From 6bcdd67f8321cef2e695220d4902a0ee2e0fbf58 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 2 Jun 2025 15:51:32 +0100 Subject: [PATCH] Update ssl progs to restore build Signed-off-by: Ben Taylor --- programs/ssl/ssl_client2.c | 65 ++++++++++++++++++++++++++++---- programs/ssl/ssl_server2.c | 76 +++++++++++++++++++++++++++++++++----- 2 files changed, 124 insertions(+), 17 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index b76055ed5b..d5e7fdf304 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -9,7 +9,9 @@ #include "ssl_test_lib.h" +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main(void) @@ -143,7 +145,7 @@ int main(void) #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -170,6 +172,7 @@ int main(void) " psk=%%s default: \"\" (disabled)\n" \ " The PSK values are in hex, without 0x.\n" \ " psk_identity=%%s default: \"Client_identity\"\n" +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -182,6 +185,7 @@ int main(void) " with prepopulated key slots instead of importing raw key material.\n" #else #define USAGE_PSK_SLOT "" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -305,9 +309,14 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#define USAGE_ECJPAKE \ + " ecjpake_pw=%%s default: none (disabled)\n" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -479,7 +488,9 @@ struct options { const char *crt_file; /* the file with the client certificate */ const char *key_file; /* the file with the client key */ int key_opaque; /* handle private key as if it were opaque */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -487,7 +498,9 @@ struct options { const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ const char *ecjpake_pw; /* the EC J-PAKE password */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ +#endif int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -811,12 +824,16 @@ int main(int argc, char *argv[]) const char *pers = "ssl_client2"; +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t alg = 0; psa_key_attributes_t key_attributes; #endif psa_status_t status; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) + psa_status_t status; +#endif rng_context_t rng; mbedtls_ssl_context ssl; @@ -833,7 +850,9 @@ int main(int argc, char *argv[]) mbedtls_x509_crt clicert; mbedtls_pk_context pkey; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; +#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ +#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ char *p, *q; const int *list; @@ -858,9 +877,10 @@ int main(int argc, char *argv[]) MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); @@ -887,6 +907,7 @@ int main(int argc, char *argv[]) memset((void *) alpn_list, 0, sizeof(alpn_list)); #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -894,6 +915,7 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -920,13 +942,17 @@ int main(int argc, char *argv[]) opt.key_opaque = DFL_KEY_OPAQUE; opt.key_pwd = DFL_KEY_PWD; opt.psk = DFL_PSK; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.ecjpake_pw = DFL_ECJPAKE_PW; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; +#endif opt.ec_max_ops = DFL_EC_MAX_OPS; opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -1101,7 +1127,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1126,9 +1152,11 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1139,9 +1167,11 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } +#endif else if (strcmp(p, "ec_max_ops") == 0) { opt.ec_max_ops = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { @@ -1470,6 +1500,7 @@ usage: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (opt.psk == NULL) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -1484,6 +1515,7 @@ usage: goto usage; } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -1518,6 +1550,7 @@ usage: } } +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -1529,6 +1562,7 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -1752,6 +1786,7 @@ usage: goto exit; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t usage = 0; @@ -1770,6 +1805,7 @@ usage: } } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key type: %s)\n", strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ? @@ -1970,6 +2006,7 @@ usage: #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { key_attributes = psa_key_attributes_init(); psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); @@ -1990,6 +2027,7 @@ usage: goto exit; } } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -2060,6 +2098,7 @@ usage: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -2085,6 +2124,7 @@ usage: } mbedtls_printf("using opaque password\n"); } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -3166,10 +3206,13 @@ exit: mbedtls_x509_crt_free(&clicert); mbedtls_x509_crt_free(&cacert); mbedtls_pk_free(&pkey); +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); +#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -3186,9 +3229,11 @@ exit: } } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && + MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -3207,8 +3252,9 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -3216,11 +3262,14 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ +#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); +#endif rng_free(&rng); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cb933e7e6d..639fe5616e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -53,7 +53,9 @@ int main(void) #include #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" +#endif #include "mbedtls/pk.h" #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) @@ -203,7 +205,7 @@ int main(void) #else #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -246,6 +248,7 @@ int main(void) " The PSK values are in hex, without 0x.\n" \ " id1,psk1[,id2,psk2[,...]]\n" \ " psk_identity=%%s default: \"Client_identity\"\n" +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -267,6 +270,7 @@ int main(void) " with prepopulated key slots instead of importing raw key material.\n" #else #define USAGE_PSK_SLOT "" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -415,9 +419,14 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#define USAGE_ECJPAKE \ + " ecjpake_pw=%%s default: none (disabled)\n" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -632,8 +641,10 @@ struct options { int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ int async_private_error; /* inject error in async private callback */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; int psk_list_opaque; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -641,7 +652,9 @@ struct options { const char *psk_identity; /* the pre-shared key identity */ char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ +#endif int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ @@ -949,7 +962,9 @@ struct _psk_entry { const char *name; size_t key_len; unsigned char key[MBEDTLS_PSK_MAX_LEN]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t slot; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ psk_entry *next; }; @@ -961,6 +976,7 @@ static int psk_free(psk_entry *head) psk_entry *next; while (head != NULL) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; mbedtls_svc_key_id_t const slot = head->slot; @@ -970,6 +986,7 @@ static int psk_free(psk_entry *head) return status; } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ next = head->next; mbedtls_free(head); @@ -1035,9 +1052,11 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, while (cur != NULL) { if (name_len == strlen(cur->name) && memcmp(name, cur->name, name_len) == 0) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) { return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); } else +#endif return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); } @@ -1283,6 +1302,7 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, psa_algorithm_t alg, @@ -1306,6 +1326,7 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, return PSA_SUCCESS; } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) static int report_cid_usage(mbedtls_ssl_context *ssl, @@ -1522,8 +1543,10 @@ int main(int argc, char *argv[]) io_ctx_t io_ctx; unsigned char *buf = 0; #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; psk_entry *psk_info = NULL; @@ -1551,8 +1574,10 @@ int main(int argc, char *argv[]) mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; +#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ +#endif int key_cert_init = 0, key_cert_init2 = 0; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1584,9 +1609,10 @@ int main(int argc, char *argv[]) unsigned char *context_buf = NULL; size_t context_buf_len = 0; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; @@ -1595,7 +1621,9 @@ int main(int argc, char *argv[]) int i; char *p, *q; const int *list; +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t status; +#endif unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_iv[8]; const char *eap_tls_label = "client EAP encryption"; @@ -1656,6 +1684,7 @@ int main(int argc, char *argv[]) mbedtls_ssl_cookie_init(&cookie_ctx); #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -1663,6 +1692,7 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -1701,15 +1731,19 @@ int main(int argc, char *argv[]) opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2; opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR; opt.psk = DFL_PSK; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; +#endif opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; @@ -1890,7 +1924,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1939,11 +1973,13 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } else if (strcmp(p, "psk_list_opaque") == 0) { opt.psk_list_opaque = atoi(q); } +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1956,9 +1992,11 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } +#endif else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); @@ -2329,6 +2367,7 @@ usage: goto exit; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (strlen(opt.psk) == 0) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -2358,6 +2397,7 @@ usage: goto usage; } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2387,6 +2427,7 @@ usage: opt.min_version = ciphersuite_info->min_tls_version; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -2398,6 +2439,7 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2690,6 +2732,7 @@ usage: #endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ } +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t psa_usage = 0; @@ -2725,6 +2768,7 @@ usage: } } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name(&pkey) : "none", @@ -3138,6 +3182,7 @@ usage: #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* The algorithm has already been determined earlier. */ status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len); @@ -3154,6 +3199,7 @@ usage: goto exit; } } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -3167,6 +3213,7 @@ usage: } if (opt.psk_list != NULL) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_list_opaque != 0) { psk_entry *cur_psk; for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) { @@ -3180,6 +3227,7 @@ usage: } } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info); } @@ -3336,6 +3384,7 @@ reset: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -3361,6 +3410,7 @@ reset: } mbedtls_printf("using opaque password\n"); } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -4203,9 +4253,11 @@ exit: mbedtls_pk_free(&pkey); mbedtls_x509_crt_free(&srvcert2); mbedtls_pk_free(&pkey2); +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); psa_destroy_key(key_slot2); #endif +#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) { @@ -4217,7 +4269,8 @@ exit: } #endif -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -4231,9 +4284,11 @@ exit: (int) status); } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && + MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -4252,8 +4307,9 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -4261,10 +4317,12 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } +#endif /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \ + && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif