

@@ -3595,11 +3595,6 @@ void elliptic_curve_get_properties()
 #else
     TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
 #endif
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-    TEST_AVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224);
-#else
-    TEST_UNAVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224);
-#endif
 #if defined(PSA_WANT_ECC_SECP_R1_192)
     TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
 #else