-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixup or re-enable tests with Use PSA #5742
Fixup or re-enable tests with Use PSA #5742
Conversation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
…te_mfl tests with PSA Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
@mpg the only remaining test with !MBEDTLS_USE_PSA_CRYPTO is :
in But there is an alternate one for PSA, because the wrong salt len doesn't return Where this should be documented, can we add comments into |
Those were disabled in original submission, but it works fine with PSA crypto enabled. Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Found a very explicit comment in mbedtls/library/psa_crypto_rsa.c Lines 520 to 522 in 473d585
tests/suites/test_suite_pk.data to document the PSA specific test need
|
62a19c7
to
9b3899e
Compare
I think a comment in the data file explaining why there are two versions of the test's data is good, but actually I'd prefer to handle that in the test function, for example: #if defined(MBEDTLS_USE_PSA_CRYTPO)
if( result == MBEDTLS_ERR_RSA_INVALID_PADDING )
result = MBEDTLS_ERR_RSA_VERIFY_FAILED;
#endif (with a comment explaining why). Do you think that would work as well? The reason I think this is preferable is that having no test case that depends on Actually, this makes me think: perhaps we should add a component in |
@mpg Ok ! I'll move it to the function instead with the same comment. I'll also try to detect the non-PSA test cases in |
Cool, thanks! Also, if you don't mind me expanding the scope of the task a bit: we should check in I just did, and found two tests that have Can you remove those and also add that to the |
@mpg sure will do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy with the code, but I'm requesting further tuning of the comment.
* error depending on which path was taken. | ||
* If the PSA path is used, it won't because Mbed TLS | ||
* distinguishes "invalid padding" from "valid padding but | ||
* the rest of the signature is invalid". This has little use in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for picking on grammar, but I don't think we should have a full stop here, the explanation introduced by the "because" is not complete yet - the reason is "and PSA doesn't report this distinction". While editing this comment, I think we might want to expand on why a non-PSA path might be taken while USE_PSA
is active.
Here's a suggestion:
/* Mbed TLS distinguishes "invalid padding" from "valid padding but
* the rest of the signature is invalid". This has little use in
* practice and PSA doesn't report this distinction.
* In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated
* to MBEDTLS_ERR_RSA_VERIFY_FAILED.
* However, currently `mbedtls_pk_verify_ext()` may use either the PSA or the
* Mbed TLS API, depending on the PSS options used. So, it may return either
* INVALID_PADDING or INVALID_SIGNATURE.
*/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm ok with that, I'll update the comment
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
We've decided not to check it, see Mbed-TLS#5277 Also, remove the check about no test depending on !USE_PSA - here it's clearly the right thing to do, and adding this check to all.sh was already controversial in the first place [1] so let's not keep it if it becomes an annoyance. [1]: Mbed-TLS#5742 (comment) Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We've decided not to check it, see Mbed-TLS#5277 Also, remove the check about no test depending on !USE_PSA - here it's clearly the right thing to do, and adding this check to all.sh was already controversial in the first place [1] so let's not keep it if it becomes an annoyance. [1]: Mbed-TLS#5742 (comment) Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The previous commit declared that some tests cases in ssl-opt.sh depend on USE_PSA being disabled, which is the right thing to do. We had a check that forbade that - it was mainly meant to prevent accidental re-introduction of such dependencies after we cleaned up a number of cases where it was not warranted, but already at the time that was controversial [1]. Now it's preventing us from doing the right thing, so let's just remove it. [1]: Mbed-TLS#5742 (comment) See also Mbed-TLS#5907 which also removes this for a similar reason. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The previous commit declared that some tests cases in ssl-opt.sh depend on USE_PSA being disabled, which is the right thing to do. We had a check that forbade that - it was mainly meant to prevent accidental re-introduction of such dependencies after we cleaned up a number of cases where it was not warranted, but already at the time that was controversial [1]. Now it's preventing us from doing the right thing, so let's just remove it. [1]: Mbed-TLS#5742 (comment) See also Mbed-TLS#5907 which also removes this for a similar reason. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The previous commit declared that some tests cases in ssl-opt.sh depend on USE_PSA being disabled, which is the right thing to do. We had a check that forbade that - it was mainly meant to prevent accidental re-introduction of such dependencies after we cleaned up a number of cases where it was not warranted, but already at the time that was controversial [1]. Now it's preventing us from doing the right thing, so let's just remove it. [1]: Mbed-TLS#5742 (comment) See also Mbed-TLS#5907 which also removes this for a similar reason. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Description
There are a number of tests that currently depend on
!MBEDTLS_USE_PSA_CRYPTO
. Since thisUSE_PSA
is meant to become the default, and even the only option at some point, it is should enjoy at least as much test coverage as the non-PSA variant.Resolves #5669
Status
READY
Requires Backporting
NO
Migrations
NO
Additional comments
N/A
Todos
Steps to test or reproduce
test_suite_ssl must run clean