Update psa-arch-tests to v25.02_API1.8_CRYPTO_1.2.1

gilles-peskine-arm · gilles-peskine-arm · commit 587f31a269f5 · 2025-09-12T17:59:35.000+02:00
We can now test compliance with version 1.2 of the PSA Crypto API.

Signed-off-by: Gilles Peskine &lt;Gilles.Peskine@arm.com&gt;
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@ README for TF-PSA-Crypto
 ========================
 
 The TF-PSA-Crypto repository provides an implementation of the
-[PSA Cryptography API](https://arm-software.github.io/psa-api) (version 1.1).
+[PSA Cryptography API](https://arm-software.github.io/psa-api) (version 1.2).
 This encompasses the on-going extensions to the PSA Cryptography API (e.g. PAKE).
 
 The PSA Cryptography API implementation is organized around the
diff --git a/scripts/data_files/psa-arch-tests/pal_crypto_config.patch b/scripts/data_files/psa-arch-tests/pal_crypto_config.patch
@@ -1,5 +1,5 @@
 diff --git a/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h b/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h
-index c5a54a9..682b151 100644
+index dad40ec..8d19699 100644
 --- a/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h
 +++ b/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h
 @@ -53,7 +53,7 @@
@@ -11,21 +11,6 @@ index c5a54a9..682b151 100644
  #define ARCH_TEST_ECC_CURVE_SECP256R1
  #define ARCH_TEST_ECC_CURVE_SECP384R1
  
-@@ -79,10 +79,10 @@
-  *
-  * Comment macros to disable the types
-  */
--#define ARCH_TEST_DES
--#define ARCH_TEST_DES_1KEY
--#define ARCH_TEST_DES_2KEY
--#define ARCH_TEST_DES_3KEY
-+//#define ARCH_TEST_DES
-+//#define ARCH_TEST_DES_1KEY
-+//#define ARCH_TEST_DES_2KEY
-+//#define ARCH_TEST_DES_3KEY
- 
- /**
-  * \def  ARCH_TEST_RAW
 @@ -105,7 +105,7 @@
   *
   * Enable the ARC4 key type.
@@ -34,4 +19,65 @@ index c5a54a9..682b151 100644
 +//#define ARCH_TEST_ARC4
  
  /**
-  * \def ARCH_TEST_CIPHER_MODE_CTR
+  * \def ARCH_TEST_CHACHA20
+@@ -251,8 +251,8 @@
+  */
+ // #define ARCH_TEST_MD2
+ // #define ARCH_TEST_MD4
+-//#define ARCH_TEST_MD5
+-//#define ARCH_TEST_RIPEMD160
++#define ARCH_TEST_MD5
++#define ARCH_TEST_RIPEMD160
+ #define ARCH_TEST_SHA1
+ #define ARCH_TEST_SHA224
+ #define ARCH_TEST_SHA256
+@@ -260,10 +260,10 @@
+ #define ARCH_TEST_SHA512
+ // #define ARCH_TEST_SHA512_224
+ // #define ARCH_TEST_SHA512_256
+-// #define ARCH_TEST_SHA3_224
+-// #define ARCH_TEST_SHA3_256
+-// #define ARCH_TEST_SHA3_384
+-// #define ARCH_TEST_SHA3_512
++#define ARCH_TEST_SHA3_224
++#define ARCH_TEST_SHA3_256
++#define ARCH_TEST_SHA3_384
++#define ARCH_TEST_SHA3_512
+ 
+ /**
+  * \def ARCH_TEST_HKDF
+@@ -291,8 +291,8 @@
+  * Enable the NIST SP800-108 Counter mode KDF algorithm
+  *
+ */
+-#define ARCH_TEST_SP800_108_COUNTER_HMAC
+-#define ARCH_TEST_SP800_108_COUNTER_CMAC
++//#define ARCH_TEST_SP800_108_COUNTER_HMAC
++//#define ARCH_TEST_SP800_108_COUNTER_CMAC
+ 
+ /**
+  * \def ARCH_TEST_xMAC
+@@ -369,7 +369,7 @@
+  * Enable deterministic ECDSA (RFC 6979).
+ */
+ #define ARCH_TEST_DETERMINISTIC_ECDSA
+-#define ARCH_TEST_TWISTED_EDWARDS
++//#define ARCH_TEST_TWISTED_EDWARDS
+ 
+ /**
+  * \def ARCH_TEST_ECC_ASYMMETRIC_API_SUPPORT
+@@ -397,10 +397,10 @@
+  *
+  * Enable support for augmented PAKE: SPAKE2P algorithm
+  */
+-#define ARCH_TEST_SPAKE2P
+-#define ARCH_TEST_SPAKE2P_HMAC
+-#define ARCH_TEST_SPAKE2P_CMAC
+-#define ARCH_TEST_SPAKE2P_MATTER
++//#define ARCH_TEST_SPAKE2P
++//#define ARCH_TEST_SPAKE2P_HMAC
++//#define ARCH_TEST_SPAKE2P_CMAC
++//#define ARCH_TEST_SPAKE2P_MATTER
+ 
+ #include "pal_crypto_config_check.h"
+ 
diff --git a/scripts/data_files/psa-arch-tests/test_c080.patch b/scripts/data_files/psa-arch-tests/test_c080.patch
@@ -0,0 +1,17 @@
+Minimal fix for a build failure in test_c080.c (independently done
+upstream in 232fb5801273dbc97789cb9079f1168499e34a2a).
+
+diff --git a/api-tests/dev_apis/crypto/test_c080/test_c080.c b/api-tests/dev_apis/crypto/test_c080/test_c080.c
+index ae62705..345a802 100644
+--- a/api-tests/dev_apis/crypto/test_c080/test_c080.c
++++ b/api-tests/dev_apis/crypto/test_c080/test_c080.c
+@@ -85,7 +85,8 @@ int32_t psa_key_agreement_test(caller_security_t caller __UNUSED)
+         TEST_ASSERT_DUAL(status, check1[i].expected_status[0],
+                                  check1[i].expected_status[1], TEST_CHECKPOINT_NUM(4));
+ 
+-        if (check1[i].expected_status == PSA_SUCCESS)
++        if (check1[i].expected_status[0] == PSA_SUCCESS &&
++            check1[i].derv_type == PSA_KEY_TYPE_DERIVE)
+         {
+         /* Set up a key derivation operation */
+         status =  val->crypto_function(VAL_CRYPTO_KEY_DERIVATION_SETUP,
diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py
@@ -16,7 +16,7 @@
 import scripts_path # pylint: disable=unused-import
 from mbedtls_framework import psa_compliance
 
-PSA_ARCH_TESTS_REF = 'v23.06_API1.5_ADAC_EAC'
+PSA_ARCH_TESTS_REF = 'v25.02_API1.8_CRYPTO_1.2.1'
 
 # PSA Compliance tests we expect to fail due to known defects in Mbed TLS /
 # TF-PSA-Crypto (or the test suite).
