From 39a68bf3472dce1c101bdd6ec5c9b424ea27a609 Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Tue, 15 Jul 2025 13:34:55 +0100
Subject: [PATCH] removed additional references to USE_PSA in tests and comments
Signed-off-by: Ben Taylor
---
 .../components-configuration-crypto.sh | 21 ++++----
 tests/ssl-opt.sh | 52 +++++++------------
 2 files changed, 30 insertions(+), 43 deletions(-)
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index da776e70b8..c78e53244d 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -16,7 +16,7 @@ component_test_psa_crypto_key_id_encodes_owner () {
 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
 make
- msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
+ msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
 make test
 }
@@ -188,16 +188,16 @@ component_test_no_ctr_drbg_use_psa () {
 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
 make
- msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
+ msg "test: Full minus CTR_DRBG- main suites"
 make test
 # In this configuration, the TLS test programs use HMAC_DRBG.
 # The SSL tests are slow, so run a small subset, just enough to get
 # confidence that the SSL code copes with HMAC_DRBG.
- msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
+ msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)"
 tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
- msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
+ msg "test: Full minus CTR_DRBG - compat.sh (subset)"
 tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
 }
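Review bot: The rewritten "main suites" message in the `@@ -188` hunk lost the space before the dash and now reads `"test: Full minus CTR_DRBG- main suites"`, unlike the two sibling messages in the same component; it should be `msg "test: Full minus CTR_DRBG - main suites"`. The enclosing function is still called `component_test_no_ctr_drbg_use_psa` (visible only in the hunk header, the body starts outside the hunk), so its name keeps the reference the messages just dropped. A rename would presumably affect whatever selects components by name, so it may be better handled in a separate change.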
@@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () {
 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
 make
- msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
+ msg "test: Full minus HMAC_DRBG - main suites"
 make test
 # Normally our ECDSA implementation uses deterministic ECDSA. But since
@@ -218,12 +218,12 @@ component_test_no_hmac_drbg_use_psa () {
 # instead.
 # Test SSL with non-deterministic ECDSA. Only test features that
 # might be affected by how ECDSA signature is performed.
- msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
+ msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)"
 tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
 # To save time, only test one protocol version, since this part of
 # the protocol is identical in (D)TLS up to 1.2.
- msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
+ msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)"
 tests/compat.sh -m tls12 -t 'ECDSA'
 }
@@ -247,16 +247,16 @@ component_test_psa_external_rng_no_drbg_use_psa () {
 }
 component_test_psa_external_rng_use_psa_crypto () {
- msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
+ msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
 scripts/config.py full
 scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 scripts/config.py unset MBEDTLS_CTR_DRBG_C
 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
- msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
+ msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
 make test
- msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
+ msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
 tests/ssl-opt.sh -f 'Default\|opaque'
 }
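Review bot: In `component_test_psa_external_rng_use_psa_crypto` (the `@@ -247` hunk) the `make test` step and the `tests/ssl-opt.sh` step still announce themselves with the identical line `msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"`, so the log does not show which stage a failure belongs to. Since both lines are rewritten here anyway, suffix them the way the neighbouring components do, for example `msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG - main suites"` and `msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG - ssl-opt.sh (subset)"`. The function name itself also still ends in `_use_psa_crypto`.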
@@ -342,7 +342,6 @@ component_test_full_no_ccm () {
 msg "build: full no PSA_WANT_ALG_CCM"
 # Full config enables:
- # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
 # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
 scripts/config.py full
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 36bde20bfc..201a788385 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9443,15 +9443,10 @@ run_test "EC restart: TLS, max_ops=65535" \
 -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
 -C "mbedtls_pk_sign.*\(4b00\|-248\)"
-# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
-# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test
-# cases.
-
-# With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
 skip_next_test
-run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
+run_test "EC restart: TLS, max_ops=1000" \
 "$P_SRV groups=secp256r1 auth_mode=required" \
 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9462,11 +9457,9 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
 -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
 -c "mbedtls_pk_sign.*\(4b00\|-248\)"
-# With USE_PSA enabled we expect only partial restartable behaviour:
-# everything except ECDH (where TLS calls PSA directly).
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
-requires_config_enabled PSA_WANT_ECC_SECP_R1_256
-run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+run_test "EC restart: TLS, max_ops=1000" \
 "$P_SRV groups=secp256r1 auth_mode=required" \
 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
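Review bot: After the rename, the skipped case in the `@@ -9443` hunk and the live case in the `@@ -9462` hunk both have the description `"EC restart: TLS, max_ops=1000"`, and the later hunks do the same to the `auth_mode=optional badsign`, `auth_mode=none badsign`, `DTLS` and `no client auth` pairs. Anything keyed on the description, such as the `-f` filter or per-test result records, can no longer tell the skipped variant (which expects `-c "mbedtls_ecdh_make_public..."`) from the one that runs (which expects `-C`), so a skipped expectation can be counted as exercised. The hunk also deletes the only comment tying `skip_next_test` to https://github.com/Mbed-TLS/mbedtls/issues/7294. Keep a distinguishing suffix such as `"EC restart: TLS, max_ops=1000 (full restart)"` on the skipped cases, plus a one-line comment above `skip_next_test` giving the reason, presumably `# Skipped until issue 7294 is resolved: full restartable behaviour is not available yet`. Each `run_test` call continues outside its hunk.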
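Review bot: The second guard in the `@@ -9462` hunk changes from `requires_config_enabled PSA_WANT_ECC_SECP_R1_256` to `requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED`, which the commit message does not mention and which no longer matches the guard kept on the skipped twin and on the `badsign` case. If that symbol is not defined in a given build, the guard silently skips the only variant of this test that still runs, and the restartable-ECC handshake checks lose coverage without any failure; the same swap recurs in the `@@ -9517`, `@@ -9557`, `@@ -9592` and `@@ -9622` hunks. Either keep `PSA_WANT_ECC_SECP_R1_256` or justify the change in the commit message. This hunk also drops the "partial restartable behaviour" comment outright, while the later hunks keep it reworded as `# We expect only partial restartable behaviour:`, so this live case loses the explanation for its `-C "mbedtls_ecdh_make_public..."` expectation.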
@@ -9477,8 +9470,7 @@ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
 -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
 -c "mbedtls_pk_sign.*\(4b00\|-248\)"
-# This works the same with & without USE_PSA as we never get to ECDH:
-# we abort as soon as we determined the cert is bad.
+# We abort as soon as we determined the cert is bad.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
 run_test "EC restart: TLS, max_ops=1000, badsign" \
@@ -9497,11 +9489,10 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \
 -c "! mbedtls_ssl_handshake returned" \
 -c "X509 - Certificate verification failed"
-# With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
 skip_next_test
-run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \
+run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
 "$P_SRV groups=secp256r1 auth_mode=required \
 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
 key_file=$DATA_FILES_PATH/server5.key" \
@@ -9517,11 +9508,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P
 -C "! mbedtls_ssl_handshake returned" \
 -C "X509 - Certificate verification failed"
-# With USE_PSA enabled we expect only partial restartable behaviour:
+# We expect only partial restartable behaviour:
 # everything except ECDH (where TLS calls PSA directly).
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
-requires_config_enabled PSA_WANT_ECC_SECP_R1_256
-run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
 "$P_SRV groups=secp256r1 auth_mode=required \
 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
 key_file=$DATA_FILES_PATH/server5.key" \
@@ -9537,11 +9528,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)
 -C "! mbedtls_ssl_handshake returned" \
 -C "X509 - Certificate verification failed"
-# With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
 skip_next_test
-run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \
+run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
 "$P_SRV groups=secp256r1 auth_mode=required \
 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
 key_file=$DATA_FILES_PATH/server5.key" \
@@ -9557,11 +9547,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)"
 -C "! mbedtls_ssl_handshake returned" \
 -C "X509 - Certificate verification failed"
-# With USE_PSA enabled we expect only partial restartable behaviour:
+# We expect only partial restartable behaviour:
 # everything except ECDH (where TLS calls PSA directly).
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
-requires_config_enabled PSA_WANT_ECC_SECP_R1_256
-run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
 "$P_SRV groups=secp256r1 auth_mode=required \
 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
 key_file=$DATA_FILES_PATH/server5.key" \
@@ -9577,11 +9567,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "X509 - Certificate verification failed"
-# With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
 skip_next_test
-run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
+run_test "EC restart: DTLS, max_ops=1000" \
 "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9592,11 +9581,11 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
 -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
 -c "mbedtls_pk_sign.*\(4b00\|-248\)"
-# With USE_PSA enabled we expect only partial restartable behaviour:
+# We expect only partial restartable behaviour:
 # everything except ECDH (where TLS calls PSA directly).
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
-requires_config_enabled PSA_WANT_ECC_SECP_R1_256
-run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+run_test "EC restart: DTLS, max_ops=1000" \
 "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9607,11 +9596,10 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
 -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
 -c "mbedtls_pk_sign.*\(4b00\|-248\)"
-# With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
 skip_next_test
-run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
+run_test "EC restart: TLS, max_ops=1000 no client auth" \
 "$P_SRV groups=secp256r1" \
 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
 debug_level=1 ec_max_ops=1000" \
@@ -9622,11 +9610,11 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
 -C "mbedtls_pk_sign.*\(4b00\|-248\)"
-# With USE_PSA enabled we expect only partial restartable behaviour:
+# We expect only partial restartable behaviour:
 # everything except ECDH (where TLS calls PSA directly).
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
-requires_config_enabled PSA_WANT_ECC_SECP_R1_256
-run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+run_test "EC restart: TLS, max_ops=1000 no client auth" \
 "$P_SRV groups=secp256r1" \
 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
 debug_level=1 ec_max_ops=1000" \