From a1be1b8fbb3042e206dfc547ff39724c1a718ed3 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 30 Oct 2024 14:20:14 +0100
Subject: [PATCH 1/6] Remove ECJPAKE interoperability testing

We no longer have two (only partially distinct) implementations of ECJ-PAKE cipher suites in TLS, now that the non-MBEDTLS_USE_PSA_CRYPTO implementation is being removed. We may want to add this testing back in the future, but we'll have to use an old Mbed TLS instead of a differently-built one. https://github.com/Mbed-TLS/mbedtls/issues/9740

Signed-off-by: Gilles Peskine
---
 tests/scripts/components-configuration-tls.sh | 33 -------------------
 1 file changed, 33 deletions(-)

diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index b8834d6095..e01a5989df 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -184,39 +184,6 @@ component_test_config_thread () {
 tests/ssl-opt.sh -f 'ECJPAKE.*nolog'
 }

-# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
-# that we could use for interop testing. However, we now have sort of two
-# implementations ourselves: one using PSA, the other not. At least test that
-# these two interoperate with each other.
-component_test_tls1_2_ecjpake_compatibility () {
- msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
- scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
- # Explicitly make lib first to avoid a race condition:
- # https://github.com/Mbed-TLS/mbedtls/issues/8229
- make lib
- make -C programs ssl/ssl_server2 ssl/ssl_client2
- cp programs/ssl/ssl_server2 s2_no_use_psa
- cp programs/ssl/ssl_client2 c2_no_use_psa
-
- msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- make clean
- make lib
- make -C programs ssl/ssl_server2 ssl/ssl_client2
- make -C programs test/udp_proxy test/query_compile_time_config
-
- msg "test: server w/o USE_PSA - client w/ USE_PSA, text password"
- P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
- msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password"
- P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS"
- msg "test: client w/o USE_PSA - server w/ USE_PSA, text password"
- P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
- msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password"
- P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS"
-
- rm s2_no_use_psa c2_no_use_psa
-}
-
 component_test_tls1_2_ccm_psk () {
 msg "build: configs/config-ccm-psk-tls1_2.h"
 cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H"
From 5e443f983b01e72911c4c697156a320e2e40984d Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 24 Oct 2024 20:09:56 +0200
Subject: [PATCH 2/6] Remove direct requirements on MBEDTLS_USE_PSA_CRYPTO in ssl-opt.sh

Now that MBEDTLS_USE_PSA_CRYPTO is always on, we don't need to check for it. Also this is a step towards no longer expecting it to be reported by query_compile_time_config.

Signed-off-by: Gilles Peskine
---
 tests/ssl-opt.sh | 105 -----------------------------------------------
 1 file changed, 105 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e7eef1a702..f8a35006a8 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2270,7 +2270,6 @@ run_test "CA callback on server" \
 -C "error"

 # Test using an EC opaque private key for client authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_hash_alg SHA_256
@@ -2288,7 +2287,6 @@ run_test "Opaque key for client authentication: ECDHE-ECDSA" \
 -C "error"

 # Test using a RSA opaque private key for client authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -2306,7 +2304,6 @@ run_test "Opaque key for client authentication: ECDHE-RSA" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2325,7 +2322,6 @@ run_test "Opaque key for client authentication: DHE-RSA" \
 -C "error"

 # Test using an EC opaque private key for server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_hash_alg SHA_256
@@ -2341,7 +2337,6 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_hash_alg SHA_256
 run_test "Opaque key for server authentication: ECDH-" \
@@ -2357,7 +2352,6 @@ run_test "Opaque key for server authentication: ECDH-" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
 requires_hash_alg SHA_256
@@ -2372,7 +2366,6 @@ run_test "Opaque key for server authentication: invalid key: decrypt with ECC
 -c "error" \
 -c "Public key type mismatch"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_RSA_C
@@ -2389,7 +2382,6 @@ run_test "Opaque key for server authentication: invalid key: ecdh with RSA ke
 -c "error" \
 -c "Public key type mismatch"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
 requires_hash_alg SHA_256
@@ -2404,7 +2396,6 @@ run_test "Opaque key for server authentication: invalid alg: decrypt with ECC
 -s "error" \
 -c "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
@@ -2420,7 +2411,6 @@ run_test "Opaque key for server authentication: invalid alg: ecdh with RSA ke
 -s "error" \
 -c "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_hash_alg SHA_256
 run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
@@ -2434,7 +2424,6 @@ run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with
 -s "error" \
 -c "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_hash_alg SHA_256
@@ -2454,7 +2443,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs,
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_hash_alg SHA_384
 requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@@ -2473,7 +2461,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs,
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_hash_alg SHA_384
 requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@@ -2493,7 +2480,6 @@ run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA"
 -C "error"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2507,7 +2493,6 @@ run_test "TLS 1.3 opaque key: no suitable algorithm found" \
 -s "no suitable signature algorithm"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2521,7 +2506,6 @@ run_test "TLS 1.3 opaque key: suitable algorithm found" \
 -S "error"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2536,7 +2520,6 @@ run_test "TLS 1.3 opaque key: first client sig alg not suitable" \
 -S "error" \

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2550,7 +2533,6 @@ run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \
 -S "error" \

 # Test using a RSA opaque private key for server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -2567,7 +2549,6 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2583,7 +2564,6 @@ run_test "Opaque key for server authentication: DHE-RSA" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2600,7 +2580,6 @@ run_test "Opaque key for server authentication: RSA-PSK" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2615,7 +2594,6 @@ run_test "Opaque key for server authentication: RSA-" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2630,7 +2608,6 @@ run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1
 -s "error" \
 -c "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2651,7 +2628,6 @@ run_test "Opaque keys for server authentication: RSA keys with different algs
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_384
@@ -2672,7 +2648,6 @@ run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \
 -C "error"

 # Test using an EC opaque private key for client/server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_hash_alg SHA_256
@@ -2692,7 +2667,6 @@ run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \
 -C "error"

 # Test using a RSA opaque private key for client/server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -2712,7 +2686,6 @@ run_test "Opaque key for client/server authentication: ECDHE-RSA" \
 -S "error" \
 -C "error"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_hash_alg SHA_256
@@ -8594,7 +8567,6 @@ run_test "PSK callback: psk, no callback" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque psk on client, no callback" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8606,7 +8578,6 @@ run_test "PSK callback: opaque psk on client, no callback" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8618,7 +8589,6 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque psk on client, no callback, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8630,7 +8600,6 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8642,7 +8611,6 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque rsa-psk on client, no callback" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
@@ -8654,7 +8622,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8666,7 +8633,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
@@ -8678,7 +8644,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8690,7 +8655,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS"
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
@@ -8702,7 +8666,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8714,7 +8677,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8726,7 +8688,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8738,7 +8699,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque dhe-psk on client, no callback" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
@@ -8750,7 +8710,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8762,7 +8721,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8774,7 +8732,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \
 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8786,7 +8743,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS"
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8798,7 +8754,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8810,7 +8765,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8823,7 +8777,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8836,7 +8789,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \
 "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
 "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
@@ -8848,7 +8800,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8860,7 +8811,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8873,7 +8823,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8886,7 +8835,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \
 "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
 "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8898,7 +8846,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8910,7 +8857,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8923,7 +8869,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8936,7 +8881,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \
 "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
 "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8948,7 +8892,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8960,7 +8903,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8973,7 +8915,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8986,7 +8927,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8998,7 +8938,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -9010,7 +8949,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -9023,7 +8961,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -9036,7 +8973,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback" \
 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
@@ -9048,7 +8984,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, SHA-384" \
 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -9060,7 +8995,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS" \
 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -9073,7 +9007,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o
 -S "SSL - Unknown identity received" \
 -S "SSL - Verification of the message MAC failed"

-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
 run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS, SHA384" \
 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -9086,7 +9019,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback" \ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ @@ -9098,7 +9030,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, SHA-384" \ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ @@ -9110,7 +9041,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS" \ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ 
@@ -9123,7 +9053,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS, SHA384" \ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ @@ -9136,7 +9065,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback" \ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ @@ -9148,7 +9076,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, SHA-384" \ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ 
@@ -9160,7 +9087,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS" \ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ @@ -9173,7 +9099,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS, SHA384" \ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ @@ -9186,7 +9111,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \ "$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ 
@@ -9198,7 +9122,6 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -9210,7 +9133,6 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -9222,7 +9144,6 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ 
@@ -9234,7 +9155,6 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -9348,7 +9268,6 @@ run_test "ECJPAKE: working, TLS" \ -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "ECJPAKE: opaque password client+server, working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \ "$P_CLI debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1\ @@ -9370,7 +9289,6 @@ run_test "ECJPAKE: opaque password client+server, working, TLS" \ # Note: if the name of this test is changed, then please adjust the corresponding # filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh") requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "ECJPAKE: opaque password client only, working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1\ 
@@ -9392,7 +9310,6 @@ run_test "ECJPAKE: opaque password client only, working, TLS" \ # Note: if the name of this test is changed, then please adjust the corresponding # filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh") requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "ECJPAKE: opaque password server only, working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \ "$P_CLI debug_level=3 ecjpake_pw=bla\ @@ -9423,7 +9340,6 @@ run_test "ECJPAKE: password mismatch, TLS" \ server_needs_more_time 1 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "ECJPAKE_OPAQUE_PW: opaque password mismatch, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \ "$P_CLI debug_level=3 ecjpake_pw=bad ecjpake_pw_opaque=1 \ @@ -9839,7 +9755,6 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9895,7 +9810,6 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ 
@@ -9936,7 +9850,6 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9972,7 +9885,6 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -10003,7 +9915,6 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -13086,7 +12997,6 @@ run_test "TLS 1.3: Client authentication, client alg not in server list - gnu requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ 
@@ -13101,7 +13011,6 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ @@ -13116,7 +13025,6 @@ run_test "TLS 1.3: Client authentication - opaque key, no server middlebox co requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -13132,7 +13040,6 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ 
@@ -13147,7 +13054,6 @@ run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -13163,7 +13069,6 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -13178,7 +13083,6 @@ run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ 
@@ -13194,7 +13098,6 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -13210,7 +13113,6 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -13227,7 +13129,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -13243,7 +13144,6 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ 
@@ -13260,7 +13160,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -13276,7 +13175,6 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -13293,7 +13191,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -13309,7 +13206,6 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 
@@ -13327,7 +13223,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \ From fb31ebd6d59f70cf322d21b8e7ee0a3ff2d1ae8e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Oct 2024 20:14:16 +0200 Subject: [PATCH 3/6] Remove code for MBEDTLS_USE_PSA_CRYPTO disabled in ssl-opt.sh Now that MBEDTLS_USE_PSA_CRYPTO is always on, remove code that handles the case when it's disabled. Also this is a step towards no longer expecting it to be reported by query_compile_time_config. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 61 +++++++++++------------------------------------- 1 file changed, 13 insertions(+), 48 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f8a35006a8..dc0b3245f8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -422,29 +422,16 @@ requires_ciphersuite_enabled() { requires_cipher_enabled() { KEY_TYPE=$1 MODE=${2:-} - if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then - case "$KEY_TYPE" in - CHACHA20) - requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305 - requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20 - ;; - *) - requires_config_enabled PSA_WANT_ALG_${MODE} - requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE} - ;; - esac - else - case "$KEY_TYPE" in - CHACHA20) - requires_config_enabled MBEDTLS_CHACHA20_C - requires_config_enabled MBEDTLS_CHACHAPOLY_C - ;; - *) - requires_config_enabled MBEDTLS_${MODE}_C - requires_config_enabled MBEDTLS_${KEY_TYPE}_C - ;; - esac - fi + case "$KEY_TYPE" in + CHACHA20) + requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305 + requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20 + ;; + *) + requires_config_enabled PSA_WANT_ALG_${MODE} + requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE} + ;; + esac } # Automatically detect required features based on command line parameters. @@ -665,20 +652,7 @@ HAS_ALG_SHA_512="NO" check_for_hash_alg() { CURR_ALG="INVALID"; - USE_PSA="NO" - if is_config_enabled "MBEDTLS_USE_PSA_CRYPTO"; then - USE_PSA="YES"; - fi - if [ $USE_PSA = "YES" ]; then - CURR_ALG=PSA_WANT_ALG_${1} - else - CURR_ALG=MBEDTLS_${1}_C - # Remove the second underscore to match MBEDTLS_* naming convention - # MD5 is an exception to this convention - if [ "${1}" != "MD5" ]; then - CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2') - fi - fi + CURR_ALG=PSA_WANT_ALG_${1} case $CONFIGS_ENABLED in *" $CURR_ALG"[\ =]*) @@ -728,11 +702,7 @@ requires_hash_alg() { requires_pk_alg() { case $1 in ECDSA) - if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then - requires_config_enabled PSA_WANT_ALG_ECDSA - else - requires_config_enabled MBEDTLS_ECDSA_C - fi + requires_config_enabled PSA_WANT_ALG_ECDSA ;; *) echo "Unknown/unimplemented case $1 in requires_pk_alg" 
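Review bot: In the `*)` arm of `requires_cipher_enabled`, `PSA_WANT_ALG_${MODE}` is built from `MODE=${2:-}`, so a call that passes only a key type other than CHACHA20 asks for the bare symbol `PSA_WANT_ALG_`. That requirement can presumably never be met, so the test case would be skipped rather than reported as a mistake, and a cipher test that quietly stops running is easy to miss. With the legacy branch gone this is the only path, so it is worth failing loudly by making `: "${MODE:?requires_cipher_enabled: mode required for $KEY_TYPE}"` the first line of that arm. The two expansions should also be quoted, e.g. `requires_config_enabled "PSA_WANT_ALG_${MODE}"`.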
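Review bot: The initialisation `CURR_ALG="INVALID";` at the top of `check_for_hash_alg` is now dead, because the very next line assigns `CURR_ALG=PSA_WANT_ALG_${1}` unconditionally. Dropping it and quoting the expansion leaves one line, `CURR_ALG="PSA_WANT_ALG_${1}"`. The function body runs past the end of the hunk, so the `case` that consumes `CURR_ALG` is only partly visible here.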
@@ -1362,10 +1332,7 @@ set_maybe_calc_verify() { *) echo "Bad parameter 1 to set_maybe_calc_verify: $1"; exit 1;; esac esac - case $CONFIGS_ENABLED in - *\ MBEDTLS_USE_PSA_CRYPTO\ *) maybe_calc_verify="PSA calc verify";; - *) maybe_calc_verify="<= calc verify";; - esac + maybe_calc_verify="PSA calc verify" } # Compare file content @@ -1874,7 +1841,6 @@ run_test() { } run_test_psa() { - requires_config_enabled MBEDTLS_USE_PSA_CRYPTO set_maybe_calc_verify none run_test "PSA-supported ciphersuite: $1" \ "$P_SRV debug_level=3 force_version=tls12" \ @@ -1893,7 +1859,6 @@ run_test_psa() { } run_test_psa_force_curve() { - requires_config_enabled MBEDTLS_USE_PSA_CRYPTO set_maybe_calc_verify none run_test "PSA - ECDH with $1" \ "$P_SRV debug_level=4 force_version=tls12 groups=$1" \ From 005370f0bec9b50a8aec27cf1296dd131f373579 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Oct 2024 20:21:46 +0200 Subject: [PATCH 4/6] Skip "no USE_PSA" test cases in ssl-opt.sh These test cases are desirable, but they will fail until we resolve https://github.com/Mbed-TLS/mbedtls/issues/7294 . Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index dc0b3245f8..183f21a52e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -9701,10 +9701,23 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_ecdh_make_public.*4b00" \ -C "mbedtls_pk_sign.*4b00" +# The following test cases for restartable ECDH come in two variants: +# * The "(USE_PSA)" variant expects the current behavior, which is the behavior +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests +# the partial implementation where ECDH in TLS is not actually restartable. +# * The "(no USE_PSA)" variant expects the desired behavior. These test +# cases cannot currently pass because the implementation of restartable ECC +# in TLS is partial: ECDH is not actually restartable. This is the behavior +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. +# +# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, +# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test +# cases. + # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +skip_next_test run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9754,7 +9767,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +skip_next_test run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ 
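Review bot: The two bullets in the added comment block appear to have "enabled" and "disabled" swapped. The "(USE_PSA)" variant is described as the 3.x behaviour with MBEDTLS_USE_PSA_CRYPTO disabled, yet the context comment kept directly below says "With USE_PSA disabled we expect full restartable behaviour", which is the "(no USE_PSA)" case. I would end the first bullet with `from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled.` and the second with `from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled.`, moving that last sentence next to "expects the desired behavior" so it is not read as describing the partial implementation. In this hunk and the four later ones that switch to `skip_next_test` (-9754, -9794, -9834, -9864), the per-test comment "With USE_PSA disabled we expect full restartable behaviour" is stale now that the option cannot be disabled. Something like `# Desired behaviour; skipped until issue 7294 is resolved.` would keep the unconditional skip discoverable next to each test.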
@@ -9794,7 +9807,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA) # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +skip_next_test run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9834,7 +9847,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +skip_next_test run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9864,7 +9877,7 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +skip_next_test run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ From b434192dcb7e24254d18cb7fac4ea5a395c1202a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Oct 2024 20:43:01 +0200 Subject: [PATCH 5/6] Remove explicit setting of MBEDTLS_USE_PSA_CRYPTO Now that it's always on, this is no longer necessary. Also this is a step towards no longer being able to set it, because it soon won't be a selectable configuration option anymore. 
Signed-off-by: Gilles Peskine --- tests/scripts/components-configuration-crypto.sh | 11 ----------- tests/scripts/components-configuration-tls.sh | 3 --- 2 files changed, 14 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 6ee0f919d7..eaa0bcab99 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -187,7 +187,6 @@ component_test_no_ctr_drbg_use_psa () { msg "build: Full minus CTR_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make @@ -210,7 +209,6 @@ component_test_no_hmac_drbg_use_psa () { scripts/config.py full scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make @@ -255,7 +253,6 @@ component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -656,8 +653,6 @@ component_test_psa_crypto_config_accel_ecdsa () { # Start from default config + TLS 1.3 helper_libtestdriver1_adjust_config "default" - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable the module that's accelerated scripts/config.py unset MBEDTLS_ECDSA_C 
@@ -1428,12 +1423,6 @@ common_tfm_config () { echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" - # Other config adjustment to make the tests pass. - # This should probably be adopted upstream. - # - # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS - echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" - # Config adjustment for better test coverage in our environment. # This is not needed just to build and pass tests. # diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index e01a5989df..077d0a076c 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -57,7 +57,6 @@ component_test_no_renegotiation () { component_test_tls1_2_default_stream_cipher_only () { msg "build: default with only stream cipher use psa" - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM @@ -95,7 +94,6 @@ component_test_tls1_2_default_stream_cipher_only () { component_test_tls1_2_default_cbc_legacy_cipher_only () { msg "build: default with only CBC-legacy cipher use psa" - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM 
@@ -130,7 +128,6 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM From 9863b04dec129c2a2daebf8fd0c8e4caa1284b87 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Oct 2024 20:56:37 +0200 Subject: [PATCH 6/6] Make MBEDTLS_USE_PSA_CRYPTO no longer a selectable option The macro MBEDTLS_USE_PSA_CRYPTO is now always defined. It is no longer a configuration option. Signed-off-by: Gilles Peskine --- include/mbedtls/config_adjust_legacy_crypto.h | 14 +++++++++ include/mbedtls/mbedtls_config.h | 30 ------------------- 2 files changed, 14 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index d669f4cf76..40ef083045 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -48,6 +48,20 @@ #endif #endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */ + +/** + * \def MBEDTLS_USE_PSA_CRYPTO + * + * Make the X.509 and TLS libraries use PSA for cryptographic operations as + * much as possible, and enable new APIs for using keys handled by PSA Crypto. + * + * \note This is a legacy symbol which still exists for backward compatibility. + * Up to Mbed TLS 3.x, it was not enabled by default. Now it is always + * enabled, and it will eventually disappear from the code base. This + * is not part of the public API of TF-PSA-Crypto or of Mbed TLS >=4.0. + */ +#define MBEDTLS_USE_PSA_CRYPTO + /* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin * in PSA. */ #if defined(MBEDTLS_PSA_CRYPTO_C) && \ 
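Review bot: The doc block added above `#define MBEDTLS_USE_PSA_CRYPTO` in include/mbedtls/config_adjust_legacy_crypto.h drops the `psa_crypto_init()` requirement that the block removed from mbedtls_config.h stated as a `\warning`. With the macro now always defined, that requirement applies to every build, including applications whose configuration previously left the option off and may never have made the call. I would keep the caveat next to the definition, for example ` * \warning psa_crypto_init() must be called before any function from the SSL/TLS, X.509 or PK modules, except the mbedtls_xxx_init() functions.` The define is also unconditional, so a custom config file that still defines the macro with a non-empty value would presumably hit a redefinition diagnostic. Whether that case, or the dropped "Requires: MBEDTLS_PSA_CRYPTO_C" dependency, is checked elsewhere is not visible in this hunk.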
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index b204166de4..ba1dd42802 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1927,36 +1927,6 @@ */ //#define MBEDTLS_THREADING_PTHREAD -/** - * \def MBEDTLS_USE_PSA_CRYPTO - * - * Make the X.509 and TLS libraries use PSA for cryptographic operations as - * much as possible, and enable new APIs for using keys handled by PSA Crypto. - * - * \note Development of this option is currently in progress, and parts of Mbed - * TLS's X.509 and TLS modules are not ported to PSA yet. However, these parts - * will still continue to work as usual, so enabling this option should not - * break backwards compatibility. - * - * \warning If you enable this option, you need to call `psa_crypto_init()` - * before calling any function from the SSL/TLS, X.509 or PK modules, except - * for the various mbedtls_xxx_init() functions which can be called at any time. - * - * \note An important and desirable effect of this option is that it allows - * PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling - * this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in - * those modules. However, note that even with this option disabled, some code - * in PK, X.509, TLS or the crypto library might still use PSA drivers, if it - * can determine it's safe to do so; currently that's the case for hashes. - * - * \note See docs/use-psa-crypto.md for a complete description this option. - * - * Requires: MBEDTLS_PSA_CRYPTO_C. - * - * Uncomment this to enable internal use of PSA Crypto and new associated APIs. - */ -#define MBEDTLS_USE_PSA_CRYPTO - /** * \def MBEDTLS_PSA_CRYPTO_CONFIG *