From 07687266b9f33d66b36885784cb9130e0ddb59ab Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 16 Jul 2025 08:03:43 +0100 Subject: [PATCH] restoring test comment that refer to USE_PSA Signed-off-by: Ben Taylor --- .../components-configuration-crypto.sh | 21 +++++----- tests/ssl-opt.sh | 42 ++++++++++++------- 2 files changed, 38 insertions(+), 25 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index c78e53244d..da776e70b8 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -16,7 +16,7 @@ component_test_psa_crypto_key_id_encodes_owner () { CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" + msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" make test } @@ -188,16 +188,16 @@ component_test_no_ctr_drbg_use_psa () { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: Full minus CTR_DRBG- main suites" + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" make test # In this configuration, the TLS test programs use HMAC_DRBG. # The SSL tests are slow, so run a small subset, just enough to get # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)" + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - msg "test: Full minus CTR_DRBG - compat.sh (subset)" + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } @@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: Full minus HMAC_DRBG - main suites" + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" make test # Normally our ECDSA implementation uses deterministic ECDSA. But since @@ -218,12 +218,12 @@ component_test_no_hmac_drbg_use_psa () { # instead. # Test SSL with non-deterministic ECDSA. Only test features that # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)" + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private: sign' # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)" + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" tests/compat.sh -m tls12 -t 'ECDSA' } @@ -247,16 +247,16 @@ component_test_psa_external_rng_no_drbg_use_psa () { } component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" make test - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" tests/ssl-opt.sh -f 'Default\|opaque' } @@ -342,6 +342,7 @@ component_test_full_no_ccm () { msg "build: full no PSA_WANT_ALG_CCM" # Full config enables: + # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated scripts/config.py full diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 201a788385..0cf9e23cc4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9443,10 +9443,15 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" +# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, +# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test +# cases. + +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000" \ +run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9457,9 +9462,11 @@ run_test "EC restart: TLS, max_ops=1000" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" +# With USE_PSA enabled we expect only partial restartable behaviour: +# everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000" \ +run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9470,7 +9477,8 @@ run_test "EC restart: TLS, max_ops=1000" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# We abort as soon as we determined the cert is bad. +# This works the same with & without USE_PSA as we never get to ECDH: +# we abort as soon as we determined the cert is bad. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, badsign" \ @@ -9489,10 +9497,11 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ -c "! mbedtls_ssl_handshake returned" \ -c "X509 - Certificate verification failed" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9508,11 +9517,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9528,10 +9537,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9547,11 +9557,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9567,10 +9577,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: DTLS, max_ops=1000" \ +run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9581,11 +9592,11 @@ run_test "EC restart: DTLS, max_ops=1000" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: DTLS, max_ops=1000" \ +run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9596,10 +9607,11 @@ run_test "EC restart: DTLS, max_ops=1000" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000 no client auth" \ +run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ debug_level=1 ec_max_ops=1000" \ @@ -9610,11 +9622,11 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000 no client auth" \ +run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ debug_level=1 ec_max_ops=1000" \