Try to load the list of tests that TF-PSA-Crypto wants us to ignore in three
ways, depending on the age of the tf-psa-crypto submodule:
* Modern: import `tf_psa_crypto_test_case_info` as an ordinary module,
expected to be found in `tf-psa-crypto/scripts/project_knowledge`.
* First location, quickly superseded: load
`tf-psa-crypto/tests/scripts/tf_psa_crypto_test_case_info.py`,
in a hackish way because we don't want to put that directory on the
load path.
* Oldest: there is no `tf_psa_crypto_test_case_info.py`. Use a hard-coded
list.
Once all the TF-PSA-Crypto branches we care about (e.g. pull requests
in progress) are updated with
`tf-psa-crypto/scripts/project_knowledge/tf_psa_crypto_test_case_info.py`,
we can drop the backward compatibilty hacks and simply
`import tf_psa_crypto_test_case_info` unconditionally and use
`tf_psa_crypto_test_case_info.INTERNAL_TEST_CASES` unconditionally.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This way, when Mbed TLS's `analyze_outcomes.py` loads the python module from
TF-PSA-Crypto (because it needs to know the value of `INTERNAL_TEST_CASES`),
there's no risk that the subproject and the superproject will have different
requirements on auxiliary modules such as `mbedtls_framework.outcome_analysis`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If we can't read `INTERNAL_TEST_CASES` from
`tf-psa-crypto/tests/scripts/analyze_outcomes.py` because the script doesn't
exist, hard-code the legacy value of that information.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If the `tf-psa-crypto` submodule has `tests/scripts/analyze_outcomes.py`,
require it to define a global variable `INTERNAL_TEST_CASES`. Those test
cases will be ignored in Mbed TLS's coverage analysis.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Cleanup following the removal in TF-PSA-Crypto of:
- MBEDTLS_NO_PLATFORM_ENTROPY
- MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- MBEDTLS_ENTROPY_HARDWARE_ALT
- MBEDTLS_ENTROPY_MIN_HARDWARE
Only MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES was still
present in Mbed TLS.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
We cannot remove it completely yet.
It must remain in config.py so that it is not
included in the full configuration.
A temporary exception is required for it in
analyze_outcomes.py.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For the component test_psa_crypto_config_accel_rsa_crypto,
ignore the test cases depending on MBEDTLS_GENPRIME being
enabled. When all RSA crypto is provided by drivers
MBEDTLS_GENPRIME will not be enabled when it is not
a configuration option anymore.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
In preparation of the removal of the configuration
option MBEDTLS_POLY1305_C, disable it in
test_psa_crypto_config_accel_cipher_aead_cmac as
it will be not possible to enable it when
CHACHA20_POLY1305 is accelerated.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
With the removal of the component_test_psa_inject_entropy test,
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES is no longer set in any tests, and so
the CI will complain unless it is added to the ignore list.
Signed-off-by: Felix Conway <felix.conway@arm.com>
Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will
not be implemented. (It would be K1_225 anyway, but we don't intend to
implement it anyway.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
ECDSA has two variants: deterministic (PSA_ALG_DETERMINISTIC_ECDSA) and
randomized (PSA_ALG_ECDSA). The two variants are different for signature but
identical for verification. Mbed TLS accepts either variant as the algorithm
parameter for verification even when only the other variant is supported,
so we need to handle this as a special case when generating not-supported
test cases.
In this commit:
* Add manually written not-supported test cases for the signature
operation when exactly one variant is supported.
* Add manually written positive test cases for the verification
operation when exactly one variant is supported.
* Register that !ECDSA but DETERMINISTIC_ECDSA is not tested yet
(https://github.com/Mbed-TLS/mbedtls/issues/9592).
A commit in the framework will take care of automatically generated test cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Run the function on a few different curves with shorter, just-right and
larger buffer sizes. Perform some basic sanity checks on the output (which
is random).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Do not assume that tests with !PSA_WANT_ALG_TLS12_PRF will not
be executed in AnalyzeCoverage task.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
With the `depend.py` using the crypto config the `PBKDF2_HMAC` can be
enabled so thest cases can be run.
The equivalence (synonym) between `PSA_WANT_ALG_RSA_PSS_ANY_SALT` and
`PSA_WANT_ALG_RSA_PSS` is now done properly, the test can be run.
Dependencies for `MBEDTLS_CIPHER_PADDING_PKCS7' has been updated and
now it can be actually disabled.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
TLS only supports actual restartable ECDH with the legacy code that's going
away, not with the MBEDTLS_USE_PSA_CRYPTO code that's becoming the only
variant. This leaves a few test cases that validate restartable ECDH in TLS
as desirable, but not currently able to pass.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each ignore list entry, link to a GitHub issue for its resolution,
except for a few configurations which there is a good reason to leave
uncovered.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each ignore list entry, link to a GitHub issue for its resolution,
except for ssl-opt Valgrind tests which we never intend to run on the CI.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Ignore certain test cases which either should not be generated or should be
executed. For each ignore list entry, link to a GitHub issue whose
definition of done includes removing the entry.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some negative tests involving unsupported mechanisms are executed, because
they're testing what happens if the mechanism is unsupported. Refine the
ignore list for `test_suite_psa_crypto_generate_key.generated` and
`test_suite_psa_crypto_op_fail.generated` accordingly.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This clears more than half of the test cases that are not executed.
This also captures a few negative test cases that are executed.
Subsequent commits will refine the filtering.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Gilles Peskine