Move some scripts from mbedtls

scripts/check-python-files.sh

@@ -55,30 +55,39 @@ elif [ "$1" = "--can-mypy" ]; then
 fi
 
 echo 'Running pylint ...'
-# Temporary workaround while moving the bulk of abi_check.py to the framework
-# Check abi_check.py separately from the rest of the files, so it's not flagged
-# for code duplication.
-# Temporary workaround for the transitional wrapper framework/scripts/make_generated_files.py
-# as well. Once make_generated_files.py exists in both MbedTLS:development and
-# TF-PSA-Crypto:development branches, we will be able to remove
-# framework/scripts/make_generated_files.py and, consequently, this exception.
-find framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py \
+# When we move Python code between repositories, there is a transition
+# period during which code is duplicated between the old repository and
+# the new repository.
+# Pylint looks for duplicate code inside files that are mentioned in the
+# same invocation. When we move some code from A to B, we want to skip
+# duplicate-code checks between A and B. So we arrange for two separate
+# runs of pylint: one for the A files, and one for the others.
+# Remove exceptions below once the A file (or the moved code in the A file)
+# has been removed from all consuming branches.
+find framework/scripts scripts tests/scripts -name '*.py' \( \
      ! -path scripts/abi_check.py \
+     ! -path scripts/code_size_compare.py \
+     ! -path scripts/ecp_comb_table.py \
+     ! -path tests/scripts/audit-validity-dates.py \
+     ! -path tests/scripts/generate_server9_bad_saltlen.py \
+     ! -path tests/scripts/psa_collect_statuses.py \
+     ! -path tests/scripts/run_demos.py \
+     ! -path tests/scripts/test_config_script.py \
      ! -path framework/scripts/make_generated_files.py \
         -exec $PYTHON -m pylint {} + \
-     -o -exec $PYTHON -m pylint {} + || {
+     -o -exec $PYTHON -m pylint {} + \) || {
     echo >&2 "pylint reported errors"
     ret=1
 }
 
 echo
 echo 'Running mypy ...'
-$PYTHON -m mypy framework/scripts/*.py framework/scripts/mbedtls_framework/*.py || {
+$PYTHON -m mypy framework/scripts || {
     echo >&2 "mypy reported errors in the framework"
     ret=1
 }
 
-$PYTHON -m mypy scripts/*.py tests/scripts/*.py || {
+$PYTHON -m mypy scripts tests/scripts || {
     echo >&2 "mypy reported errors in the parent repository"
     ret=1
 }

scripts/ci.requirements.txt

@@ -0,0 +1,11 @@
+# Python package requirements for Mbed TLS testing.
+
+# At the time of writing, only needed for scripts/audit-validity-dates.py.
+# It needs >=35.0.0 for correct operation, and that requires Python >=3.6.
+# >=35.0.0 also requires Rust to build from source, which we are forced to do on
+# FreeBSD, since PyPI doesn't carry binary wheels for the BSDs.
+cryptography >= 35.0.0; platform_system == 'Linux'
+
+# At the time of writing, only needed for
+# scripts/generate_server9_bad_saltlen.py.
+asn1crypto; platform_system == 'Linux'

scripts/ecp_comb_table.py

@@ -0,0 +1,237 @@
+#!/usr/bin/env python3
+"""
+Purpose
+
+This script dumps comb table of ec curve. When you add a new ec curve, you
+can use this script to generate codes to define `<curve>_T` in ecp_curves.c
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import os
+import subprocess
+import sys
+import tempfile
+
+HOW_TO_ADD_NEW_CURVE = """
+If you are trying to add new curve, you can follow these steps:
+
+1. Define curve parameters (<curve>_p, <curve>_gx, etc...) in ecp_curves.c.
+2. Add a macro to define <curve>_T to NULL following these parameters.
+3. Build mbedcrypto
+4. Run this script with an argument of new curve
+5. Copy the output of this script into ecp_curves.c and replace the macro added
+   in Step 2
+6. Rebuild and test if everything is ok
+
+Replace the <curve> in the above with the name of the curve you want to add."""
+
+CC = os.getenv('CC', 'cc')
+MBEDTLS_LIBRARY_PATH = os.getenv('MBEDTLS_LIBRARY_PATH', "library")
+
+SRC_DUMP_COMB_TABLE = r'''
+#include <stdio.h>
+#include <stdlib.h>
+#include "mbedtls/ecp.h"
+#include "mbedtls/error.h"
+
+static void dump_mpi_initialize( const char *name, const mbedtls_mpi *d )
+{
+    uint8_t buf[128] = {0};
+    size_t olen;
+    uint8_t *p;
+
+    olen = mbedtls_mpi_size( d );
+    mbedtls_mpi_write_binary_le( d, buf, olen );
+    printf("static const mbedtls_mpi_uint %s[] = {\n", name);
+    for (p = buf; p < buf + olen; p += 8) {
+        printf( "    BYTES_TO_T_UINT_8( 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X ),\n",
+                p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7] );
+    }
+    printf("};\n");
+}
+
+static void dump_T( const mbedtls_ecp_group *grp )
+{
+    char name[128];
+
+    printf( "#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1\n" );
+
+    for (size_t i = 0; i < grp->T_size; ++i) {
+        snprintf( name, sizeof(name), "%s_T_%zu_X", CURVE_NAME, i );
+        dump_mpi_initialize( name, &grp->T[i].X );
+
+        snprintf( name, sizeof(name), "%s_T_%zu_Y", CURVE_NAME, i );
+        dump_mpi_initialize( name, &grp->T[i].Y );
+    }
+    printf( "static const mbedtls_ecp_point %s_T[%zu] = {\n", CURVE_NAME, grp->T_size );
+    size_t olen;
+    for (size_t i = 0; i < grp->T_size; ++i) {
+        int z;
+        if ( mbedtls_mpi_cmp_int(&grp->T[i].Z, 0) == 0 ) {
+            z = 0;
+        } else if ( mbedtls_mpi_cmp_int(&grp->T[i].Z, 1) == 0 ) {
+            z = 1;
+        } else {
+            fprintf( stderr, "Unexpected value of Z (i = %d)\n", (int)i );
+            exit( 1 );
+        }
+        printf( "    ECP_POINT_INIT_XY_Z%d(%s_T_%zu_X, %s_T_%zu_Y),\n",
+                z,
+                CURVE_NAME, i,
+                CURVE_NAME, i
+        );
+    }
+    printf("};\n#endif\n\n");
+}
+
+int main()
+{
+    int rc;
+    mbedtls_mpi m;
+    mbedtls_ecp_point R;
+    mbedtls_ecp_group grp;
+
+    mbedtls_ecp_group_init( &grp );
+    rc = mbedtls_ecp_group_load( &grp, CURVE_ID );
+    if (rc != 0) {
+        char buf[100];
+        mbedtls_strerror( rc, buf, sizeof(buf) );
+        fprintf( stderr, "mbedtls_ecp_group_load: %s (-0x%x)\n", buf, -rc );
+        return 1;
+    }
+    grp.T = NULL;
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &m);
+    mbedtls_mpi_lset( &m, 1 );
+    rc = mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL );
+    if ( rc != 0 ) {
+        char buf[100];
+        mbedtls_strerror( rc, buf, sizeof(buf) );
+        fprintf( stderr, "mbedtls_ecp_mul: %s (-0x%x)\n", buf, -rc );
+        return 1;
+    }
+    if ( grp.T == NULL ) {
+        fprintf( stderr, "grp.T is not generated. Please make sure"
+                         "MBEDTLS_ECP_FIXED_POINT_OPTIM is enabled in mbedtls_config.h\n" );
+        return 1;
+    }
+    dump_T( &grp );
+    return 0;
+}
+'''
+
+SRC_DUMP_KNOWN_CURVE = r'''
+#include <stdio.h>
+#include <stdlib.h>
+#include "mbedtls/ecp.h"
+
+int main() {
+    const mbedtls_ecp_curve_info *info = mbedtls_ecp_curve_list();
+    mbedtls_ecp_group grp;
+
+    mbedtls_ecp_group_init( &grp );
+    while ( info->name != NULL ) {
+        mbedtls_ecp_group_load( &grp, info->grp_id );
+        if ( mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS ) {
+            printf( " %s", info->name );
+        }
+        info++;
+    }
+    printf( "\n" );
+    return 0;
+}
+'''
+
+
+def join_src_path(*args):
+    return os.path.normpath(os.path.join(os.path.dirname(__file__), "..", *args))
+
+
+def run_c_source(src, cflags):
+    """
+    Compile and run C source code
+    :param src: the c language code to run
+    :param cflags: additional cflags passing to compiler
+    :return:
+    """
+    binname = tempfile.mktemp(prefix="mbedtls")
+    fd, srcname = tempfile.mkstemp(prefix="mbedtls", suffix=".c")
+    srcfile = os.fdopen(fd, mode="w")
+    srcfile.write(src)
+    srcfile.close()
+    args = [CC,
+            *cflags,
+            '-I' + join_src_path("include"),
+            "-o", binname,
+            '-L' + MBEDTLS_LIBRARY_PATH,
+            srcname,
+            '-lmbedcrypto']
+
+    p = subprocess.run(args=args, check=False)
+    if p.returncode != 0:
+        return False
+    p = subprocess.run(args=[binname], check=False, env={
+        'LD_LIBRARY_PATH': MBEDTLS_LIBRARY_PATH
+    })
+    if p.returncode != 0:
+        return False
+    os.unlink(srcname)
+    os.unlink(binname)
+    return True
+
+
+def compute_curve(curve):
+    """compute comb table for curve"""
+    r = run_c_source(
+        SRC_DUMP_COMB_TABLE,
+        [
+            '-g',
+            '-DCURVE_ID=MBEDTLS_ECP_DP_%s' % curve.upper(),
+            '-DCURVE_NAME="%s"' % curve.lower(),
+        ])
+    if not r:
+        print("""\
+Unable to compile and run utility.""", file=sys.stderr)
+        sys.exit(1)
+
+
+def usage():
+    print("""
+Usage: python %s <curve>...
+
+Arguments:
+    curve       Specify one or more curve names (e.g secp256r1)
+
+All possible curves: """ % sys.argv[0])
+    run_c_source(SRC_DUMP_KNOWN_CURVE, [])
+    print("""
+Environment Variable:
+    CC          Specify which c compile to use to compile utility.
+    MBEDTLS_LIBRARY_PATH
+                Specify the path to mbedcrypto library. (e.g. build/library/)
+
+How to add a new curve: %s""" % HOW_TO_ADD_NEW_CURVE)
+
+
+def run_main():
+    shared_lib_path = os.path.normpath(os.path.join(MBEDTLS_LIBRARY_PATH, "libmbedcrypto.so"))
+    static_lib_path = os.path.normpath(os.path.join(MBEDTLS_LIBRARY_PATH, "libmbedcrypto.a"))
+    if not os.path.exists(shared_lib_path) and not os.path.exists(static_lib_path):
+        print("Warning: both '%s' and '%s' are not exists. This script will use "
+              "the library from your system instead of the library compiled by "
+              "this source directory.\n"
+              "You can specify library path using environment variable "
+              "'MBEDTLS_LIBRARY_PATH'." % (shared_lib_path, static_lib_path),
+              file=sys.stderr)
+
+    if len(sys.argv) <= 1:
+        usage()
+    else:
+        for curve in sys.argv[1:]:
+            compute_curve(curve)
+
+
+if __name__ == '__main__':
+    run_main()

scripts/gen_ctr_drbg.pl

@@ -0,0 +1,96 @@
+#!/usr/bin/env perl
+#
+# Based on NIST CTR_DRBG.rsp validation file
+# Only uses AES-256-CTR cases that use a Derivation function
+# and concats nonce and personalization for initialization.
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+use strict;
+
+my $file = shift;
+
+open(TEST_DATA, "$file") or die "Opening test cases '$file': $!";
+
+sub get_suite_val($)
+{
+    my $name = shift;
+    my $val = "";
+
+    my $line = <TEST_DATA>;
+    ($val) = ($line =~ /\[$name\s\=\s(\w+)\]/);
+
+    return $val;
+}
+
+sub get_val($)
+{
+    my $name = shift;
+    my $val = "";
+    my $line;
+
+    while($line = <TEST_DATA>)
+    {
+        next if($line !~ /=/);
+        last;
+    }
+
+    ($val) = ($line =~ /^$name = (\w+)/);
+
+    return $val;
+}
+
+my $cnt = 1;;
+while (my $line = <TEST_DATA>)
+{
+    next if ($line !~ /^\[AES-256 use df/);
+
+    my $PredictionResistanceStr = get_suite_val("PredictionResistance");
+    my $PredictionResistance = 0;
+    $PredictionResistance = 1 if ($PredictionResistanceStr eq 'True');
+    my $EntropyInputLen = get_suite_val("EntropyInputLen");
+    my $NonceLen = get_suite_val("NonceLen");
+    my $PersonalizationStringLen = get_suite_val("PersonalizationStringLen");
+    my $AdditionalInputLen = get_suite_val("AdditionalInputLen");
+
+    for ($cnt = 0; $cnt < 15; $cnt++)
+    {
+        my $Count = get_val("COUNT");
+        my $EntropyInput = get_val("EntropyInput");
+        my $Nonce = get_val("Nonce");
+        my $PersonalizationString = get_val("PersonalizationString");
+        my $AdditionalInput1 = get_val("AdditionalInput");
+        my $EntropyInputPR1 = get_val("EntropyInputPR") if ($PredictionResistance == 1);
+        my $EntropyInputReseed = get_val("EntropyInputReseed") if ($PredictionResistance == 0);
+        my $AdditionalInputReseed = get_val("AdditionalInputReseed") if ($PredictionResistance == 0);
+        my $AdditionalInput2 = get_val("AdditionalInput");
+        my $EntropyInputPR2 = get_val("EntropyInputPR") if ($PredictionResistance == 1);
+        my $ReturnedBits = get_val("ReturnedBits");
+
+        if ($PredictionResistance == 1)
+        {
+            print("CTR_DRBG NIST Validation (AES-256 use df,$PredictionResistanceStr,$EntropyInputLen,$NonceLen,$PersonalizationStringLen,$AdditionalInputLen) #$Count\n");
+            print("ctr_drbg_validate_pr");
+            print(":\"$Nonce$PersonalizationString\"");
+            print(":\"$EntropyInput$EntropyInputPR1$EntropyInputPR2\"");
+            print(":\"$AdditionalInput1\"");
+            print(":\"$AdditionalInput2\"");
+            print(":\"$ReturnedBits\"");
+            print("\n\n");
+        }
+        else
+        {
+            print("CTR_DRBG NIST Validation (AES-256 use df,$PredictionResistanceStr,$EntropyInputLen,$NonceLen,$PersonalizationStringLen,$AdditionalInputLen) #$Count\n");
+            print("ctr_drbg_validate_nopr");
+            print(":\"$Nonce$PersonalizationString\"");
+            print(":\"$EntropyInput$EntropyInputReseed\"");
+            print(":\"$AdditionalInput1\"");
+            print(":\"$AdditionalInputReseed\"");
+            print(":\"$AdditionalInput2\"");
+            print(":\"$ReturnedBits\"");
+            print("\n\n");
+        }
+    }
+}
+close(TEST_DATA);