lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-08 17:42:09 +03:00
Code Activity

restoring test comment that refer to USE_PSA

Browse Source 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
This commit is contained in:
Ben Taylor
2025-07-16 08:03:43 +01:00
parent 39a68bf347
commit 07687266b9
2 changed files with 38 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
tests/scripts/components-configuration-crypto.sh
View File

@@ -16,7 +16,7 @@ component_test_psa_crypto_key_id_encodes_owner () {
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make make
msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
make test make test
} }
@@ -188,16 +188,16 @@ component_test_no_ctr_drbg_use_psa () {
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make make
msg "test: Full minus CTR_DRBG- main suites" msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
make test make test
# In this configuration, the TLS test programs use HMAC_DRBG. # In this configuration, the TLS test programs use HMAC_DRBG.
# The SSL tests are slow, so run a small subset, just enough to get # The SSL tests are slow, so run a small subset, just enough to get
# confidence that the SSL code copes with HMAC_DRBG. # confidence that the SSL code copes with HMAC_DRBG.
msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)" msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
msg "test: Full minus CTR_DRBG - compat.sh (subset)" msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
} }
@@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () {
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make make
msg "test: Full minus HMAC_DRBG - main suites" msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
make test make test
# Normally our ECDSA implementation uses deterministic ECDSA. But since # Normally our ECDSA implementation uses deterministic ECDSA. But since
@@ -218,12 +218,12 @@ component_test_no_hmac_drbg_use_psa () {
# instead. # instead.
# Test SSL with non-deterministic ECDSA. Only test features that # Test SSL with non-deterministic ECDSA. Only test features that
# might be affected by how ECDSA signature is performed. # might be affected by how ECDSA signature is performed.
msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)" msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
tests/ssl-opt.sh -f 'Default\|SSL async private: sign' tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
# To save time, only test one protocol version, since this part of # To save time, only test one protocol version, since this part of
# the protocol is identical in (D)TLS up to 1.2. # the protocol is identical in (D)TLS up to 1.2.
msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)" msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
tests/compat.sh -m tls12 -t 'ECDSA' tests/compat.sh -m tls12 -t 'ECDSA'
} }
@@ -247,16 +247,16 @@ component_test_psa_external_rng_no_drbg_use_psa () {
} }
component_test_psa_external_rng_use_psa_crypto () { component_test_psa_external_rng_use_psa_crypto () {
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
scripts/config.py full scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_CTR_DRBG_C
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
make test make test
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
tests/ssl-opt.sh -f 'Default\|opaque' tests/ssl-opt.sh -f 'Default\|opaque'
} }
@@ -342,6 +342,7 @@ component_test_full_no_ccm () {
msg "build: full no PSA_WANT_ALG_CCM" msg "build: full no PSA_WANT_ALG_CCM"
# Full config enables: # Full config enables:
# - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
# - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
scripts/config.py full scripts/config.py full

42
tests/ssl-opt.sh
View File

@@ -9443,10 +9443,15 @@ run_test "EC restart: TLS, max_ops=65535" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)" -C "mbedtls_pk_sign.*\(4b00\|-248\)"
# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test
# cases.
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000" \ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \ "$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9457,9 +9462,11 @@ run_test "EC restart: TLS, max_ops=1000" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000" \ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \ "$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9470,7 +9477,8 @@ run_test "EC restart: TLS, max_ops=1000" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# We abort as soon as we determined the cert is bad. # This works the same with & without USE_PSA as we never get to ECDH:
# we abort as soon as we determined the cert is bad.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
run_test "EC restart: TLS, max_ops=1000, badsign" \ run_test "EC restart: TLS, max_ops=1000, badsign" \
@@ -9489,10 +9497,11 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \
-c "! mbedtls_ssl_handshake returned" \ -c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed" -c "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9508,11 +9517,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# We expect only partial restartable behaviour: # With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9528,10 +9537,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9547,11 +9557,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# We expect only partial restartable behaviour: # With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9567,10 +9577,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: DTLS, max_ops=1000" \ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9581,11 +9592,11 @@ run_test "EC restart: DTLS, max_ops=1000" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# We expect only partial restartable behaviour: # With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: DTLS, max_ops=1000" \ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9596,10 +9607,11 @@ run_test "EC restart: DTLS, max_ops=1000" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000 no client auth" \ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
"$P_SRV groups=secp256r1" \ "$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \ debug_level=1 ec_max_ops=1000" \
@@ -9610,11 +9622,11 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)" -C "mbedtls_pk_sign.*\(4b00\|-248\)"
# We expect only partial restartable behaviour: # With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000 no client auth" \ run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \
"$P_SRV groups=secp256r1" \ "$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \ debug_level=1 ec_max_ops=1000" \