lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-08 17:42:09 +03:00
Code Activity

removed additional references to USE_PSA in tests and comments

Browse Source 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
This commit is contained in:
Ben Taylor
2025-07-15 13:34:55 +01:00
parent cdc191b500
commit 39a68bf347
2 changed files with 30 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
tests/scripts/components-configuration-crypto.sh
View File

@@ -16,7 +16,7 @@ component_test_psa_crypto_key_id_encodes_owner () {
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make make
msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
make test make test
} }
@@ -188,16 +188,16 @@ component_test_no_ctr_drbg_use_psa () {
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make make
msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" msg "test: Full minus CTR_DRBG- main suites"
make test make test
# In this configuration, the TLS test programs use HMAC_DRBG. # In this configuration, the TLS test programs use HMAC_DRBG.
# The SSL tests are slow, so run a small subset, just enough to get # The SSL tests are slow, so run a small subset, just enough to get
# confidence that the SSL code copes with HMAC_DRBG. # confidence that the SSL code copes with HMAC_DRBG.
msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)"
tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" msg "test: Full minus CTR_DRBG - compat.sh (subset)"
tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
} }
@@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () {
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make make
msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" msg "test: Full minus HMAC_DRBG - main suites"
make test make test
# Normally our ECDSA implementation uses deterministic ECDSA. But since # Normally our ECDSA implementation uses deterministic ECDSA. But since
@@ -218,12 +218,12 @@ component_test_no_hmac_drbg_use_psa () {
# instead. # instead.
# Test SSL with non-deterministic ECDSA. Only test features that # Test SSL with non-deterministic ECDSA. Only test features that
# might be affected by how ECDSA signature is performed. # might be affected by how ECDSA signature is performed.
msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)"
tests/ssl-opt.sh -f 'Default\|SSL async private: sign' tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
# To save time, only test one protocol version, since this part of # To save time, only test one protocol version, since this part of
# the protocol is identical in (D)TLS up to 1.2. # the protocol is identical in (D)TLS up to 1.2.
msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)"
tests/compat.sh -m tls12 -t 'ECDSA' tests/compat.sh -m tls12 -t 'ECDSA'
} }
@@ -247,16 +247,16 @@ component_test_psa_external_rng_no_drbg_use_psa () {
} }
component_test_psa_external_rng_use_psa_crypto () { component_test_psa_external_rng_use_psa_crypto () {
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
scripts/config.py full scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_CTR_DRBG_C
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
make test make test
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
tests/ssl-opt.sh -f 'Default\|opaque' tests/ssl-opt.sh -f 'Default\|opaque'
} }
@@ -342,7 +342,6 @@ component_test_full_no_ccm () {
msg "build: full no PSA_WANT_ALG_CCM" msg "build: full no PSA_WANT_ALG_CCM"
# Full config enables: # Full config enables:
# - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
# - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
scripts/config.py full scripts/config.py full

52
tests/ssl-opt.sh
View File

@@ -9443,15 +9443,10 @@ run_test "EC restart: TLS, max_ops=65535" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)" -C "mbedtls_pk_sign.*\(4b00\|-248\)"
# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test
# cases.
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000" \
"$P_SRV groups=secp256r1 auth_mode=required" \ "$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9462,11 +9457,9 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000" \
"$P_SRV groups=secp256r1 auth_mode=required" \ "$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9477,8 +9470,7 @@ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# This works the same with & without USE_PSA as we never get to ECDH: # We abort as soon as we determined the cert is bad.
# we abort as soon as we determined the cert is bad.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
run_test "EC restart: TLS, max_ops=1000, badsign" \ run_test "EC restart: TLS, max_ops=1000, badsign" \
@@ -9497,11 +9489,10 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \
-c "! mbedtls_ssl_handshake returned" \ -c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed" -c "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9517,11 +9508,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# With USE_PSA enabled we expect only partial restartable behaviour: # We expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9537,11 +9528,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9557,11 +9547,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)"
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# With USE_PSA enabled we expect only partial restartable behaviour: # We expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
"$P_SRV groups=secp256r1 auth_mode=required \ "$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
@@ -9577,11 +9567,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ run_test "EC restart: DTLS, max_ops=1000" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9592,11 +9581,11 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour: # We expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ run_test "EC restart: DTLS, max_ops=1000" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9607,11 +9596,10 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" -c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test skip_next_test
run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000 no client auth" \
"$P_SRV groups=secp256r1" \ "$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \ debug_level=1 ec_max_ops=1000" \
@@ -9622,11 +9610,11 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)" -C "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour: # We expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly). # everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ run_test "EC restart: TLS, max_ops=1000 no client auth" \
"$P_SRV groups=secp256r1" \ "$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \ debug_level=1 ec_max_ops=1000" \