Support MBedTLS 3.5.1 (#184)

* Add in PSA Crypto Support and use MBedTLS 3.5.1 for Unit Tests * Change the CI to do the upload of coverage data if the build for it passes, some formatting tweaks, and add the coverage cop action.
FreeRTOS · Dec 11, 2023 · 8b5ec3b · 8b5ec3b
1 parent 6dd11e0
commit 8b5ec3b
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 18 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,7 +32,7 @@ jobs:
           make -C build/ all
 
       - name: Integration Tests
-        run:  ctest --test-dir build --output-on-failure | tee -a $GITHUB_STEP_SUMMARY
+        run:  ctest --test-dir build --output-on-failure
 
       - name: Archive Test Results
         if: success() || failure()
@@ -63,12 +63,12 @@ jobs:
           -DSYSTEM_TESTS=0 \
           -DCMAKE_C_FLAGS="${CFLAGS}"
           make -C build/ all
-          echo "::endgroup::"
 
+          echo "::endgroup::"
           echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}"
 
       - name: Run Unit Tests
-        run: ctest --test-dir build --output-on-failure | tee -a $GITHUB_STEP_SUMMARY
+        run: ctest --test-dir build --output-on-failure
 
   unit-tests:
     runs-on: ubuntu-latest
@@ -78,6 +78,8 @@ jobs:
 
       - env:
           stepName: Build corePKCS11 Unit Tests
+        id: build-unit-tests
+        shell: bash
         run: |
           # ${{ env.stepName }}
           echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
@@ -91,15 +93,20 @@ jobs:
           -DSYSTEM_TESTS=0 \
           -DCMAKE_C_FLAGS="${CFLAGS}"
           make -C build/ all
-          echo "::endgroup::"
 
+          echo "::endgroup::"
           echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}"
 
       - name: Run Unit Tests
-        run: ctest --test-dir build --output-on-failure | tee -a $GITHUB_STEP_SUMMARY
+        id: run-unit-tests
+        shell: bash
+        run: ctest --test-dir build --output-on-failure
 
       - env:
           stepName: Line and Branch Coverage Build
+        if: steps.build-unit-tests.outcome == 'success'
+        id: line-and-branch-coverage
+        shell: bash
         run: |
           # ${{ env.stepName }}
           echo -e "::group::${{ env.bashInfo }} Build Coverage Target ${{ env.bashEnd }}"
@@ -111,11 +118,21 @@ jobs:
           lcov --rc lcov_branch_coverage=1 -r build/coverage.info -o build/coverage.info '*test*' '*CMakeCCompilerId*' '*mocks*'
           echo "::endgroup::"
 
-          lcov --list build/coverage.info
+          lcov --rc lcov_branch_coverage=1 --list build/coverage.info
           echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}"
 
+
+      - env:
+          stepName: Check Coverage
+        uses: FreeRTOS/CI-CD-Github-Actions/coverage-cop@main
+        if: steps.build-unit-tests.outcome == 'success'
+        with:
+          coverage-file: ./build/coverage.info
+          line-coverage-min: 99
+          branch-coverage-min: 90
+
       - name: Archive Test Results
-        if: success() || failure()
+        if: steps.build-unit-tests.outcome == 'success'
         uses: actions/upload-artifact@v3
         with:
           name: unit_test_results
@@ -127,7 +144,7 @@ jobs:
             build/Testing/Temporary/LastTest.log
 
       - name: Upload coverage data to Codecov
-        if: success()
+        if: steps.build-unit-tests.outcome == 'success'
         uses: codecov/codecov-action@v3
         with:
           files: build/coverage.info

diff --git a/source/core_pkcs11.c b/source/core_pkcs11.c
@@ -25,6 +25,7 @@
 #include "core_pkcs11_config.h"
 #include "core_pkcs11_config_defaults.h"
 #include "core_pkcs11.h"
+#include "pkcs11t.h"
 
 /* C runtime includes. */
 #include <stdio.h>
@@ -172,6 +173,10 @@ CK_RV xInitializePKCS11( void )
     {
         xResult = pxFunctionList->C_Initialize( &xInitArgs );
     }
+    else
+    {
+        xResult = CKR_DEVICE_ERROR;
+    }
 
     return xResult;
 }

diff --git a/source/portable/mbedtls/core_pkcs11_mbedtls.c b/source/portable/mbedtls/core_pkcs11_mbedtls.c
@@ -35,13 +35,14 @@
 #include "core_pkcs11.h"
 #include "core_pkcs11_pal.h"
 #include "core_pki_utils.h"
+#include "pkcs11t.h"
 
 /**
  *  @brief Declaring MBEDTLS_ALLOW_PRIVATE_ACCESS allows access to mbedtls "private" fields.
  */
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
 
-/* mbedTLS includes. */
+/* MbedTLS includes. */
 #include "mbedtls/pk.h"
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/ctr_drbg.h"
@@ -52,6 +53,11 @@
 #include "mbedtls/threading.h"
 #include "mbedtls/error.h"
 
+#ifdef MBEDTLS_PSA_CRYPTO_C
+    #include "psa/crypto.h"
+    #include "psa/crypto_values.h"
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
 /* C runtime includes. */
 #include <string.h>
 
@@ -484,6 +490,26 @@ static CK_RV prvMbedTLS_Initialize( void )
     }
     else
     {
+        #ifdef MBEDTLS_PSA_CRYPTO_C
+            lMbedTLSResult = psa_crypto_init();
+
+            if( lMbedTLSResult != PSA_SUCCESS )
+            {
+                LogError( ( "Could not initialize PKCS #11. Failed to initialize PSA: MBedTLS error = %s : %s.",
+                            mbedtlsHighLevelCodeOrDefault( lMbedTLSResult ),
+                            mbedtlsLowLevelCodeOrDefault( lMbedTLSResult ) ) );
+                xResult = CKR_FUNCTION_FAILED;
+                /* MISRA Ref 10.5.1 [Essential type casting] */
+                /* More details at: https://github.com/FreeRTOS/corePKCS11/blob/main/MISRA.md#rule-105 */
+                /* coverity[misra_c_2012_rule_10_5_violation] */
+                xP11Context.xIsInitialized = ( CK_BBOOL ) CK_FALSE;
+            }
+            else
+            {
+                LogDebug( ( "MbedTLS PSA module was successfully initialized." ) );
+            }
+        #endif /* MBEDTLS_PSA_CRYPTO_C */
+
         /* MISRA Ref 10.5.1 [Essential type casting] */
         /* More details at: https://github.com/FreeRTOS/corePKCS11/blob/main/MISRA.md#rule-105 */
         /* coverity[misra_c_2012_rule_10_5_violation] */

diff --git a/source/portable/os/freertos_winsim/core_pkcs11_pal.c b/source/portable/os/freertos_winsim/core_pkcs11_pal.c
@@ -32,19 +32,27 @@
 
 /*-----------------------------------------------------------*/
 
+/* System Includes */
+#include <stdio.h>
+#include <string.h>
+
+#ifdef WIN32
+    #ifdef WIN32_LEAN_AND_MEAN
+        #include <winsock2.h>
+    #else
+        #include <winsock.h>
+    #endif /* WIN32_LEAN_AND_MEAN */
+#endif /* WIN32 */
+
+/* FreeRTOS Includes */
 #include "FreeRTOS.h"
+
+/* corePKCS11 Includes */
 #include "core_pkcs11.h"
 #include "core_pkcs11_config.h"
 #include "core_pkcs11_config_defaults.h"
-
-
-/* C runtime includes. */
-#include <stdio.h>
-#include <string.h>
-
 #include "core_pkcs11_pal_utils.h"
 
-
 /*-----------------------------------------------------------*/
 
 /**

diff --git a/test/wrapper_utest/core_pkcs11_utest.c b/test/wrapper_utest/core_pkcs11_utest.c
@@ -343,7 +343,7 @@ void test_IotPkcs11_xInitializePkcs11BadFunctionList( void )
     C_GetFunctionList_IgnoreAndReturn( CKR_ARGUMENTS_BAD );
     xResult = xInitializePKCS11();
 
-    TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
+    TEST_ASSERT_EQUAL( CKR_DEVICE_ERROR, xResult );
 }
 
 /*!

diff --git a/tools/mbedtls.cmake b/tools/mbedtls.cmake
@@ -52,7 +52,7 @@ if(NOT TARGET MbedTLS2_mbedtls)
     add_library(MbedTLS2::interface ALIAS MbedTLS2_interface)
 endif()
 
-set(MBEDTLS_3_VERSION 3.4.0)
+set(MBEDTLS_3_VERSION 3.5.1)
 
 FetchContent_Declare(
     mbedtls_3