Merge pull request #9823 from gilles-peskine-arm/docs-3.6-backport-9818

Backport 3.6: Fix discussions of MBEDTLS_USE_PSA_CRYPTO in standalone documentation
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c6d31dc..99e2169 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -315,7 +315,7 @@
 endif()
 
 if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/framework/CMakeLists.txt")
-    if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git/")
+    if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git")
         message(FATAL_ERROR "${CMAKE_CURRENT_SOURCE_DIR}CMakeLists.txt not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.")
     else ()
         message(FATAL_ERROR "${CMAKE_CURRENT_SOURCE_DIR}/CMakeLists.txt not found (and does not appear to be a git checkout). Please ensure you have downloaded the right archive from the release page on GitHub.")
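Review bot: Both FATAL_ERROR messages in this block name the wrong file. The guard tests `framework/CMakeLists.txt`, but the first message prints `${CMAKE_CURRENT_SOURCE_DIR}CMakeLists.txt` (no separator, no `framework`) and the second prints `${CMAKE_CURRENT_SOURCE_DIR}/CMakeLists.txt`, which is the top-level file rather than the submodule's. Someone reading the error cannot tell from the path that the submodule contents are what is missing. Both should start with `${CMAKE_CURRENT_SOURCE_DIR}/framework/CMakeLists.txt not found`. The enclosing `if` closes outside the hunk.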
@@ -354,18 +354,18 @@
     if(GEN_FILES)
         add_custom_command(
             OUTPUT
-                ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/src/test_keys.h
+                ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h
             WORKING_DIRECTORY
                 ${CMAKE_CURRENT_SOURCE_DIR}/tests
             COMMAND
                 "${MBEDTLS_PYTHON_EXECUTABLE}"
                 "${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py"
                 "--output"
-                "${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/src/test_keys.h"
+                "${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h"
             DEPENDS
                 ${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py
         )
-        add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/src/test_keys.h)
+        add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h)
         add_custom_command(
             OUTPUT
                 ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h
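Review bot: The generated header's path is spelled three times in this hunk (the OUTPUT, the `--output` argument and the `test_keys_header` DEPENDS), and the copies must stay identical for the custom target to find the rule's output. Holding it in one variable, for example `set(test_keys_header_path "${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include/test/test_keys.h")`, and using it in all three places would make the next move a one-line change. The first `add_custom_command` also has no `VERBATIM`, so the escaping of its COMMAND arguments is platform-dependent. The second `add_custom_command` continues outside the hunk.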
diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt
new file mode 100644
index 0000000..538f0c5
--- /dev/null
+++ b/ChangeLog.d/fix-aesni-asm-clobbers.txt
@@ -0,0 +1,5 @@
+Bugfix
+   * Fix missing constraints on the AES-NI inline assembly which is used on
+     GCC-like compilers when building AES for generic x86_64 targets. This
+     may have resulted in incorrect code with some compilers, depending on
+     optimizations. Fixes #9819.
diff --git a/Makefile b/Makefile
index 4615a44..e0edde4 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@
     ifeq (,$(wildcard framework/exported.make))
         # Use the define keyword to get a multi-line message.
         # GNU make appends ".  Stop.", so tweak the ending of our message accordingly.
-        ifeq (,$(wildcard .git))
+        ifneq (,$(wildcard .git))
             define error_message
 ${MBEDTLS_PATH}/framework/exported.make not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.
 This is a fatal error
@@ -91,6 +91,8 @@
 # present before it runs. It doesn't matter if the files aren't up-to-date,
 # they just need to be present.
 $(VISUALC_FILES): | library/generated_files
+$(VISUALC_FILES): | programs/generated_files
+$(VISUALC_FILES): | tests/generated_files
 $(VISUALC_FILES): $(gen_file_dep) scripts/generate_visualc_files.pl
 $(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-app-template.vcxproj
 $(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-main-template.vcxproj
diff --git a/framework b/framework
index df0144c..2db6804 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit df0144c4a3c0fc9beea606afde07cf8708233675
+Subproject commit 2db68049e1ba586407a1db6a37e94a1f9836142f
diff --git a/library/aesni.c b/library/aesni.c
index 8e5bd55..4fc1cb9 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -489,7 +489,7 @@
          "movdqu    %%xmm0, (%4)    \n\t" // export output
          :
          : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
-         : "memory", "cc", "xmm0", "xmm1");
+         : "memory", "cc", "xmm0", "xmm1", "0", "1");
 
 
     return 0;
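Review bot: The new clobber entries `"0"` and `"1"` look like they are meant to tell the compiler that operands %0 and %1 are changed by the asm body; the body is not visible in this hunk, so this is inferred. GCC documents clobber entries as register names plus `cc` and `memory`, and a bare number is not documented as a reference to an operand. Both operands are still declared as plain `"r"` inputs, which the compiler is allowed to assume are unchanged on exit. If the body does modify them, the documented form is to copy the values into locals and declare those as read-write outputs, `: "+r" (nr), "+r" (rk)` followed by `: "r" (mode), "r" (input), "r" (output)`, which keeps the %0–%4 numbering. The same `"0"` entry is kept in the three key-schedule hunks below (at -679, -737 and -805), where `rk` is likewise passed as an input.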
@@ -679,7 +679,7 @@
          AESKEYGENA(xmm0_xmm1, "0x36")      "call 1b \n\t"
          :
          : "r" (rk), "r" (key)
-         : "memory", "cc", "0");
+         : "memory", "cc", "xmm0", "xmm1", "0");
 }
 
 /*
@@ -737,7 +737,7 @@
 
          :
          : "r" (rk), "r" (key)
-         : "memory", "cc", "0");
+         : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
 }
 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
 
@@ -805,7 +805,7 @@
          AESKEYGENA(xmm1_xmm2, "0x40")      "call 1b \n\t"
          :
          : "r" (rk), "r" (key)
-         : "memory", "cc", "0");
+         : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
 }
 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
 
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f0ccf3d..2bbe3a5 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2319,6 +2319,58 @@
 /* Message digests */
 /****************************************************************/
 
+static int is_hash_supported(psa_algorithm_t alg)
+{
+    switch (alg) {
+#if defined(PSA_WANT_ALG_MD5)
+        case PSA_ALG_MD5:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_224)
+        case PSA_ALG_SHA3_224:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_256)
+        case PSA_ALG_SHA3_256:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_384)
+        case PSA_ALG_SHA3_384:
+            return 1;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_512)
+        case PSA_ALG_SHA3_512:
+            return 1;
+#endif
+        default:
+            return 0;
+    }
+}
+
 psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
 {
     /* Aborting a non-active operation is allowed */
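Review bot: `is_hash_supported()` is added without a comment, although the signature check later in this diff relies on it as the guard that keeps a hash larger than the core's maximum hash size away from a driver. A header such as `/* Return 1 if alg is a hash algorithm enabled in this build (PSA_WANT_ALG_xxx), 0 otherwise. */` would state that contract. It is also worth recording there that the switch fails closed: a hash algorithm enabled in the configuration without a matching case here is reported as unsupported, so the list has to be extended together with the configuration options.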
@@ -2962,16 +3014,44 @@
         if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
+    }
 
-        if (PSA_ALG_IS_SIGN_HASH(alg)) {
-            if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
-                return PSA_ERROR_INVALID_ARGUMENT;
-            }
-        }
-    } else {
-        if (!PSA_ALG_IS_SIGN_HASH(alg)) {
-            return PSA_ERROR_INVALID_ARGUMENT;
-        }
+    psa_algorithm_t hash_alg = 0;
+    if (PSA_ALG_IS_SIGN_HASH(alg)) {
+        hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+    }
+
+    /* Now hash_alg==0 if alg by itself doesn't need a hash.
+     * This is good enough for sign-hash, but a guaranteed failure for
+     * sign-message which needs to hash first for all algorithms
+     * supported at the moment. */
+
+    if (hash_alg == 0 && input_is_message) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+    if (hash_alg == PSA_ALG_ANY_HASH) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+    /* Give up immediately if the hash is not supported. This has
+     * several advantages:
+     * - For mechanisms that don't use the hash at all (e.g.
+     *   ECDSA verification, randomized ECDSA signature), without
+     *   this check, the operation would succeed even though it has
+     *   been given an invalid argument. This would not be insecure
+     *   since the hash was not necessary, but it would be weird.
+     * - For mechanisms that do use the hash, we avoid an error
+     *   deep inside the execution. In principle this doesn't matter,
+     *   but there is a little more risk of a bug in error handling
+     *   deep inside than in this preliminary check.
+     * - When calling a driver, the driver might be capable of using
+     *   a hash that the core doesn't support. This could potentially
+     *   result in a buffer overflow if the hash is larger than the
+     *   maximum hash size assumed by the core.
+     * - Returning a consistent error makes it possible to test
+     *   not-supported hashes in a consistent way.
+     */
+    if (hash_alg != 0 && !is_hash_supported(hash_alg)) {
+        return PSA_ERROR_NOT_SUPPORTED;
     }
 
     return PSA_SUCCESS;
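Review bot: With the `else` branch removed, the hash-input path in this hunk no longer rejects an algorithm that is not a sign-hash algorithm. When `input_is_message` is false and `PSA_ALG_IS_SIGN_HASH(alg)` is false, `hash_alg` stays 0, none of the three checks fires, and the function returns `PSA_SUCCESS`. The value 0 now stands both for "signature algorithm with no hash component" and for "not a signature algorithm", which the comment above the first check does not mention. Later key-policy or driver-dispatch code may still reject such an algorithm, but that is outside this hunk; keeping the explicit check right after the `hash_alg` assignment, `if (!input_is_message && !PSA_ALG_IS_SIGN_HASH(alg)) { return PSA_ERROR_INVALID_ARGUMENT; }`, preserves the old behaviour. The start of the function is outside the hunk.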
@@ -3852,6 +3932,34 @@
         * defined( MBEDTLS_ECP_RESTARTABLE ) */
 }
 
+/* Detect supported interruptible sign/verify mechanisms precisely.
+ * This is not strictly needed: we could accept everything, and let the
+ * code fail later during complete() if the mechanism is unsupported
+ * (e.g. attempting deterministic ECDSA when only the randomized variant
+ * is available). But it's easier for applications and especially for our
+ * test code to detect all not-supported errors during start().
+ *
+ * Note that this function ignores the hash component. The core code
+ * is supposed to check the hash part by calling is_hash_supported().
+ */
+static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg)
+{
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+    if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
+        return 1;
+    }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
+    if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) {
+        return 1;
+    }
+#endif
+#endif /* defined(MBEDTLS_ECP_RESTARTABLE) */
+    (void) alg;
+    return 0;
+}
+
 psa_status_t mbedtls_psa_sign_hash_start(
     mbedtls_psa_sign_hash_interruptible_operation_t *operation,
     const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
@@ -3865,7 +3973,7 @@
         return PSA_ERROR_NOT_SUPPORTED;
     }
 
-    if (!PSA_ALG_IS_ECDSA(alg)) {
+    if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
 
@@ -4081,7 +4189,7 @@
         return PSA_ERROR_NOT_SUPPORTED;
     }
 
-    if (!PSA_ALG_IS_ECDSA(alg)) {
+    if (!can_do_interruptible_sign_verify(alg)) {
         return PSA_ERROR_NOT_SUPPORTED;
     }
 
diff --git a/scripts/code_style.py b/scripts/code_style.py
deleted file mode 100755
index e98fb2b..0000000
--- a/scripts/code_style.py
+++ /dev/null
@@ -1,277 +0,0 @@
-#!/usr/bin/env python3
-"""Check or fix the code style by running Uncrustify.
-
-This script must be run from the root of a Git work tree containing Mbed TLS.
-"""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-import argparse
-import os
-import re
-import subprocess
-import sys
-from typing import FrozenSet, List, Optional
-
-UNCRUSTIFY_SUPPORTED_VERSION = "0.75.1"
-CONFIG_FILE = ".uncrustify.cfg"
-UNCRUSTIFY_EXE = "uncrustify"
-UNCRUSTIFY_ARGS = ["-c", CONFIG_FILE]
-CHECK_GENERATED_FILES = "tests/scripts/check-generated-files.sh"
-
-def print_err(*args):
-    print("Error: ", *args, file=sys.stderr)
-
-# Print the file names that will be skipped and the help message
-def print_skip(files_to_skip):
-    print()
-    print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n")
-    print("Warning: The listed files will be skipped because\n"
-          "they are not known to git.")
-    print()
-
-# Match FILENAME(s) in "check SCRIPT (FILENAME...)"
-CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)",
-                           re.ASCII)
-def list_generated_files() -> FrozenSet[str]:
-    """Return the names of generated files.
-
-    We don't reformat generated files, since the result might be different
-    from the output of the generator. Ideally the result of the generator
-    would conform to the code style, but this would be difficult, especially
-    with respect to the placement of line breaks in long logical lines.
-    """
-    # Parse check-generated-files.sh to get an up-to-date list of
-    # generated files. Read the file rather than calling it so that
-    # this script only depends on Git, Python and uncrustify, and not other
-    # tools such as sh or grep which might not be available on Windows.
-    # This introduces a limitation: check-generated-files.sh must have
-    # the expected format and must list the files explicitly, not through
-    # wildcards or command substitution.
-    content = open(CHECK_GENERATED_FILES, encoding="utf-8").read()
-    checks = re.findall(CHECK_CALL_RE, content)
-    return frozenset(word for s in checks for word in s.split())
-
-# Check for comment string indicating an auto-generated file
-AUTOGEN_RE = re.compile(r"Warning[ :-]+This file is (now )?auto[ -]?generated",
-                        re.ASCII | re.IGNORECASE)
-def is_file_autogenerated(filename):
-    content = open(filename, encoding="utf-8").read()
-    return AUTOGEN_RE.search(content) is not None
-
-def get_src_files(since: Optional[str]) -> List[str]:
-    """
-    Use git to get a list of the source files.
-
-    The optional argument since is a commit, indicating to only list files
-    that have changed since that commit. Without this argument, list all
-    files known to git.
-
-    Only C files are included, and certain files (generated, or 3rdparty)
-    are excluded.
-    """
-    file_patterns = ["*.[hc]",
-                     "tests/suites/*.function",
-                     "scripts/data_files/*.fmt"]
-    output = subprocess.check_output(["git", "ls-files"] + file_patterns,
-                                     universal_newlines=True)
-    src_files = output.split()
-
-    # When this script is called from a git hook, some environment variables
-    # are set by default which force all git commands to use the main repository
-    # (i.e. prevent us from performing commands on the framework repo).
-    # Create an environment without these variables for running commands on the
-    # framework repo.
-    framework_env = os.environ.copy()
-    # Get a list of environment vars that git sets
-    git_env_vars = subprocess.check_output(["git", "rev-parse", "--local-env-vars"],
-                                           universal_newlines=True)
-    # Remove the vars from the environment
-    for var in git_env_vars.split():
-        framework_env.pop(var, None)
-
-    output = subprocess.check_output(["git", "-C", "framework", "ls-files"]
-                                     + file_patterns,
-                                     universal_newlines=True,
-                                     env=framework_env)
-    framework_src_files = output.split()
-
-    if since:
-        # get all files changed in commits since the starting point in ...
-        # ... the main repository
-        cmd = ["git", "log", since + "..HEAD", "--ignore-submodules",
-               "--name-only", "--pretty=", "--"] + src_files
-        output = subprocess.check_output(cmd, universal_newlines=True)
-        committed_changed_files = output.split()
-
-        # ... the framework submodule
-        framework_since = get_submodule_hash(since, "framework")
-        cmd = ["git", "-C", "framework", "log", framework_since + "..HEAD",
-               "--name-only", "--pretty=", "--"] + framework_src_files
-        output = subprocess.check_output(cmd, universal_newlines=True,
-                                         env=framework_env)
-        committed_changed_files += ["framework/" + s for s in output.split()]
-
-        # and also get all files with uncommitted changes in ...
-        # ... the main repository
-        cmd = ["git", "diff", "--name-only", "--"] + src_files
-        output = subprocess.check_output(cmd, universal_newlines=True)
-        uncommitted_changed_files = output.split()
-        # ... the framework submodule
-        cmd = ["git", "-C", "framework", "diff", "--name-only", "--"] + \
-              framework_src_files
-        output = subprocess.check_output(cmd, universal_newlines=True,
-                                         env=framework_env)
-        uncommitted_changed_files += ["framework/" + s for s in output.split()]
-
-        src_files = committed_changed_files + uncommitted_changed_files
-    else:
-        src_files += ["framework/" + s for s in framework_src_files]
-
-    generated_files = list_generated_files()
-    # Don't correct style for third-party files (and, for simplicity,
-    # companion files in the same subtree), or for automatically
-    # generated files (we're correcting the templates instead).
-    src_files = [filename for filename in src_files
-                 if not (filename.startswith("3rdparty/") or
-                         filename in generated_files or
-                         is_file_autogenerated(filename))]
-    return src_files
-
-def get_submodule_hash(commit: str, submodule: str) -> str:
-    """Get the commit hash of a submodule at a given commit in the Git repository."""
-    cmd = ["git", "ls-tree", commit, submodule]
-    output = subprocess.check_output(cmd, universal_newlines=True)
-    return output.split()[2]
-
-def get_uncrustify_version() -> str:
-    """
-    Get the version string from Uncrustify
-    """
-    result = subprocess.run([UNCRUSTIFY_EXE, "--version"],
-                            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
-                            check=False)
-    if result.returncode != 0:
-        print_err("Could not get Uncrustify version:", str(result.stderr, "utf-8"))
-        return ""
-    else:
-        return str(result.stdout, "utf-8")
-
-def check_style_is_correct(src_file_list: List[str]) -> bool:
-    """
-    Check the code style and output a diff for each file whose style is
-    incorrect.
-    """
-    style_correct = True
-    for src_file in src_file_list:
-        uncrustify_cmd = [UNCRUSTIFY_EXE] + UNCRUSTIFY_ARGS + [src_file]
-        result = subprocess.run(uncrustify_cmd, stdout=subprocess.PIPE,
-                                stderr=subprocess.PIPE, check=False)
-        if result.returncode != 0:
-            print_err("Uncrustify returned " + str(result.returncode) +
-                      " correcting file " + src_file)
-            return False
-
-        # Uncrustify makes changes to the code and places the result in a new
-        # file with the extension ".uncrustify". To get the changes (if any)
-        # simply diff the 2 files.
-        diff_cmd = ["diff", "-u", src_file, src_file + ".uncrustify"]
-        cp = subprocess.run(diff_cmd, check=False)
-
-        if cp.returncode == 1:
-            print(src_file + " changed - code style is incorrect.")
-            style_correct = False
-        elif cp.returncode != 0:
-            raise subprocess.CalledProcessError(cp.returncode, cp.args,
-                                                cp.stdout, cp.stderr)
-
-        # Tidy up artifact
-        os.remove(src_file + ".uncrustify")
-
-    return style_correct
-
-def fix_style_single_pass(src_file_list: List[str]) -> bool:
-    """
-    Run Uncrustify once over the source files.
-    """
-    code_change_args = UNCRUSTIFY_ARGS + ["--no-backup"]
-    for src_file in src_file_list:
-        uncrustify_cmd = [UNCRUSTIFY_EXE] + code_change_args + [src_file]
-        result = subprocess.run(uncrustify_cmd, check=False)
-        if result.returncode != 0:
-            print_err("Uncrustify with file returned: " +
-                      str(result.returncode) + " correcting file " +
-                      src_file)
-            return False
-    return True
-
-def fix_style(src_file_list: List[str]) -> int:
-    """
-    Fix the code style. This takes 2 passes of Uncrustify.
-    """
-    if not fix_style_single_pass(src_file_list):
-        return 1
-    if not fix_style_single_pass(src_file_list):
-        return 1
-
-    # Guard against future changes that cause the codebase to require
-    # more passes.
-    if not check_style_is_correct(src_file_list):
-        print_err("Code style still incorrect after second run of Uncrustify.")
-        return 1
-    else:
-        return 0
-
-def main() -> int:
-    """
-    Main with command line arguments.
-    """
-    uncrustify_version = get_uncrustify_version().strip()
-    if UNCRUSTIFY_SUPPORTED_VERSION not in uncrustify_version:
-        print("Warning: Using unsupported Uncrustify version '" +
-              uncrustify_version + "'")
-        print("Note: The only supported version is " +
-              UNCRUSTIFY_SUPPORTED_VERSION)
-
-    parser = argparse.ArgumentParser()
-    parser.add_argument('-f', '--fix', action='store_true',
-                        help=('modify source files to fix the code style '
-                              '(default: print diff, do not modify files)'))
-    parser.add_argument('-s', '--since', metavar='COMMIT', const='development', nargs='?',
-                        help=('only check files modified since the specified commit'
-                              ' (e.g. --since=HEAD~3 or --since=development). If no'
-                              ' commit is specified, default to development.'))
-    # --subset is almost useless: it only matters if there are no files
-    # ('code_style.py' without arguments checks all files known to Git,
-    # 'code_style.py --subset' does nothing). In particular,
-    # 'code_style.py --fix --subset ...' is intended as a stable ("porcelain")
-    # way to restyle a possibly empty set of files.
-    parser.add_argument('--subset', action='store_true',
-                        help='only check the specified files (default with non-option arguments)')
-    parser.add_argument('operands', nargs='*', metavar='FILE',
-                        help='files to check (files MUST be known to git, if none: check all)')
-
-    args = parser.parse_args()
-
-    covered = frozenset(get_src_files(args.since))
-    # We only check files that are known to git
-    if args.subset or args.operands:
-        src_files = [f for f in args.operands if f in covered]
-        skip_src_files = [f for f in args.operands if f not in covered]
-        if skip_src_files:
-            print_skip(skip_src_files)
-    else:
-        src_files = list(covered)
-
-    if args.fix:
-        # Fix mode
-        return fix_style(src_files)
-    else:
-        # Check mode
-        if check_style_is_correct(src_files):
-            print("Checked {} files, style ok.".format(len(src_files)))
-            return 0
-        else:
-            return 1
-
-if __name__ == '__main__':
-    sys.exit(main())
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
index d3b7d6f..ed5c9a0 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
@@ -307,8 +307,7 @@
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
             if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
-                PSA_ALG_IS_ECDSA(alg) &&
-                !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+                PSA_ALG_IS_RANDOMIZED_ECDSA(alg) &&
                 PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
                 psa_get_key_bits(attributes) == 256 )
             {
@@ -412,7 +411,6 @@
 #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
             if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
                 PSA_ALG_IS_ECDSA(alg) &&
-                !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
                 PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
                 psa_get_key_bits(attributes) == 256 )
             {
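Review bot: After this change the two p256-m dispatch conditions differ, and nothing in the template says why: the one in the previous hunk requires `PSA_ALG_IS_RANDOMIZED_ECDSA(alg)`, while this one accepts any `PSA_ALG_IS_ECDSA(alg)`. If this is the verification entry point, where a signature is checked the same way however its nonce was produced (the function header is outside the hunk, so this is inferred), a one-line comment above the condition would keep a later reader from "fixing" the asymmetry: `/* Verification does not depend on how the nonce was generated, so deterministic ECDSA is accepted here. */`.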
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index 29687cb..0c15c38 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -26,6 +26,6 @@
 python framework\scripts\generate_config_tests.py || exit /b 1

 python framework\scripts\generate_ecp_tests.py || exit /b 1

 python framework\scripts\generate_psa_tests.py || exit /b 1

-python framework\scripts\generate_test_keys.py --output framework\tests\src\test_keys.h || exit /b 1

+python framework\scripts\generate_test_keys.py --output framework\tests\include\test\test_keys.h || exit /b 1

 python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1

 python framework\scripts\generate_tls13_compat_tests.py || exit /b 1

diff --git a/scripts/output_env.sh b/scripts/output_env.sh
deleted file mode 100755
index 32f1f86..0000000
--- a/scripts/output_env.sh
+++ /dev/null
@@ -1,183 +0,0 @@
-#! /usr/bin/env sh
-
-# output_env.sh
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# Purpose
-#
-# To print out all the relevant information about the development environment.
-#
-# This includes:
-#   - architecture of the system
-#   - type and version of the operating system
-#   - version of make and cmake
-#   - version of armcc, clang, gcc-arm and gcc compilers
-#   - version of libc, clang, asan and valgrind if installed
-#   - version of gnuTLS and OpenSSL
-
-print_version()
-{
-    BIN="$1"
-    shift
-    ARGS="$1"
-    shift
-    VARIANT="$1"
-    shift
-
-    if [ -n "$VARIANT" ]; then
-        VARIANT=" ($VARIANT)"
-    fi
-
-    if ! type "$BIN" > /dev/null 2>&1; then
-        echo " * ${BIN##*/}$VARIANT: Not found."
-        return 0
-    fi
-
-    BIN=`which "$BIN"`
-    VERSION_STR=`$BIN $ARGS 2>&1`
-
-    # Apply all filters
-    while [ $# -gt 0 ]; do
-        FILTER="$1"
-        shift
-        VERSION_STR=`echo "$VERSION_STR" | $FILTER`
-    done
-
-    if [ -z "$VERSION_STR" ]; then
-        VERSION_STR="Version could not be determined."
-    fi
-
-    echo " * ${BIN##*/}$VARIANT: ${BIN} : ${VERSION_STR} "
-}
-
-echo "** Platform:"
-echo
-
-if [ `uname -s` = "Linux" ]; then
-    echo "Linux variant"
-    lsb_release -d -c
-else
-    echo "Unknown Unix variant"
-fi
-
-echo
-
-print_version "uname" "-a" ""
-
-echo
-echo
-echo "** Tool Versions:"
-echo
-
-print_version "make" "--version" "" "head -n 1"
-echo
-
-print_version "cmake" "--version" "" "head -n 1"
-echo
-
-if [ "${RUN_ARMCC:-1}" -ne 0 ]; then
-    : "${ARMC6_CC:=armclang}"
-    print_version "$ARMC6_CC" "--vsn" "" "head -n 2"
-    echo
-fi
-
-print_version "arm-none-eabi-gcc" "--version" "" "head -n 1"
-echo
-
-print_version "gcc" "--version" "" "head -n 1"
-echo
-
-if [ -n "${GCC_EARLIEST+set}" ]; then
-    print_version "${GCC_EARLIEST}" "--version" "" "head -n 1"
-else
-    echo " GCC_EARLIEST : Not configured."
-fi
-echo
-
-if [ -n "${GCC_LATEST+set}" ]; then
-    print_version "${GCC_LATEST}" "--version" "" "head -n 1"
-else
-    echo " GCC_LATEST : Not configured."
-fi
-echo
-
-print_version "clang" "--version" "" "head -n 2"
-echo
-
-if [ -n "${CLANG_EARLIEST+set}" ]; then
-    print_version "${CLANG_EARLIEST}" "--version" "" "head -n 2"
-else
-    echo " CLANG_EARLIEST : Not configured."
-fi
-echo
-
-if [ -n "${CLANG_LATEST+set}" ]; then
-    print_version "${CLANG_LATEST}" "--version" "" "head -n 2"
-else
-    echo " CLANG_LATEST : Not configured."
-fi
-echo
-
-print_version "ldd" "--version" "" "head -n 1"
-echo
-
-print_version "valgrind" "--version" ""
-echo
-
-print_version "gdb" "--version" "" "head -n 1"
-echo
-
-print_version "perl" "--version" "" "head -n 2" "grep ."
-echo
-
-print_version "python" "--version" "" "head -n 1"
-echo
-
-print_version "python3" "--version" "" "head -n 1"
-echo
-
-# Find the installed version of Pylint. Installed as a distro package this can
-# be pylint3 and as a PEP egg, pylint. In test scripts We prefer pylint over
-# pylint3
-if type pylint >/dev/null 2>/dev/null; then
-    print_version "pylint" "--version" "" "sed /^.*config/d" "grep pylint"
-elif type pylint3 >/dev/null 2>/dev/null; then
-    print_version "pylint3" "--version" "" "sed /^.*config/d" "grep pylint"
-else
-    echo " * pylint or pylint3: Not found."
-fi
-echo
-
-: ${OPENSSL:=openssl}
-print_version "$OPENSSL" "version" "default"
-echo
-
-if [ -n "${OPENSSL_NEXT+set}" ]; then
-    print_version "$OPENSSL_NEXT" "version" "next"
-else
-    echo " * openssl (next): Not configured."
-fi
-echo
-
-: ${GNUTLS_CLI:=gnutls-cli}
-print_version "$GNUTLS_CLI" "--version" "default" "head -n 1"
-echo
-
-: ${GNUTLS_SERV:=gnutls-serv}
-print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
-echo
-
-echo " * Installed asan versions:"
-if type dpkg-query >/dev/null 2>/dev/null; then
-    if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |
-         awk '$3 == "installed" && $4 !~ /-/ {print $4, $5}' |
-         grep .
-    then
-        echo "   No asan versions installed."
-    fi
-else
-    echo "  Unable to determine the asan version without dpkg."
-fi
-echo
diff --git a/scripts/windows_msbuild.bat b/scripts/windows_msbuild.bat
deleted file mode 100644
index 2bc6a51..0000000
--- a/scripts/windows_msbuild.bat
+++ /dev/null
@@ -1,20 +0,0 @@
-@rem Build and test Mbed TLS with Visual Studio using msbuild.

-@rem Usage: windows_msbuild [RETARGET]

-@rem   RETARGET: version of Visual Studio to emulate

-@rem             https://docs.microsoft.com/en-us/cpp/build/how-to-modify-the-target-framework-and-platform-toolset

-

-@rem These parameters are hard-coded for now.

-set "arch=x64" & @rem "x86" or "x64"

-set "cfg=Release" & @rem "Debug" or "Release"

-set "vcvarsall=C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build\vcvarsall.bat"

-

-if not "%~1"=="" set "retarget=,PlatformToolset=%1"

-

-@rem If the %USERPROFILE%\Source directory exists, then running

-@rem vcvarsall.bat will silently change the directory to that directory.

-@rem Setting the VSCMD_START_DIR environment variable causes it to change

-@rem to that directory instead.

-set "VSCMD_START_DIR=%~dp0\..\visualc\VS2017"

-

-"%vcvarsall%" x64 && ^

-msbuild /t:Rebuild /p:Configuration=%cfg%%retarget% /m mbedTLS.sln

diff --git a/tests/Makefile b/tests/Makefile
index baeb7f7..2c6489c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -53,7 +53,7 @@
 GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES)
 
 GENERATED_FILES = $(GENERATED_DATA_FILES)
-GENERATED_FILES += ../framework/tests/src/test_keys.h src/test_certs.h
+GENERATED_FILES += ../framework/tests/include/test/test_keys.h src/test_certs.h
 
 # Generated files needed to (fully) run ssl-opt.sh
 .PHONY: ssl-opt
@@ -161,7 +161,7 @@
 	echo "  Gen   $@"
 	$(PYTHON) ../framework/scripts/generate_test_cert_macros.py --output $@
 
-../framework/tests/src/test_keys.h: ../framework/scripts/generate_test_keys.py
+../framework/tests/include/test/test_keys.h: ../framework/scripts/generate_test_keys.py
 	echo "  Gen   $@"
 	$(PYTHON) ../framework/scripts/generate_test_keys.py --output $@
 
@@ -172,7 +172,7 @@
 # therefore the wildcard enumeration above doesn't include it.
 TEST_OBJS_DEPS += ../framework/tests/include/test/instrument_record_status.h
 endif
-TEST_OBJS_DEPS += src/test_certs.h ../framework/tests/src/test_keys.h
+TEST_OBJS_DEPS += src/test_certs.h ../framework/tests/include/test/test_keys.h
 
 # Rule to compile common test C files in framework
 ../framework/tests/src/%.o : ../framework/tests/src/%.c $(TEST_OBJS_DEPS)
diff --git a/tests/docker/bionic/Dockerfile b/tests/docker/bionic/Dockerfile
deleted file mode 100644
index e4c49fa..0000000
--- a/tests/docker/bionic/Dockerfile
+++ /dev/null
@@ -1,158 +0,0 @@
-# Dockerfile
-#
-# Purpose
-# -------
-# Defines a Docker container suitable to build and run all tests (all.sh),
-# except for those that use a proprietary toolchain.
-#
-# WARNING: this Dockerfile is no longer maintained! See
-# https://github.com/Mbed-TLS/mbedtls-test/blob/master/README.md#quick-start
-# for the set of Docker images we use on the CI.
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-ARG MAKEFLAGS_PARALLEL=""
-ARG MY_REGISTRY=
-
-FROM ${MY_REGISTRY}ubuntu:bionic
-
-
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt-get update \
-    && apt-get -y install software-properties-common \
-    && rm -rf /var/lib/apt/lists
-
-RUN add-apt-repository -y ppa:team-gcc-arm-embedded/ppa
-
-RUN apt-get update \
-    && apt-get -y install \
-    # mbedtls build/test dependencies
-    build-essential \
-    clang \
-    cmake \
-    doxygen \
-    gcc-arm-none-eabi \
-    gcc-mingw-w64-i686 \
-    gcc-multilib \
-    g++-multilib \
-    gdb \
-    git \
-    graphviz \
-    lsof \
-    python \
-    python3-pip \
-    python3 \
-    pylint3 \
-    valgrind \
-    wget \
-    # libnettle build dependencies
-    libgmp-dev \
-    m4 \
-    pkg-config \
-    && rm -rf /var/lib/apt/lists/*
-
-# Jinja2 is required for driver dispatch code generation.
-RUN python3 -m pip install \
-    jinja2==2.10.1 types-jinja2
-
-# Build a static, legacy openssl from sources with sslv3 enabled
-# Based on https://gist.github.com/bmaupin/8caca3a1e8c3c5686141 (build-openssl.sh)
-# Note: openssl-1.0.2 and earlier has known build issues with parallel make.
-RUN cd /tmp \
-    && wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz -qO- | tar xz \
-    && cd openssl-1.0.1j \
-    && ./config --openssldir=/usr/local/openssl-1.0.1j no-shared \
-    && (make ${MAKEFLAGS_PARALLEL} || make -j 1) \
-    && make install_sw \
-    && rm -rf /tmp/openssl*
-ENV OPENSSL_LEGACY=/usr/local/openssl-1.0.1j/bin/openssl
-
-# Build OPENSSL as 1.0.2g
-RUN cd /tmp \
-    && wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz -qO- | tar xz \
-    && cd openssl-1.0.2g \
-    && ./config --openssldir=/usr/local/openssl-1.0.2g no-shared \
-    && (make ${MAKEFLAGS_PARALLEL} || make -j 1) \
-    && make install_sw \
-    && rm -rf /tmp/openssl*
-ENV OPENSSL=/usr/local/openssl-1.0.2g/bin/openssl
-
-# Build a new openssl binary for ARIA/CHACHA20 support
-# Based on https://gist.github.com/bmaupin/8caca3a1e8c3c5686141 (build-openssl.sh)
-RUN cd /tmp \
-    && wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz -qO- | tar xz \
-    && cd openssl-1.1.1a \
-    && ./config --prefix=/usr/local/openssl-1.1.1a -Wl,--enable-new-dtags,-rpath,'${LIBRPATH}' no-shared \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install_sw \
-    && rm -rf /tmp/openssl*
-ENV OPENSSL_NEXT=/usr/local/openssl-1.1.1a/bin/openssl
-
-# Build libnettle 2.7.1 (needed by legacy gnutls)
-RUN cd /tmp \
-    && wget https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz -qO- | tar xz \
-    && cd nettle-2.7.1 \
-    && ./configure --disable-documentation \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install \
-    && /sbin/ldconfig \
-    && rm -rf /tmp/nettle*
-
-# Build legacy gnutls (3.3.8)
-RUN cd /tmp \
-    && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.3/gnutls-3.3.8.tar.xz -qO- | tar xJ \
-    && cd gnutls-3.3.8 \
-    && ./configure --prefix=/usr/local/gnutls-3.3.8 --exec_prefix=/usr/local/gnutls-3.3.8 --disable-shared --disable-guile --disable-doc \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install \
-    && rm -rf /tmp/gnutls*
-ENV GNUTLS_LEGACY_CLI=/usr/local/gnutls-3.3.8/bin/gnutls-cli
-ENV GNUTLS_LEGACY_SERV=/usr/local/gnutls-3.3.8/bin/gnutls-serv
-
-# Build libnettle 3.1 (needed by gnutls)
-RUN cd /tmp \
-    && wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz -qO- | tar xz \
-    && cd nettle-3.1 \
-    && ./configure --disable-documentation \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install \
-    && /sbin/ldconfig \
-    && rm -rf /tmp/nettle*
-
-# Build gnutls (3.4.10)
-RUN cd /tmp \
-    && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz -qO- | tar xJ \
-    && cd gnutls-3.4.10 \
-    && ./configure --prefix=/usr/local/gnutls-3.4.10 --exec_prefix=/usr/local/gnutls-3.4.10 \
-        --with-included-libtasn1 --without-p11-kit \
-        --disable-shared --disable-guile --disable-doc \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install \
-    && rm -rf /tmp/gnutls*
-ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli
-ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv
-
-# Build libnettle 3.7.3 (needed by gnutls next)
-RUN cd /tmp \
-    && wget https://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz -qO- | tar xz \
-    && cd nettle-3.7.3 \
-    && ./configure --disable-documentation \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install \
-    && /sbin/ldconfig \
-    && rm -rf /tmp/nettle*
-
-# Build gnutls next (3.7.2)
-RUN cd /tmp \
-    && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.2.tar.xz -qO- | tar xJ \
-    && cd gnutls-3.7.2 \
-    && ./configure --prefix=/usr/local/gnutls-3.7.2 --exec_prefix=/usr/local/gnutls-3.7.2 \
-        --with-included-libtasn1 --with-included-unistring --without-p11-kit \
-        --disable-shared --disable-guile --disable-doc \
-    && make ${MAKEFLAGS_PARALLEL} \
-    && make install \
-    && rm -rf /tmp/gnutls*
-
-ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.7.2/bin/gnutls-cli
-ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.7.2/bin/gnutls-serv
diff --git a/tests/scripts/all-in-docker.sh b/tests/scripts/all-in-docker.sh
deleted file mode 100755
index b2a31c2..0000000
--- a/tests/scripts/all-in-docker.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash -eu
-
-# all-in-docker.sh
-#
-# Purpose
-# -------
-# This runs all.sh (except for armcc) in a Docker container.
-#
-# WARNING: the Dockerfile used by this script is no longer maintained! See
-# https://github.com/Mbed-TLS/mbedtls-test/blob/master/README.md#quick-start
-# for the set of Docker images we use on the CI.
-#
-# Notes for users
-# ---------------
-# See docker_env.sh for prerequisites and other information.
-#
-# See also all.sh for notes about invocation of that script.
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-source tests/scripts/docker_env.sh
-
-# Run tests that are possible with openly available compilers
-run_in_docker tests/scripts/all.sh \
-    --no-armcc \
-    $@
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 18c8bde..09e1245 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -206,6 +206,11 @@
             'PBES2 Encrypt, pad=6 (PKCS7 padding disabled)',
             'PBES2 Encrypt, pad=8 (PKCS7 padding disabled)',
         ],
+        'test_suite_psa_crypto': [
+            # We don't test this unusual, but sensible configuration.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9592
+            re.compile(r'.*ECDSA.*only deterministic supported'),
+        ],
         'test_suite_psa_crypto_generate_key.generated': [
             # Ignore mechanisms that are not implemented, except
             # for public keys for which we always test that
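Review bot: The comment on the new `test_suite_psa_crypto` entry, "this unusual, but sensible configuration", never names the configuration, and the same wording is repeated in the hunks at `-258,6 +263,9` and `-272,6 +280,11`. From the patterns it appears to be deterministic ECDSA enabled without randomized ECDSA, so I would say that once, e.g. `# Not covered on CI: DETERMINISTIC_ECDSA enabled without ECDSA (see #9592).`. These entries exempt signature test cases from the coverage check, and `r'.*ECDSA.*only deterministic supported'` has a wildcard on both sides of `ECDSA`, so it would also exempt any future case whose description happens to contain those words. If the affected descriptions are a known, small set, listing them as exact strings, as the `test_suite_psa_crypto_op_fail.misc` entry does, would keep the exemption from growing silently. The enclosing dictionary starts and ends outside these hunks, and how its patterns are matched is not visible here.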
@@ -258,6 +263,9 @@
             # "PSA test case generation: dependency inference class: operation fail"
             # from https://github.com/Mbed-TLS/mbedtls/pull/9025 .
             re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'),
+            # We don't test this unusual, but sensible configuration.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9592
+            re.compile(r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*'),
             # PBKDF2_HMAC is not in the default configuration, so we don't
             # enable it in depends.py where we remove hashes.
             # https://github.com/Mbed-TLS/mbedtls/issues/9576
@@ -272,6 +280,11 @@
             # https://github.com/Mbed-TLS/mbedtls/issues/9578
             re.compile(r'PSA sign RSA_PSS_ANY_SALT.*!(?:MD|RIPEMD|SHA).*'),
         ],
+        'test_suite_psa_crypto_op_fail.misc': [
+            # We don't test this unusual, but sensible configuration.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9592
+            'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long
+        ],
         'test_suite_psa_crypto_storage_format.current': [
             PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
         ],
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index d2e955f..5df2d02 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -65,7 +65,7 @@
 OPENSSL="$OPENSSL"                           \
     GNUTLS_CLI="$GNUTLS_CLI"                 \
     GNUTLS_SERV="$GNUTLS_SERV"               \
-    scripts/output_env.sh
+    framework/scripts/output_env.sh
 echo
 
 # Step 1 - Make and instrumented build for code coverage
diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh
deleted file mode 100755
index 81ee8d6..0000000
--- a/tests/scripts/basic-in-docker.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash -eu
-
-# basic-in-docker.sh
-#
-# Purpose
-# -------
-# This runs sanity checks and library tests in a Docker container. The tests
-# are run for both clang and gcc. The testing includes a full test run
-# in the default configuration, partial test runs in the reference
-# configurations, and some dependency tests.
-#
-# WARNING: the Dockerfile used by this script is no longer maintained! See
-# https://github.com/Mbed-TLS/mbedtls-test/blob/master/README.md#quick-start
-# for the set of Docker images we use on the CI.
-#
-# Notes for users
-# ---------------
-# See docker_env.sh for prerequisites and other information.
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-source tests/scripts/docker_env.sh
-
-run_in_docker tests/scripts/all.sh 'check_*'
-
-for compiler in clang gcc; do
-    run_in_docker -e CC=${compiler} cmake -D CMAKE_BUILD_TYPE:String="Check" .
-    run_in_docker -e CC=${compiler} make
-    run_in_docker -e CC=${compiler} make test
-    run_in_docker programs/test/selftest
-    run_in_docker -e OSSL_NO_DTLS=1 tests/compat.sh
-    run_in_docker tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl'
-    run_in_docker tests/scripts/depends.py curves
-    run_in_docker tests/scripts/depends.py kex
-done
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index d796cc0..b61c5ac 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -111,7 +111,7 @@
 }
 
 # Note: if the format of calls to the "check" function changes, update
-# scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
+# framework/scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
 # the format must be "check SCRIPT FILENAME...". For other source files,
 # any shell syntax is permitted (including e.g. command substitution).
 
@@ -126,7 +126,7 @@
 check framework/scripts/generate_config_tests.py $(framework/scripts/generate_config_tests.py --list)
 check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
 check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
-check framework/scripts/generate_test_keys.py framework/tests/src/test_keys.h
+check framework/scripts/generate_test_keys.py framework/tests/include/test/test_keys.h
 check scripts/generate_driver_wrappers.py $library_dir/psa_crypto_driver_wrappers.h $library_dir/psa_crypto_driver_wrappers_no_static.c
 
 # Additional checks for Mbed TLS only
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
deleted file mode 100755
index 2a5d64b..0000000
--- a/tests/scripts/check_files.py
+++ /dev/null
@@ -1,546 +0,0 @@
-#!/usr/bin/env python3
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-"""
-This script checks the current state of the source code for minor issues,
-including incorrect file permissions, presence of tabs, non-Unix line endings,
-trailing whitespace, and presence of UTF-8 BOM.
-Note: requires python 3, must be run from Mbed TLS root.
-"""
-
-import argparse
-import codecs
-import inspect
-import logging
-import os
-import re
-import subprocess
-import sys
-try:
-    from typing import FrozenSet, Optional, Pattern # pylint: disable=unused-import
-except ImportError:
-    pass
-
-import scripts_path # pylint: disable=unused-import
-from mbedtls_framework import build_tree
-
-
-class FileIssueTracker:
-    """Base class for file-wide issue tracking.
-
-    To implement a checker that processes a file as a whole, inherit from
-    this class and implement `check_file_for_issue` and define ``heading``.
-
-    ``suffix_exemptions``: files whose name ends with a string in this set
-     will not be checked.
-
-    ``path_exemptions``: files whose path (relative to the root of the source
-    tree) matches this regular expression will not be checked. This can be
-    ``None`` to match no path. Paths are normalized and converted to ``/``
-    separators before matching.
-
-    ``heading``: human-readable description of the issue
-    """
-
-    suffix_exemptions = frozenset() #type: FrozenSet[str]
-    path_exemptions = None #type: Optional[Pattern[str]]
-    # heading must be defined in derived classes.
-    # pylint: disable=no-member
-
-    def __init__(self):
-        self.files_with_issues = {}
-
-    @staticmethod
-    def normalize_path(filepath):
-        """Normalize ``filepath`` with / as the directory separator."""
-        filepath = os.path.normpath(filepath)
-        # On Windows, we may have backslashes to separate directories.
-        # We need slashes to match exemption lists.
-        seps = os.path.sep
-        if os.path.altsep is not None:
-            seps += os.path.altsep
-        return '/'.join(filepath.split(seps))
-
-    def should_check_file(self, filepath):
-        """Whether the given file name should be checked.
-
-        Files whose name ends with a string listed in ``self.suffix_exemptions``
-        or whose path matches ``self.path_exemptions`` will not be checked.
-        """
-        for files_exemption in self.suffix_exemptions:
-            if filepath.endswith(files_exemption):
-                return False
-        if self.path_exemptions and \
-           re.match(self.path_exemptions, self.normalize_path(filepath)):
-            return False
-        return True
-
-    def check_file_for_issue(self, filepath):
-        """Check the specified file for the issue that this class is for.
-
-        Subclasses must implement this method.
-        """
-        raise NotImplementedError
-
-    def record_issue(self, filepath, line_number):
-        """Record that an issue was found at the specified location."""
-        if filepath not in self.files_with_issues.keys():
-            self.files_with_issues[filepath] = []
-        self.files_with_issues[filepath].append(line_number)
-
-    def output_file_issues(self, logger):
-        """Log all the locations where the issue was found."""
-        if self.files_with_issues.values():
-            logger.info(self.heading)
-            for filename, lines in sorted(self.files_with_issues.items()):
-                if lines:
-                    logger.info("{}: {}".format(
-                        filename, ", ".join(str(x) for x in lines)
-                    ))
-                else:
-                    logger.info(filename)
-            logger.info("")
-
-BINARY_FILE_PATH_RE_LIST = [
-    r'docs/.*\.pdf\Z',
-    r'docs/.*\.png\Z',
-    r'programs/fuzz/corpuses/[^.]+\Z',
-    r'framework/data_files/[^.]+\Z',
-    r'framework/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',
-    r'framework/data_files/.*\.req\.[^/]+\Z',
-    r'framework/data_files/.*malformed[^/]+\Z',
-    r'framework/data_files/format_pkcs12\.fmt\Z',
-    r'framework/data_files/.*\.bin\Z',
-]
-BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST))
-
-class LineIssueTracker(FileIssueTracker):
-    """Base class for line-by-line issue tracking.
-
-    To implement a checker that processes files line by line, inherit from
-    this class and implement `line_with_issue`.
-    """
-
-    # Exclude binary files.
-    path_exemptions = BINARY_FILE_PATH_RE
-
-    def issue_with_line(self, line, filepath, line_number):
-        """Check the specified line for the issue that this class is for.
-
-        Subclasses must implement this method.
-        """
-        raise NotImplementedError
-
-    def check_file_line(self, filepath, line, line_number):
-        if self.issue_with_line(line, filepath, line_number):
-            self.record_issue(filepath, line_number)
-
-    def check_file_for_issue(self, filepath):
-        """Check the lines of the specified file.
-
-        Subclasses must implement the ``issue_with_line`` method.
-        """
-        with open(filepath, "rb") as f:
-            for i, line in enumerate(iter(f.readline, b"")):
-                self.check_file_line(filepath, line, i + 1)
-
-
-def is_windows_file(filepath):
-    _root, ext = os.path.splitext(filepath)
-    return ext in ('.bat', '.dsp', '.dsw', '.sln', '.vcxproj')
-
-
-class ShebangIssueTracker(FileIssueTracker):
-    """Track files with a bad, missing or extraneous shebang line.
-
-    Executable scripts must start with a valid shebang (#!) line.
-    """
-
-    heading = "Invalid shebang line:"
-
-    # Allow either /bin/sh, /bin/bash, or /usr/bin/env.
-    # Allow at most one argument (this is a Linux limitation).
-    # For sh and bash, the argument if present must be options.
-    # For env, the argument must be the base name of the interpreter.
-    _shebang_re = re.compile(rb'^#! ?(?:/bin/(bash|sh)(?: -[^\n ]*)?'
-                             rb'|/usr/bin/env ([^\n /]+))$')
-    _extensions = {
-        b'bash': 'sh',
-        b'perl': 'pl',
-        b'python3': 'py',
-        b'sh': 'sh',
-    }
-
-    path_exemptions = re.compile(r'tests/scripts/quiet/.*')
-
-    def is_valid_shebang(self, first_line, filepath):
-        m = re.match(self._shebang_re, first_line)
-        if not m:
-            return False
-        interpreter = m.group(1) or m.group(2)
-        if interpreter not in self._extensions:
-            return False
-        if not filepath.endswith('.' + self._extensions[interpreter]):
-            return False
-        return True
-
-    def check_file_for_issue(self, filepath):
-        is_executable = os.access(filepath, os.X_OK)
-        with open(filepath, "rb") as f:
-            first_line = f.readline()
-        if first_line.startswith(b'#!'):
-            if not is_executable:
-                # Shebang on a non-executable file
-                self.files_with_issues[filepath] = None
-            elif not self.is_valid_shebang(first_line, filepath):
-                self.files_with_issues[filepath] = [1]
-        elif is_executable:
-            # Executable without a shebang
-            self.files_with_issues[filepath] = None
-
-
-class EndOfFileNewlineIssueTracker(FileIssueTracker):
-    """Track files that end with an incomplete line
-    (no newline character at the end of the last line)."""
-
-    heading = "Missing newline at end of file:"
-
-    path_exemptions = BINARY_FILE_PATH_RE
-
-    def check_file_for_issue(self, filepath):
-        with open(filepath, "rb") as f:
-            try:
-                f.seek(-1, 2)
-            except OSError:
-                # This script only works on regular files. If we can't seek
-                # 1 before the end, it means that this position is before
-                # the beginning of the file, i.e. that the file is empty.
-                return
-            if f.read(1) != b"\n":
-                self.files_with_issues[filepath] = None
-
-
-class Utf8BomIssueTracker(FileIssueTracker):
-    """Track files that start with a UTF-8 BOM.
-    Files should be ASCII or UTF-8. Valid UTF-8 does not start with a BOM."""
-
-    heading = "UTF-8 BOM present:"
-
-    suffix_exemptions = frozenset([".vcxproj", ".sln"])
-    path_exemptions = BINARY_FILE_PATH_RE
-
-    def check_file_for_issue(self, filepath):
-        with open(filepath, "rb") as f:
-            if f.read().startswith(codecs.BOM_UTF8):
-                self.files_with_issues[filepath] = None
-
-
-class UnicodeIssueTracker(LineIssueTracker):
-    """Track lines with invalid characters or invalid text encoding."""
-
-    heading = "Invalid UTF-8 or forbidden character:"
-
-    # Only allow valid UTF-8, and only other explicitly allowed characters.
-    # We deliberately exclude all characters that aren't a simple non-blank,
-    # non-zero-width glyph, apart from a very small set (tab, ordinary space,
-    # line breaks, "basic" no-break space and soft hyphen). In particular,
-    # non-ASCII control characters, combinig characters, and Unicode state
-    # changes (e.g. right-to-left text) are forbidden.
-    # Note that we do allow some characters with a risk of visual confusion,
-    # for example '-' (U+002D HYPHEN-MINUS) vs '­' (U+00AD SOFT HYPHEN) vs
-    # '‐' (U+2010 HYPHEN), or 'A' (U+0041 LATIN CAPITAL LETTER A) vs
-    # 'Α' (U+0391 GREEK CAPITAL LETTER ALPHA).
-    GOOD_CHARACTERS = ''.join([
-        '\t\n\r -~', # ASCII (tabs and line endings are checked separately)
-        '\u00A0-\u00FF', # Latin-1 Supplement (for NO-BREAK SPACE and punctuation)
-        '\u2010-\u2027\u2030-\u205E', # General Punctuation (printable)
-        '\u2070\u2071\u2074-\u208E\u2090-\u209C', # Superscripts and Subscripts
-        '\u2190-\u21FF', # Arrows
-        '\u2200-\u22FF', # Mathematical Symbols
-        '\u2500-\u257F' # Box Drawings characters used in markdown trees
-    ])
-    # Allow any of the characters and ranges above, and anything classified
-    # as a word constituent.
-    GOOD_CHARACTERS_RE = re.compile(r'[\w{}]+\Z'.format(GOOD_CHARACTERS))
-
-    def issue_with_line(self, line, _filepath, line_number):
-        try:
-            text = line.decode('utf-8')
-        except UnicodeDecodeError:
-            return True
-        if line_number == 1 and text.startswith('\uFEFF'):
-            # Strip BOM (U+FEFF ZERO WIDTH NO-BREAK SPACE) at the beginning.
-            # Which files are allowed to have a BOM is handled in
-            # Utf8BomIssueTracker.
-            text = text[1:]
-        return not self.GOOD_CHARACTERS_RE.match(text)
-
-class UnixLineEndingIssueTracker(LineIssueTracker):
-    """Track files with non-Unix line endings (i.e. files with CR)."""
-
-    heading = "Non-Unix line endings:"
-
-    def should_check_file(self, filepath):
-        if not super().should_check_file(filepath):
-            return False
-        return not is_windows_file(filepath)
-
-    def issue_with_line(self, line, _filepath, _line_number):
-        return b"\r" in line
-
-
-class WindowsLineEndingIssueTracker(LineIssueTracker):
-    """Track files with non-Windows line endings (i.e. CR or LF not in CRLF)."""
-
-    heading = "Non-Windows line endings:"
-
-    def should_check_file(self, filepath):
-        if not super().should_check_file(filepath):
-            return False
-        return is_windows_file(filepath)
-
-    def issue_with_line(self, line, _filepath, _line_number):
-        return not line.endswith(b"\r\n") or b"\r" in line[:-2]
-
-
-class TrailingWhitespaceIssueTracker(LineIssueTracker):
-    """Track lines with trailing whitespace."""
-
-    heading = "Trailing whitespace:"
-    suffix_exemptions = frozenset([".dsp", ".md"])
-
-    def issue_with_line(self, line, _filepath, _line_number):
-        return line.rstrip(b"\r\n") != line.rstrip()
-
-
-class TabIssueTracker(LineIssueTracker):
-    """Track lines with tabs."""
-
-    heading = "Tabs present:"
-    suffix_exemptions = frozenset([
-        ".make",
-        ".pem", # some openssl dumps have tabs
-        ".sln",
-        "/.gitmodules",
-        "/Makefile",
-        "/Makefile.inc",
-        "/generate_visualc_files.pl",
-    ])
-
-    def issue_with_line(self, line, _filepath, _line_number):
-        return b"\t" in line
-
-
-class MergeArtifactIssueTracker(LineIssueTracker):
-    """Track lines with merge artifacts.
-    These are leftovers from a ``git merge`` that wasn't fully edited."""
-
-    heading = "Merge artifact:"
-
-    def issue_with_line(self, line, _filepath, _line_number):
-        # Detect leftover git conflict markers.
-        if line.startswith(b'<<<<<<< ') or line.startswith(b'>>>>>>> '):
-            return True
-        if line.startswith(b'||||||| '): # from merge.conflictStyle=diff3
-            return True
-        if line.rstrip(b'\r\n') == b'=======' and \
-           not _filepath.endswith('.md'):
-            return True
-        return False
-
-
-def this_location():
-    frame = inspect.currentframe()
-    assert frame is not None
-    info = inspect.getframeinfo(frame)
-    return os.path.basename(info.filename), info.lineno
-THIS_FILE_BASE_NAME, LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER = this_location()
-
-class LicenseIssueTracker(LineIssueTracker):
-    """Check copyright statements and license indications.
-
-    This class only checks that statements are correct if present. It does
-    not enforce the presence of statements in each file.
-    """
-
-    heading = "License issue:"
-
-    LICENSE_EXEMPTION_RE_LIST = [
-        # Third-party code, other than whitelisted third-party modules,
-        # may be under a different license.
-        r'3rdparty/(?!(p256-m)/.*)',
-        # Documentation explaining the license may have accidental
-        # false positives.
-        r'(ChangeLog|LICENSE|framework\/LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
-        # Files imported from TF-M, and not used except in test builds,
-        # may be under a different license.
-        r'configs/ext/crypto_config_profile_medium\.h\Z',
-        r'configs/ext/tfm_mbedcrypto_config_profile_medium\.h\Z',
-        r'configs/ext/README\.md\Z',
-        # Third-party file.
-        r'dco\.txt\Z',
-        r'framework\/dco\.txt\Z',
-    ]
-    path_exemptions = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST +
-                                          LICENSE_EXEMPTION_RE_LIST))
-
-    COPYRIGHT_HOLDER = rb'The Mbed TLS Contributors'
-    # Catch "Copyright foo", "Copyright (C) foo", "Copyright © foo", etc.
-    COPYRIGHT_RE = re.compile(rb'.*\bcopyright\s+((?:\w|\s|[()]|[^ -~])*\w)', re.I)
-
-    SPDX_HEADER_KEY = b'SPDX-License-Identifier'
-    LICENSE_IDENTIFIER = b'Apache-2.0 OR GPL-2.0-or-later'
-    SPDX_RE = re.compile(br'.*?(' +
-                         re.escape(SPDX_HEADER_KEY) +
-                         br')(:\s*(.*?)\W*\Z|.*)', re.I)
-
-    LICENSE_MENTION_RE = re.compile(rb'.*(?:' + rb'|'.join([
-        rb'Apache License',
-        rb'General Public License',
-    ]) + rb')', re.I)
-
-    def __init__(self):
-        super().__init__()
-        # Record what problem was caused. We can't easily report it due to
-        # the structure of the script. To be fixed after
-        # https://github.com/Mbed-TLS/mbedtls/pull/2506
-        self.problem = None
-
-    def issue_with_line(self, line, filepath, line_number):
-        #pylint: disable=too-many-return-statements
-
-        # Use endswith() rather than the more correct os.path.basename()
-        # because experimentally, it makes a significant difference to
-        # the running time.
-        if filepath.endswith(THIS_FILE_BASE_NAME) and \
-           line_number > LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER:
-            # Avoid false positives from the code in this class.
-            # Also skip the rest of this file, which is highly unlikely to
-            # contain any problematic statements since we put those near the
-            # top of files.
-            return False
-
-        m = self.COPYRIGHT_RE.match(line)
-        if m and m.group(1) != self.COPYRIGHT_HOLDER:
-            self.problem = 'Invalid copyright line'
-            return True
-
-        m = self.SPDX_RE.match(line)
-        if m:
-            if m.group(1) != self.SPDX_HEADER_KEY:
-                self.problem = 'Misspelled ' + self.SPDX_HEADER_KEY.decode()
-                return True
-            if not m.group(3):
-                self.problem = 'Improperly formatted SPDX license identifier'
-                return True
-            if m.group(3) != self.LICENSE_IDENTIFIER:
-                self.problem = 'Wrong SPDX license identifier'
-                return True
-
-        m = self.LICENSE_MENTION_RE.match(line)
-        if m:
-            self.problem = 'Suspicious license mention'
-            return True
-
-        return False
-
-
-class IntegrityChecker:
-    """Sanity-check files under the current directory."""
-
-    def __init__(self, log_file):
-        """Instantiate the sanity checker.
-        Check files under the current directory.
-        Write a report of issues to log_file."""
-        build_tree.check_repo_path()
-        self.logger = None
-        self.setup_logger(log_file)
-        self.issues_to_check = [
-            ShebangIssueTracker(),
-            EndOfFileNewlineIssueTracker(),
-            Utf8BomIssueTracker(),
-            UnicodeIssueTracker(),
-            UnixLineEndingIssueTracker(),
-            WindowsLineEndingIssueTracker(),
-            TrailingWhitespaceIssueTracker(),
-            TabIssueTracker(),
-            MergeArtifactIssueTracker(),
-            LicenseIssueTracker(),
-        ]
-
-    def setup_logger(self, log_file, level=logging.INFO):
-        """Log to log_file if provided, or to stderr if None."""
-        self.logger = logging.getLogger()
-        self.logger.setLevel(level)
-        if log_file:
-            handler = logging.FileHandler(log_file)
-            self.logger.addHandler(handler)
-        else:
-            console = logging.StreamHandler()
-            self.logger.addHandler(console)
-
-    @staticmethod
-    def collect_files():
-        """Return the list of files to check.
-
-        These are the regular files commited into Git.
-        """
-        bytes_output = subprocess.check_output(['git', '-C', 'framework',
-                                                'ls-files', '-z'])
-        bytes_framework_filepaths = bytes_output.split(b'\0')[:-1]
-        bytes_framework_filepaths = ["framework/".encode() + filepath
-                                     for filepath in bytes_framework_filepaths]
-
-        bytes_output = subprocess.check_output(['git', 'ls-files', '-z'])
-        bytes_filepaths = bytes_output.split(b'\0')[:-1] + \
-                          bytes_framework_filepaths
-        ascii_filepaths = map(lambda fp: fp.decode('ascii'), bytes_filepaths)
-
-        # Filter out directories. Normally Git doesn't list directories
-        # (it only knows about the files inside them), but there is
-        # at least one case where 'git ls-files' includes a directory:
-        # submodules. Just skip submodules (and any other directories).
-        ascii_filepaths = [fp for fp in ascii_filepaths
-                           if os.path.isfile(fp)]
-        # Prepend './' to files in the top-level directory so that
-        # something like `'/Makefile' in fp` matches in the top-level
-        # directory as well as in subdirectories.
-        return [fp if os.path.dirname(fp) else os.path.join(os.curdir, fp)
-                for fp in ascii_filepaths]
-
-    def check_files(self):
-        """Check all files for all issues."""
-        for issue_to_check in self.issues_to_check:
-            for filepath in self.collect_files():
-                if issue_to_check.should_check_file(filepath):
-                    issue_to_check.check_file_for_issue(filepath)
-
-    def output_issues(self):
-        """Log the issues found and their locations.
-
-        Return 1 if there were issues, 0 otherwise.
-        """
-        integrity_return_code = 0
-        for issue_to_check in self.issues_to_check:
-            if issue_to_check.files_with_issues:
-                integrity_return_code = 1
-            issue_to_check.output_file_issues(self.logger)
-        return integrity_return_code
-
-
-def run_main():
-    parser = argparse.ArgumentParser(description=__doc__)
-    parser.add_argument(
-        "-l", "--log_file", type=str, help="path to optional output log",
-    )
-    check_args = parser.parse_args()
-    integrity_check = IntegrityChecker(check_args.log_file)
-    integrity_check.check_files()
-    return_code = integrity_check.output_issues()
-    sys.exit(return_code)
-
-
-if __name__ == "__main__":
-    run_main()
diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh
index 7b60b49..0ff7f44 100644
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -41,7 +41,7 @@
 
 component_check_files () {
     msg "Check: file sanity checks (permissions, encodings)" # < 1s
-    tests/scripts/check_files.py
+    framework/scripts/check_files.py
 }
 
 component_check_changelog () {
@@ -137,7 +137,7 @@
 
 component_check_code_style () {
     msg "Check C code style"
-    ./scripts/code_style.py
+    ./framework/scripts/code_style.py
 }
 
 support_check_code_style () {
diff --git a/tests/scripts/components-configuration-x509.sh b/tests/scripts/components-configuration-x509.sh
index e8ef283..800d98e 100644
--- a/tests/scripts/components-configuration-x509.sh
+++ b/tests/scripts/components-configuration-x509.sh
@@ -11,9 +11,9 @@
 
 component_test_no_x509_info () {
     msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
-    scripts/config.pl full
-    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
-    scripts/config.pl set MBEDTLS_X509_REMOVE_INFO
+    scripts/config.py full
+    scripts/config.py unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+    scripts/config.py set MBEDTLS_X509_REMOVE_INFO
     make CFLAGS='-Werror -O2'
 
     msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh
deleted file mode 100755
index cfc98df..0000000
--- a/tests/scripts/docker_env.sh
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/bin/bash -eu
-
-# docker_env.sh
-#
-# Purpose
-# -------
-#
-# This is a helper script to enable running tests under a Docker container,
-# thus making it easier to get set up as well as isolating test dependencies
-# (which include legacy/insecure configurations of openssl and gnutls).
-#
-# WARNING: the Dockerfile used by this script is no longer maintained! See
-# https://github.com/Mbed-TLS/mbedtls-test/blob/master/README.md#quick-start
-# for the set of Docker images we use on the CI.
-#
-# Notes for users
-# ---------------
-# This script expects a Linux x86_64 system with a recent version of Docker
-# installed and available for use, as well as http/https access. If a proxy
-# server must be used, invoke this script with the usual environment variables
-# (http_proxy and https_proxy) set appropriately. If an alternate Docker
-# registry is needed, specify MBEDTLS_DOCKER_REGISTRY to point at the
-# host name.
-#
-#
-# Running this script directly will check for Docker availability and set up
-# the Docker image.
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-
-# default values, can be overridden by the environment
-: ${MBEDTLS_DOCKER_GUEST:=bionic}
-
-
-DOCKER_IMAGE_TAG="armmbed/mbedtls-test:${MBEDTLS_DOCKER_GUEST}"
-
-# Make sure docker is available
-if ! which docker > /dev/null; then
-    echo "Docker is required but doesn't seem to be installed. See https://www.docker.com/ to get started"
-    exit 1
-fi
-
-# Figure out if we need to 'sudo docker'
-if groups | grep docker > /dev/null; then
-    DOCKER="docker"
-else
-    echo "Using sudo to invoke docker since you're not a member of the docker group..."
-    DOCKER="sudo docker"
-fi
-
-# Figure out the number of processors available
-if [ "$(uname)" == "Darwin" ]; then
-    NUM_PROC="$(sysctl -n hw.logicalcpu)"
-else
-    NUM_PROC="$(nproc)"
-fi
-
-# Build the Docker image
-echo "Getting docker image up to date (this may take a few minutes)..."
-${DOCKER} image build \
-    -t ${DOCKER_IMAGE_TAG} \
-    --cache-from=${DOCKER_IMAGE_TAG} \
-    --build-arg MAKEFLAGS_PARALLEL="-j ${NUM_PROC}" \
-    --network host \
-    ${http_proxy+--build-arg http_proxy=${http_proxy}} \
-    ${https_proxy+--build-arg https_proxy=${https_proxy}} \
-    ${MBEDTLS_DOCKER_REGISTRY+--build-arg MY_REGISTRY="${MBEDTLS_DOCKER_REGISTRY}/"} \
-    tests/docker/${MBEDTLS_DOCKER_GUEST}
-
-run_in_docker()
-{
-    ENV_ARGS=""
-    while [ "$1" == "-e" ]; do
-        ENV_ARGS="${ENV_ARGS} $1 $2"
-        shift 2
-    done
-
-    ${DOCKER} container run -it --rm \
-        --cap-add SYS_PTRACE \
-        --user "$(id -u):$(id -g)" \
-        --volume $PWD:$PWD \
-        --workdir $PWD \
-        -e MAKEFLAGS \
-        -e PYLINTHOME=/tmp/.pylintd \
-        ${ENV_ARGS} \
-        ${DOCKER_IMAGE_TAG} \
-        $@
-}
diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake
deleted file mode 100755
index a34365b..0000000
--- a/tests/scripts/quiet/cmake
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /usr/bin/env bash
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# This swallows the output of the wrapped tool, unless there is an error.
-# This helps reduce excess logging in the CI.
-
-# If you are debugging a build / CI issue, you can get complete unsilenced logs
-# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
-
-# export VERBOSE_LOGS=1
-
-# don't silence invocations containing these arguments
-NO_SILENCE=" --version "
-
-TOOL="cmake"
-
-. "$(dirname "$0")/quiet.sh"
diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make
deleted file mode 100755
index 920e5b8..0000000
--- a/tests/scripts/quiet/make
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /usr/bin/env bash
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# This swallows the output of the wrapped tool, unless there is an error.
-# This helps reduce excess logging in the CI.
-
-# If you are debugging a build / CI issue, you can get complete unsilenced logs
-# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
-
-# export VERBOSE_LOGS=1
-
-# don't silence invocations containing these arguments
-NO_SILENCE=" --version | test "
-
-TOOL="make"
-
-. "$(dirname "$0")/quiet.sh"
diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh
deleted file mode 100644
index 0f26184..0000000
--- a/tests/scripts/quiet/quiet.sh
+++ /dev/null
@@ -1,79 +0,0 @@
-# -*-mode: sh; sh-shell: bash -*-
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# This swallows the output of the wrapped tool, unless there is an error.
-# This helps reduce excess logging in the CI.
-
-# If you are debugging a build / CI issue, you can get complete unsilenced logs
-# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
-#
-# VERBOSE_LOGS=1
-#
-# This script provides most of the functionality for the adjacent make and cmake
-# wrappers.
-#
-# It requires two variables to be set:
-#
-# TOOL       - the name of the tool that is being wrapped (with no path), e.g. "make"
-#
-# NO_SILENCE - a regex that describes the commandline arguments for which output will not
-#              be silenced, e.g. " --version | test ". In this example, "make lib test" will
-#              not be silent, but "make lib" will be.
-
-# Identify path to original tool. There is an edge-case here where the quiet wrapper is on the path via
-# a symlink or relative path, but "type -ap" yields the wrapper with it's normalised path. We use
-# the -ef operator to compare paths, to avoid picking the wrapper in this case (to avoid infinitely
-# recursing).
-while IFS= read -r ORIGINAL_TOOL; do
-    if ! [[ $ORIGINAL_TOOL -ef "$0" ]]; then break; fi
-done < <(type -ap -- "$TOOL")
-
-print_quoted_args() {
-    # similar to printf '%q' "$@"
-    # but produce more human-readable results for common/simple cases like "a b"
-    for a in "$@"; do
-        # Get bash to quote the string
-        printf -v q '%q' "$a"
-        simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$"
-        if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then
-            # a requires some quoting (a != q), but has no single quotes, so we can
-            # simplify the quoted form - e.g.:
-            #   a b        -> 'a b'
-            #   CFLAGS=a b -> CFLAGS='a b'
-            q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'"
-        fi
-        printf " %s" "$q"
-    done
-}
-
-if [[ ! " $* " =~ " --version " ]]; then
-    # Display the command being invoked - if it succeeds, this is all that will
-    # be displayed. Don't do this for invocations with --version, because
-    # this output is often parsed by scripts, so we don't want to modify it.
-    printf %s "${TOOL}"    1>&2
-    print_quoted_args "$@" 1>&2
-    echo                   1>&2
-fi
-
-if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then
-    # Run original command with no output supression
-    exec "${ORIGINAL_TOOL}" "$@"
-else
-    # Run original command and capture output & exit status
-    TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX")
-    "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1
-    EXIT_STATUS=$?
-
-    if [[ $EXIT_STATUS -ne 0 ]]; then
-        # On error, display the full output
-        cat "${TMPFILE}"
-    fi
-
-    # Remove tmpfile
-    rm "${TMPFILE}"
-
-    # Propagate the exit status
-    exit $EXIT_STATUS
-fi
diff --git a/tests/scripts/tcp_client.pl b/tests/scripts/tcp_client.pl
deleted file mode 100755
index 9aff22d..0000000
--- a/tests/scripts/tcp_client.pl
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/env perl
-
-# A simple TCP client that sends some data and expects a response.
-# Usage: tcp_client.pl HOSTNAME PORT DATA1 RESPONSE1
-#   DATA: hex-encoded data to send to the server
-#   RESPONSE: regexp that must match the server's response
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-use warnings;
-use strict;
-use IO::Socket::INET;
-
-# Pack hex digits into a binary string, ignoring whitespace.
-sub parse_hex {
-    my ($hex) = @_;
-    $hex =~ s/\s+//g;
-    return pack('H*', $hex);
-}
-
-## Open a TCP connection to the specified host and port.
-sub open_connection {
-    my ($host, $port) = @_;
-    my $socket = IO::Socket::INET->new(PeerAddr => $host,
-                                       PeerPort => $port,
-                                       Proto => 'tcp',
-                                       Timeout => 1);
-    die "Cannot connect to $host:$port: $!" unless $socket;
-    return $socket;
-}
-
-## Close the TCP connection.
-sub close_connection {
-    my ($connection) = @_;
-    $connection->shutdown(2);
-    # Ignore shutdown failures (at least for now)
-    return 1;
-}
-
-## Write the given data, expressed as hexadecimal
-sub write_data {
-    my ($connection, $hexdata) = @_;
-    my $data = parse_hex($hexdata);
-    my $total_sent = 0;
-    while ($total_sent < length($data)) {
-        my $sent = $connection->send($data, 0);
-        if (!defined $sent) {
-            die "Unable to send data: $!";
-        }
-        $total_sent += $sent;
-    }
-    return 1;
-}
-
-## Read a response and check it against an expected prefix
-sub read_response {
-    my ($connection, $expected_hex) = @_;
-    my $expected_data = parse_hex($expected_hex);
-    my $start_offset = 0;
-    while ($start_offset < length($expected_data)) {
-        my $actual_data;
-        my $ok = $connection->recv($actual_data, length($expected_data));
-        if (!defined $ok) {
-            die "Unable to receive data: $!";
-        }
-        if (($actual_data ^ substr($expected_data, $start_offset)) =~ /[^\000]/) {
-            printf STDERR ("Received \\x%02x instead of \\x%02x at offset %d\n",
-                           ord(substr($actual_data, $-[0], 1)),
-                           ord(substr($expected_data, $start_offset + $-[0], 1)),
-                           $start_offset + $-[0]);
-            return 0;
-        }
-        $start_offset += length($actual_data);
-    }
-    return 1;
-}
-
-if (@ARGV != 4) {
-    print STDERR "Usage: $0 HOSTNAME PORT DATA1 RESPONSE1\n";
-    exit(3);
-}
-my ($host, $port, $data1, $response1) = @ARGV;
-my $connection = open_connection($host, $port);
-write_data($connection, $data1);
-if (!read_response($connection, $response1)) {
-    exit(1);
-}
-close_connection($connection);
diff --git a/tests/scripts/travis-log-failure.sh b/tests/scripts/travis-log-failure.sh
deleted file mode 100755
index 3daecf3..0000000
--- a/tests/scripts/travis-log-failure.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-
-# travis-log-failure.sh
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# Purpose
-#
-# List the server and client logs on failed ssl-opt.sh and compat.sh tests.
-# This script is used to make the logs show up in the Travis test results.
-#
-# Some of the logs can be very long: this means usually a couple of megabytes
-# but it can be much more. For example, the client log of test 273 in ssl-opt.sh
-# is more than 630 Megabytes long.
-
-if [ -d include/mbedtls ]; then :; else
-    echo "$0: must be run from root" >&2
-    exit 1
-fi
-
-FILES="o-srv-*.log o-cli-*.log c-srv-*.log c-cli-*.log o-pxy-*.log"
-MAX_LOG_SIZE=1048576
-
-for PATTERN in $FILES; do
-    for LOG in $( ls tests/$PATTERN 2>/dev/null ); do
-        echo
-        echo "****** BEGIN file: $LOG ******"
-        echo
-        tail -c $MAX_LOG_SIZE $LOG
-        echo "****** END file: $LOG ******"
-        echo
-        rm $LOG
-    done
-done
diff --git a/tests/ssl-opt-in-docker.sh b/tests/ssl-opt-in-docker.sh
deleted file mode 100755
index c0c85fc..0000000
--- a/tests/ssl-opt-in-docker.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/bash -eu
-
-# ssl-opt-in-docker.sh
-#
-# Purpose
-# -------
-# This runs ssl-opt.sh in a Docker container.
-#
-# WARNING: the Dockerfile used by this script is no longer maintained! See
-# https://github.com/Mbed-TLS/mbedtls-test/blob/master/README.md#quick-start
-# for the set of Docker images we use on the CI.
-#
-# Notes for users
-# ---------------
-# If OPENSSL, GNUTLS_CLI, or GNUTLS_SERV are specified, the path must
-# correspond to an executable inside the Docker container. The special
-# values "next" and "legacy" are also allowed as shorthand for the
-# installations inside the container.
-#
-# See also:
-# - scripts/docker_env.sh for general Docker prerequisites and other information.
-# - ssl-opt.sh for notes about invocation of that script.
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-source tests/scripts/docker_env.sh
-
-case "${OPENSSL:-default}" in
-    "legacy")  export OPENSSL="/usr/local/openssl-1.0.1j/bin/openssl";;
-    "next")    export OPENSSL="/usr/local/openssl-1.1.1a/bin/openssl";;
-    *) ;;
-esac
-
-case "${GNUTLS_CLI:-default}" in
-    "legacy")  export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";;
-    "next")  export GNUTLS_CLI="/usr/local/gnutls-3.7.2/bin/gnutls-cli";;
-    *) ;;
-esac
-
-case "${GNUTLS_SERV:-default}" in
-    "legacy")  export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";;
-    "next")  export GNUTLS_SERV="/usr/local/gnutls-3.7.2/bin/gnutls-serv";;
-    *) ;;
-esac
-
-run_in_docker \
-    -e P_SRV \
-    -e P_CLI \
-    -e P_PXY \
-    -e GNUTLS_CLI \
-    -e GNUTLS_SERV \
-    -e OPENSSL \
-    tests/ssl-opt.sh \
-    $@
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2750fa9..0376018 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -68,7 +68,6 @@
 O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client"
 G_SRV="$GNUTLS_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
 G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
-TCP_CLIENT="$PERL scripts/tcp_client.pl"
 
 # alternative versions of OpenSSL and GnuTLS (no default path)
 
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index f197d04..a8cf711 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -181,7 +181,7 @@
 #define MBEDTLS_MD_ALG_FOR_TEST         MBEDTLS_MD_SHA512
 #endif
 
-#include <../src/test_keys.h>
+#include <test/test_keys.h>
 
 /* Define an RSA key size we know it's present in predefined_key[] array. */
 #define RSA_KEY_SIZE   1024
@@ -243,7 +243,7 @@
 
 /** Setup the provided PK context.
  *
- * Predefined keys used for the setup are taken from "test/src/test_keys.h"
+ * Predefined keys used for the setup are taken from <test/test_keys.h>
  * which is automatically generated using "framework/scripts/generate_test_keys.py".
  *
  * \param pk               The PK object to fill. It must  have been initialized
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index bbf7575..8c53fdc 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -156,10 +156,6 @@
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
 import_export:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1
 
-PSA import/export RSA keypair: trailing garbage rejected, opaque
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
-import_with_data:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT
-
 PSA import RSA keypair: truncated
 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b":PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_ERROR_INVALID_ARGUMENT
@@ -422,7 +418,7 @@
 
 PSA import/export-public EC brainpool512r1: good, opaque
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_BRAINPOOL_P_R1_512:PSA_CRYPTO_DRIVER_TEST
-import_export_public_key:"372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51879fe1012934dfe5395455337df6906dc7d6d2eea4dbb2065c0228f73b3ed716480e7d71d2":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):PSA_ALG_ECDSA_ANY:0:0:PSA_SUCCESS:"0438b7ec92b61c5c6c7fbc28a4ec759d48fcd4e2e374defd5c4968a54dbef7510e517886fbfc38ea39aa529359d70a7156c35d3cbac7ce776bdb251dd64bce71234424ee7049eed072f0dbc4d79996e175d557e263763ae97095c081e73e7db2e38adc3d4c9a0487b1ede876dc1fca61c902e9a1d8722b8612928f18a24845591a"
+import_export_public_key:"372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51879fe1012934dfe5395455337df6906dc7d6d2eea4dbb2065c0228f73b3ed716480e7d71d2":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):PSA_ALG_ECDSA_ANY:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):0:PSA_SUCCESS:"0438b7ec92b61c5c6c7fbc28a4ec759d48fcd4e2e374defd5c4968a54dbef7510e517886fbfc38ea39aa529359d70a7156c35d3cbac7ce776bdb251dd64bce71234424ee7049eed072f0dbc4d79996e175d557e263763ae97095c081e73e7db2e38adc3d4c9a0487b1ede876dc1fca61c902e9a1d8722b8612928f18a24845591a"
 
 PSA import/export EC curve25519 key pair: good (already properly masked), opaque
 depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_MONTGOMERY_255:PSA_CRYPTO_DRIVER_TEST
@@ -4489,11 +4485,11 @@
 
 PSA sign hash int (ops=inf): det ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
 PSA sign hash int (ops=min): det ECDSA not supported
 depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
-sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:0
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:0
 
 PSA sign/verify hash: RSA PKCS#1 v1.5, raw
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
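Review bot: The two `det ECDSA not supported` cases now expect `PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE`, but nothing in the data file says why the second status is `BAD_STATE`. Assuming the two fields are the expected start and complete statuses of `sign_hash_fail_interruptible` (the function is not in this hunk), a short comment above the pair would help, for example `# start() rejects the unsupported algorithm, so complete() runs on an inactive operation and reports BAD_STATE.` That records that the unsupported algorithm is meant to be refused before any signing state is set up, not partway through the operation.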
@@ -4735,6 +4731,29 @@
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
 verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"bed412df472eef873fb0839f91a6867d1c6824d4c5781d4b851faa43c7df904d99dbdd28c0d2fd3a4a006e89d34993a120aff166deb4974e96449a7ffe93c66726ad9443b14b87330c86bdde3faff5fd1cbfdc9afe46f8090376f9664cb116b4":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
 
+# The next 4 test cases check what happens if only one of the two ECDSA
+# variants is supported. The ECDSA variants (deterministic and randomized)
+# are different signature algorithms that can be enabled independently,
+# but they have the same verification. Mbed TLS accepts either variant
+# as the algorithm requested for verification even if that variant is not
+# supported. Test that this works. It would also be acceptable if the
+# library returned NOT_SUPPORTED in this case.
+PSA verify hash: ECDSA SECP256R1, only deterministic supported
+depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256
+verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash with keypair: ECDSA SECP256R1, only deterministic supported
+depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ECC_SECP_R1_256
+verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash: deterministic ECDSA SECP256R1, only randomized supported
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash with keypair: deterministic ECDSA SECP256R1, only randomized supported
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
 PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE
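Review bot: The four new cases only exercise the accept path through `verify_hash`, so in a build with just one ECDSA variant enabled nothing checks that a bad signature is still rejected when the requested algorithm is the disabled variant. The existing negative case right after them (`wrong signature size`) depends on `PSA_WANT_ALG_ECDSA`, so it is skipped in a deterministic-only build. Consider adding `verify_hash_fail` counterparts with the same `depends_on` lines and an altered signature, expecting `PSA_ERROR_INVALID_SIGNATURE`. The comment also says `NOT_SUPPORTED` would be acceptable, yet these cases presumably fail on it; a line such as `# These cases must be updated if the library starts returning NOT_SUPPORTED here.` would make that explicit.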
@@ -4844,14 +4863,14 @@
 sign_message_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263":0:PSA_ERROR_INVALID_ARGUMENT
 
 PSA sign message: RSA PKCS#1 v1.5 SHA-256, invalid key type
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_CHACHA20
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_CHACHA20
 sign_message_fail:PSA_KEY_TYPE_CHACHA20:"4bddc98c551a95395ef719557f813656b566bc45aac04eca3866324cc75489f2":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":128:PSA_ERROR_INVALID_ARGUMENT
 
-PSA sign message: ECDSA SECP256R1 SHA-256, invalid hash (wildcard)
+PSA sign message: ECDSA SECP256R1, invalid hash (wildcard)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
 sign_message_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):"616263":64:PSA_ERROR_INVALID_ARGUMENT
 
-PSA sign message: ECDSA SECP256R1 SHA-256, invalid hash algorithm (0)
+PSA sign message: ECDSA SECP256R1, invalid hash algorithm (0)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
 sign_message_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(0):"616263":64:PSA_ERROR_INVALID_ARGUMENT
 
diff --git a/tests/suites/test_suite_psa_crypto_not_supported.function b/tests/suites/test_suite_psa_crypto_not_supported.function
index e5e66f4..4f15a3f 100644
--- a/tests/suites/test_suite_psa_crypto_not_supported.function
+++ b/tests/suites/test_suite_psa_crypto_not_supported.function
@@ -20,10 +20,28 @@
 
     PSA_ASSERT(psa_crypto_init());
     psa_set_key_type(&attributes, key_type);
-    TEST_EQUAL(psa_import_key(&attributes,
-                              key_material->x, key_material->len,
-                              &key_id),
-               PSA_ERROR_NOT_SUPPORTED);
+    psa_status_t actual_status =
+        psa_import_key(&attributes, key_material->x, key_material->len, &key_id);
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+    if (actual_status == PSA_ERROR_INVALID_ARGUMENT) {
+        /* Edge case: when importing an ECC public key with an unspecified
+         * bit-size (as we do here), the implementation of psa_import_key()
+         * infers the bit-size from the input. If the key type specifies an
+         * unknown curve, the validation might reject the data as invalid
+         * before it checks that the curve is supported. If so, that's ok.
+         * In practice, at the time of writing, this happens with Ed25519,
+         * for which a valid but unsupported 32-byte input causes
+         * psa_import_key() to fail because it assumes a Weierstrass curve
+         * which must have an odd-length encoding.
+         *
+         * In other cases, we do not expect an INVALID_ARGUMENT error here. */
+        TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(key_type));
+    } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */
+    {
+        TEST_EQUAL(actual_status, PSA_ERROR_NOT_SUPPORTED);
+    }
     TEST_ASSERT(mbedtls_svc_key_id_equal(key_id, MBEDTLS_SVC_KEY_ID_INIT));
 
 exit:
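Review bot: The relaxed check `TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(key_type));` accepts `PSA_ERROR_INVALID_ARGUMENT` for every ECC key type, key pairs included, while the comment above it justifies the exception only for public-key imports with an inferred bit size. If key-pair imports never take that path, `TEST_ASSERT(PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type));` would keep the exception as narrow as the documented edge case, so an unexpected `INVALID_ARGUMENT` on an unsupported key pair still fails the test. The `else` left dangling before `#endif` is also easy to misread; a short comment such as `/* else-branch, or the unconditional check when ECC public keys are disabled */` on the following brace would help. The enclosing test function starts before this hunk.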
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 9289869..1d299b9 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -223,12 +223,9 @@
     size_t length = SIZE_MAX;
     psa_sign_hash_interruptible_operation_t sign_operation =
         psa_sign_hash_interruptible_operation_init();
-
     psa_verify_hash_interruptible_operation_t verify_operation =
         psa_verify_hash_interruptible_operation_init();
 
-
-
     PSA_INIT();
 
     psa_set_key_type(&attributes, key_type);
@@ -252,8 +249,8 @@
     PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
 
     if (!private_only) {
-        /* Determine a plausible signature size to avoid an INVALID_SIGNATURE
-         * error based on this. */
+        /* Construct a signature candidate of a plausible size to avoid an
+         * INVALID_SIGNATURE error based on an early size verification. */
         PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
         size_t key_bits = psa_get_key_bits(&attributes);
         size_t output_length = sizeof(output);
@@ -277,6 +274,8 @@
     }
 
 exit:
+    psa_sign_hash_abort(&sign_operation);
+    psa_verify_hash_abort(&verify_operation);
     psa_destroy_key(key_id);
     psa_reset_key_attributes(&attributes);
     PSA_DONE();
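Review bot: The two abort calls added under `exit:` carry no comment saying why they are needed, even though `psa_sign_hash_abort()` is already checked with PSA_ASSERT earlier in the function. I would add `/* A failed assertion can jump here with an operation still active; aborting an already-aborted operation is harmless. */` above them. The function body starts outside the hunk.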
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.misc.data b/tests/suites/test_suite_psa_crypto_op_fail.misc.data
index 7158f2d..0c69fa8 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.misc.data
+++ b/tests/suites/test_suite_psa_crypto_op_fail.misc.data
@@ -13,3 +13,24 @@
 PSA sign RSA_PSS(SHA_256): RSA_PSS not enabled, key pair
 depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_ERROR_NOT_SUPPORTED
+
+# There is a special case with ECDSA: deterministic and randomized ECDSA are
+# different signature algorithms that can be enabled independently, but
+# the verification algorithms are the same. Mbed TLS supports verification
+# of either variant when either variant is enabled. (It would also be correct
+# to reject the not-supported algorithm, but it would require a few more lines
+# of code.) In the automatically generated test cases, we avoid this difficulty
+# by making the not-supported test cases require neither variant to be
+# enabled. Here, test the signature operation when one variant is supported
+# but not the other. Testing the positive cases for the verification
+# operation is the job of test_suite_psa_crypto.
+#
+# We only test with one curve and one hash, because we know from a gray-box
+# approach that the curve and hash don't matter here.
+PSA sign DETERMINISTIC_ECDSA(SHA_256): !DETERMINISTIC_ECDSA but ECDSA with ECC_KEY_PAIR(SECP_R1)
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
+
+PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
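Review bot: The second added case is titled `PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA ...`, but its `sign_fail` line passes `PSA_ALG_ECDSA(PSA_ALG_SHA_256)`, so the description names the wrong algorithm. A failure report would then point at the supported variant. The title should read `PSA sign ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)`. Separately, both new cases depend only on `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT`, while the RSA case above lists both the `_BASIC` and `_IMPORT` symbols. If that asymmetry is intentional, a short comment would help.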
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
index efd24e9..b430096 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
@@ -196,6 +196,9 @@
     return mock_export_public_data.return_value;
 }
 
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+    defined(PSA_WANT_ALG_ECDSA) && \
+    defined(PSA_WANT_ALG_SHA_256)
 static psa_status_t mock_sign(psa_drv_se_context_t *context,
                               psa_key_slot_number_t key_slot,
                               psa_algorithm_t alg,
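Review bot: The `#if` added around the static `mock_sign()` repeats by hand the `depends_on:` list that a later hunk puts on the `mock_sign` test case, and the same holds for the guard around `mock_verify()`. Nothing ties the two together, so if one side changes, the helper becomes unused or goes missing in some configurations. I would add a comment above each guard, e.g. `/* Keep in sync with the depends_on of the mock_sign test case. */`, and label the closing lines, e.g. `#endif /* PSA_WANT_ALG_ECDSA && PSA_WANT_ALG_SHA_256 */` for `mock_verify()`. That the test cases are the only users of these helpers is inferred, since their bodies lie outside the hunks.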
@@ -218,7 +221,9 @@
 
     return mock_sign_data.return_value;
 }
+#endif
 
+#if defined(PSA_WANT_ALG_ECDSA) && defined(PSA_WANT_ALG_SHA_256)
 static psa_status_t mock_verify(psa_drv_se_context_t *context,
                                 psa_key_slot_number_t key_slot,
                                 psa_algorithm_t alg,
@@ -239,6 +244,7 @@
 
     return mock_verify_data.return_value;
 }
+#endif
 
 static psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
                                   void *persistent_data,
@@ -550,7 +556,7 @@
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 */
 void mock_sign(int mock_sign_return_value, int expected_result)
 {
     psa_drv_se_t driver;
@@ -611,7 +617,7 @@
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 */
 void mock_verify(int mock_verify_return_value, int expected_result)
 {
     psa_drv_se_t driver;