TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8729b10f264f1749658c92fd8cf3ffccd405034c^! / . / tests / scripts / analyze_outcomes.py
commit8729b10f264f1749658c92fd8cf3ffccd405034c[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Fri Apr 19 19:08:34 2024 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Thu Nov 21 09:48:35 2024 +0100
tree3e86b021cceb01291a00f7f1027fe22c975a55e2
parent85bc82c28029e80ac787373312ac17c374cf10fc [diff] [blame]
Fix edge case with half-supported ECDSA (manual test cases)

ECDSA has two variants: deterministic (PSA_ALG_DETERMINISTIC_ECDSA) and
randomized (PSA_ALG_ECDSA). The two variants are different for signature but
identical for verification. Mbed TLS accepts either variant as the algorithm
parameter for verification even when only the other variant is supported,
so we need to handle this as a special case when generating not-supported
test cases.

In this commit:

* Add manually written not-supported test cases for the signature
  operation when exactly one variant is supported.
* Add manually written positive test cases for the verification
  operation when exactly one variant is supported.
* Register that !ECDSA but DETERMINISTIC_ECDSA is not tested yet
  (https://github.com/Mbed-TLS/mbedtls/issues/9592).

A commit in the framework will take care of automatically generated test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 18c8bde..09e1245 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py

@@ -206,6 +206,11 @@
             'PBES2 Encrypt, pad=6 (PKCS7 padding disabled)',
             'PBES2 Encrypt, pad=8 (PKCS7 padding disabled)',
         ],
+        'test_suite_psa_crypto': [
+            # We don't test this unusual, but sensible configuration.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9592
+            re.compile(r'.*ECDSA.*only deterministic supported'),
+        ],
         'test_suite_psa_crypto_generate_key.generated': [
             # Ignore mechanisms that are not implemented, except
             # for public keys for which we always test that
@@ -258,6 +263,9 @@
             # "PSA test case generation: dependency inference class: operation fail"
             # from https://github.com/Mbed-TLS/mbedtls/pull/9025 .
             re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'),
+            # We don't test this unusual, but sensible configuration.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9592
+            re.compile(r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*'),
             # PBKDF2_HMAC is not in the default configuration, so we don't
             # enable it in depends.py where we remove hashes.
             # https://github.com/Mbed-TLS/mbedtls/issues/9576
@@ -272,6 +280,11 @@
             # https://github.com/Mbed-TLS/mbedtls/issues/9578
             re.compile(r'PSA sign RSA_PSS_ANY_SALT.*!(?:MD|RIPEMD|SHA).*'),
         ],
+        'test_suite_psa_crypto_op_fail.misc': [
+            # We don't test this unusual, but sensible configuration.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9592
+            'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long
+        ],
         'test_suite_psa_crypto_storage_format.current': [
             PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
         ],