diff --git a/CMakeLists.txt b/CMakeLists.txt index a099356389..162373182b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -376,15 +376,11 @@ if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) endif() set(tf_psa_crypto_library_targets - ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto - ${TF_PSA_CRYPTO_TARGET_PREFIX}builtin - ${TF_PSA_CRYPTO_TARGET_PREFIX}everest - ${TF_PSA_CRYPTO_TARGET_PREFIX}p256m) + ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto) if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) list(APPEND tf_psa_crypto_library_targets - ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto_static - ${TF_PSA_CRYPTO_TARGET_PREFIX}builtin_static) + ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto_static) endif() foreach(target IN LISTS tf_psa_crypto_library_targets) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 22ddaa80fd..5e5a5b31db 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -64,7 +64,7 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - ( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) || \ + ( !defined(MBEDTLS_CAN_ECDH) || !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) ) #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites" #endif @@ -75,8 +75,8 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - ( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) || \ - !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) ) + ( !defined(MBEDTLS_CAN_ECDH) || !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \ + !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) ) #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" #endif 
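Review bot: In the `MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` check of `include/mbedtls/check_config.h` (hunk at -75), the new condition requires `PSA_WANT_ALG_RSA_PKCS1V15_CRYPT` in addition to `PSA_WANT_ALG_RSA_PKCS1V15_SIGN`. ECDHE-RSA uses the RSA key to sign the key-exchange parameters, so the encryption algorithm looks unnecessary. Keeping it means a build that drops RSA PKCS#1 v1.5 decryption to reduce padding-oracle exposure cannot enable this key exchange. If nothing behind this option depends on v1.5 decryption, the last condition line could read `!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) )`. That line is also much longer than its neighbours and would read better split with a `\` continuation.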
@@ -109,7 +109,7 @@ #endif #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ - ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) ) + ( !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || !defined(PSA_WANT_ALG_RSA_OAEP) ) #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" #endif @@ -130,7 +130,7 @@ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if !( (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \ defined(MBEDTLS_X509_CRT_PARSE_C) && \ - ( defined(PSA_HAVE_ALG_ECDSA_SIGN) || defined(MBEDTLS_PKCS1_V21) ) ) + ( defined(PSA_HAVE_ALG_ECDSA_SIGN) || defined(PSA_WANT_ALG_RSA_OAEP) ) ) #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites" #endif #endif diff --git a/pkgconfig/mbedcrypto.pc.in b/pkgconfig/mbedcrypto.pc.in index 28b9716b64..303f8852cd 100644 --- a/pkgconfig/mbedcrypto.pc.in +++ b/pkgconfig/mbedcrypto.pc.in @@ -7,4 +7,4 @@ Description: @PKGCONFIG_PROJECT_DESCRIPTION@ URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@ Version: @PROJECT_VERSION@ Cflags: -I"${includedir}" -Libs: -L"${libdir}" -ltfpsacrypto -lbuiltin -leverest -lp256m +Libs: -L"${libdir}" -ltfpsacrypto diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 429a04f7f5..132d53ec97 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
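Review bot: The `MBEDTLS_X509_RSASSA_PSS_SUPPORT` prerequisite (hunk at -109) now tests `PSA_WANT_ALG_RSA_OAEP`, but OAEP is the RSA encryption scheme, whereas RSASSA-PSS is the signature scheme selected by `PSA_WANT_ALG_RSA_PSS`. The old `MBEDTLS_PKCS1_V21` covered both, so the literal replacement lets a configuration with OAEP but without PSS pass this check, and rejects one that has PSS only. The condition should be `( !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || !defined(PSA_WANT_ALG_RSA_PSS) )`. The same substitution appears in the `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED` check (hunk at -130), where the RSA alternative to ECDSA signing should likewise be `defined(PSA_WANT_ALG_RSA_PSS)`. Separately, X.509 PSS support only verifies signatures, so a public-key requirement may be enough instead of `..._KEY_PAIR_BASIC`; worth confirming against the X.509 code.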
@@ -292,15 +292,15 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference): IGNORED_SUITES = [ # low-level (block/stream) cipher modules 'aes', 'aria', 'camellia', 'des', 'chacha20', - # AEAD modes and CMAC - 'ccm', 'chachapoly', 'cmac', 'gcm', + # AEAD modes, CMAC and POLY1305 + 'ccm', 'chachapoly', 'cmac', 'gcm', 'poly1305', # The Cipher abstraction layer 'cipher', ] IGNORED_TESTS = { 'test_suite_config': [ re.compile(r'.*\bMBEDTLS_(AES|ARIA|CAMELLIA|CHACHA20|DES)_.*'), - re.compile(r'.*\bMBEDTLS_(CCM|CHACHAPOLY|CMAC|GCM)_.*'), + re.compile(r'.*\bMBEDTLS_(CCM|CHACHAPOLY|CMAC|GCM|POLY1305)_.*'), re.compile(r'.*\bMBEDTLS_AES(\w+)_C\b.*'), re.compile(r'.*\bMBEDTLS_CIPHER_.*'), ], @@ -568,6 +568,10 @@ class DriverVSReference_rsa(outcome_analysis.DriverVSReference): 'pk', 'pkwrite', 'pkparse' ] IGNORED_TESTS = { + 'test_suite_bignum.misc': [ + re.compile(r'.*\bmbedtls_mpi_is_prime.*'), + re.compile(r'.*\bmbedtls_mpi_gen_prime.*'), + ], 'test_suite_config': [ re.compile(r'.*\bMBEDTLS_(PKCS1|RSA)_.*'), re.compile(r'.*\bMBEDTLS_GENPRIME\b.*') diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 43c30a2bb7..bb0375add1 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1429,6 +1429,7 @@ config_psa_crypto_accel_rsa () { scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_PKCS1_V15 scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_GENPRIME # We need PEM parsing in the test library as well to support the import # of PEM encoded RSA keys. 
@@ -1817,6 +1818,7 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { scripts/config.py unset MBEDTLS_ARIA_C scripts/config.py unset MBEDTLS_CHACHA20_C scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_POLY1305_C # Disable DES, if it still exists. # This can be removed once we remove DES from the library. @@ -1842,6 +1844,7 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o + not grep mbedtls_poly1305 ${BUILTIN_SRC_PATH}/poly1305.o # Run the tests # ------------- @@ -1850,7 +1853,8 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { make test msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" - tests/ssl-opt.sh + # Exclude password-protected key tests — they require built-in CBC and AES. + tests/ssl-opt.sh -e "TLS: password protected" msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" tests/compat.sh -V NO -p mbedTLS @@ -1870,7 +1874,8 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { make test msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" - tests/ssl-opt.sh + # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. + tests/ssl-opt.sh -e "TLS: password protected" msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" tests/compat.sh -V NO -p mbedTLS 
@@ -2499,7 +2504,7 @@ component_build_psa_config_file () { echo '#error "TF_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" # Make sure this feature is enabled. We'll disable it in the next phase. - programs/test/query_compile_time_config MBEDTLS_CMAC_C + programs/test/query_compile_time_config PSA_WANT_ALG_CMAC make clean msg "build: make with TF_PSA_CRYPTO_CONFIG_FILE + TF_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s @@ -2510,7 +2515,7 @@ component_build_psa_config_file () { echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" - not programs/test/query_compile_time_config MBEDTLS_CMAC_C + not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC rm -f psa_test_config.h psa_user_config.h } @@ -2545,3 +2550,18 @@ component_test_min_mpi_window_size () { msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s make test } + +component_test_xts () { + # Component dedicated to run XTS unit test cases while XTS is not + # supported through the PSA API. + msg "build: Default + MBEDTLS_CIPHER_MODE_XTS" + + echo "#define MBEDTLS_CIPHER_MODE_XTS" > psa_user_config.h + cmake -DTF_PSA_CRYPTO_USER_CONFIG_FILE="psa_user_config.h" + make + + rm -f psa_user_config.h + + msg "test: Default + MBEDTLS_CIPHER_MODE_XTS" + make test +} diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 0cb55377a7..7fccb2006f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
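Review bot: In the new `component_test_xts` (hunk at -2545), `cmake` is invoked without a source directory. Recent CMake releases only warn about this and assume the current directory, and the warning says it will become a fatal error; the line should be `cmake -DTF_PSA_CRYPTO_USER_CONFIG_FILE="psa_user_config.h" .`. The config file is passed as a bare relative name, so the build only finds it if that name resolves against the directory where the compiler runs; passing `"$PWD/psa_user_config.h"` would remove the guesswork. `rm -f psa_user_config.h` runs before `make test`, which is fine as long as `make test` never triggers a rebuild; moving the `rm` after `make test` avoids depending on that. Separately, in `component_build_psa_config_file` (hunk at -2510) the query now checks `PSA_WANT_ALG_CMAC`, but the visible context still writes `#undef MBEDTLS_CMAC_C`. If no `#undef PSA_WANT_ALG_CMAC` precedes it outside the hunk, the `not` assertion is no longer tied to what the user config disables.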
@@ -109,6 +109,12 @@ def set_config_option_value(conf, option, colors, value: Union[bool, str]): value can be either True/False (set/unset config option), or a string, which will make a symbol defined with a certain value.""" if not option_exists(conf, option): + if value is False: + log_line( + f'Warning, disabling {option} that does not exist in {conf.filename}', + color=colors.cyan + ) + return True log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) return False diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5b2425bf55..c667cd14bd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -559,7 +559,7 @@ detect_required_features() { # we aren't currently running ssl-opt.sh in configurations # where partial RSA support is a problem, so generically, we # just require RSA and it works out for our tests so far. - requires_config_enabled "MBEDTLS_RSA_C" + requires_config_enabled "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" esac unset tmp @@ -2201,8 +2201,7 @@ trap cleanup INT TERM HUP # - the expected parameters are selected requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 requires_hash_alg SHA_512 # "signature_algorithm ext: 6" -requires_any_configs_enabled MBEDTLS_ECP_DP_CURVE25519_ENABLED \ - PSA_WANT_ECC_MONTGOMERY_255 +requires_config_enabled PSA_WANT_ECC_MONTGOMERY_255 run_test "Default, TLS 1.2" \ "$P_SRV debug_level=3" \ "$P_CLI force_version=tls12" \ 
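Review bot: The new early `return True` in `set_config_option_value` (tests/scripts/depends.py) reports success whenever an unknown option is being disabled. A misspelled symbol in an exclusion list is therefore no longer caught: the job logs a cyan line and then builds a configuration that still has the feature enabled, so the reduced-configuration coverage is silently lost. I would restrict the tolerant path to an explicit set of options known to have been removed, for example `if value is False and option in <set of removed legacy options>:` (the set name is for the author to choose), and keep the red "not found" error for everything else. The docstring above the branch should also state that disabling a non-existent option is treated as success, since callers rely on the boolean result. The function body continues outside the hunk.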
@@ -2245,9 +2244,10 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM -# module does not support PSA dispatching so we need builtin support. -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_enabled MBEDTLS_AES_C +# module does not support PSA dispatching so we need builtin support. With the +# removal of the legacy cryptography configuration options, there is currently +# no way to express this dependency. This test fails if run in a configuration +# where the built-in implementation of CBC or AES is not present. requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected client key" \ @@ -2257,9 +2257,10 @@ run_test "TLS: password protected client key" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM -# module does not support PSA dispatching so we need builtin support. -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_enabled MBEDTLS_AES_C +# module does not support PSA dispatching so we need builtin support. With the +# removal of the legacy cryptography configuration options, there is currently +# no way to express this dependency. This test fails if run in a configuration +# where the built-in implementation of CBC or AES is not present. requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected server key" \ 
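Review bot: With the two `requires_config_enabled` lines removed, the three "TLS: password protected ..." tests (this hunk and the next one at -2268) fail rather than skip when built-in AES/CBC is absent, and the replacement comment does not tell the reader what to do about it. This commit handles it in `components-configuration-crypto.sh` by passing `-e "TLS: password protected"`, and the comment should say so, e.g. append `# Components without built-in AES/CBC must exclude these tests with: ssl-opt.sh -e "TLS: password protected"`. The same four-line comment is repeated three times; stating it once above the first test and referring to it from the other two would leave a single place to update once the dependency can be expressed again.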
@@ -2268,11 +2269,12 @@ run_test "TLS: password protected server key" \ 0 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM -# module does not support PSA dispatching so we need builtin support. -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_enabled MBEDTLS_AES_C +# module does not support PSA dispatching so we need builtin support. With the +# removal of the legacy cryptography configuration options, there is currently +# no way to express this dependency. This test fails if run in a configuration +# where the built-in implementation of CBC or AES is not present. requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected server key, two certificates" \ @@ -2321,7 +2323,7 @@ run_test "Opaque key for client authentication: ECDHE-ECDSA" \ # Test using a RSA opaque private key for client authentication requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client authentication: ECDHE-RSA" \ @@ -2370,7 +2372,7 @@ run_test "Opaque key for server authentication: ECDH-" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \ 
@@ -2385,7 +2387,7 @@ run_test "Opaque key for server authentication: invalid key: ecdh with RSA ke -c "Public key type mismatch" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \ @@ -2468,7 +2470,7 @@ run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: no suitable algorithm found" \ @@ -2481,7 +2483,7 @@ run_test "TLS 1.3 opaque key: no suitable algorithm found" \ -s "no suitable signature algorithm" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: suitable algorithm found" \ @@ -2494,7 +2496,7 @@ run_test "TLS 1.3 opaque key: suitable algorithm found" \ -S "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: first client sig alg not suitable" \ 
@@ -2508,7 +2510,7 @@ run_test "TLS 1.3 opaque key: first client sig alg not suitable" \ -S "error" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \ @@ -2522,7 +2524,7 @@ run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \ # Test using a RSA opaque private key for server authentication requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDHE-RSA" \ @@ -2538,7 +2540,7 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \ -C "error" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED run_test "Opaque key for server authentication: ECDHE-RSA, PSS instead of PKCS1" \ @@ -2553,7 +2555,7 @@ run_test "Opaque key for server authentication: ECDHE-RSA, PSS instead of PKC -c "error" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 
@@ -2573,7 +2575,7 @@ run_test "Opaque keys for server authentication: RSA keys with different algs -C "error" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -2613,7 +2615,7 @@ run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \ # Test using a RSA opaque private key for client/server authentication requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED run_test "Opaque key for client/server authentication: ECDHE-RSA" \ @@ -2682,8 +2684,7 @@ run_test "Unique IV in GCM" \ -U "IV used" # Test for correctness of sent single supported algorithm -requires_any_configs_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED \ - PSA_WANT_ECC_SECP_R1_256 +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2698,8 +2699,7 @@ run_test "Single supported algorithm sending: mbedtls client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_SRV_C -requires_any_configs_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED \ - PSA_WANT_ECC_SECP_R1_256 +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_hash_alg SHA_256 run_test "Single supported algorithm sending: openssl client" \ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \ 
@@ -2748,7 +2748,7 @@ run_test "SHA-256 allowed by default in server certificate" \ 0 requires_hash_alg SHA_1 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \ @@ -2756,13 +2756,13 @@ run_test "SHA-1 forbidden by default in client certificate" \ -s "The certificate is signed with an unacceptable hash" requires_hash_alg SHA_1 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC run_test "SHA-1 explicitly allowed in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=1" \ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \ 0 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 run_test "SHA-256 allowed by default in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \ @@ -9405,7 +9405,7 @@ run_test "Large server packet TLS 1.3 AEAD shorter tag" \ # Force the use of a curve that supports restartable ECC (secp256r1). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, default" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ 
@@ -9418,7 +9418,7 @@ run_test "EC restart: TLS, default" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=0" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9431,7 +9431,7 @@ run_test "EC restart: TLS, max_ops=0" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=65535" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9458,7 +9458,7 @@ run_test "EC restart: TLS, max_ops=65535" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ @@ -9474,7 +9474,7 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ 
@@ -9489,7 +9489,7 @@ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ # This works the same with & without USE_PSA as we never get to ECDH: # we abort as soon as we determined the cert is bad. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9508,7 +9508,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ @@ -9529,7 +9529,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9548,7 +9548,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA) # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ 
@@ -9569,7 +9569,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9588,7 +9588,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ @@ -9604,7 +9604,7 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9618,7 +9618,7 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ "$P_SRV groups=secp256r1" \ 
@@ -9634,7 +9634,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9650,7 +9650,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ # This is the same as "EC restart: TLS, max_ops=1000" except with ECDHE-RSA, # and all 4 assertions negated. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, ECDHE-RSA" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \ @@ -10187,7 +10187,7 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ # All those tests assume MAX_CONTENT_LEN is at least 2048 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10208,7 +10208,7 @@ run_test "DTLS fragmenting: none (for reference)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 
@@ -10233,7 +10233,7 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ # test can't be replicated with an MTU proxy such as the one # `client-initiated, server only (max_frag_len)` below. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10254,7 +10254,7 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10282,7 +10282,7 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ # The next test checks that no datagrams significantly larger than the # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10304,7 +10304,7 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 
@@ -10332,7 +10332,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ # The next test checks that no datagrams significantly larger than the # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10354,7 +10354,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: none (for reference) (MTU)" \ @@ -10374,7 +10374,7 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client (MTU)" \ @@ -10394,7 +10394,7 @@ run_test "DTLS fragmenting: client (MTU)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server (MTU)" \ @@ -10414,7 +10414,7 @@ run_test "DTLS fragmenting: server (MTU)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: both (MTU=1024)" \ 
@@ -10436,7 +10436,7 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=512)" \ @@ -10465,7 +10465,7 @@ run_test "DTLS fragmenting: both (MTU=512)" \ # hence the ratio of 8. not_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ -p "$P_PXY mtu=508" \ @@ -10486,7 +10486,7 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ # Forcing ciphersuite for this test to fit the MTU of 508 with full config. only_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ -p "$P_PXY mtu=508" \ @@ -10509,7 +10509,7 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ # a HelloVerifyRequest, so only check for no retransmission server-side not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ 
@@ -10536,7 +10536,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
 # a HelloVerifyRequest, so only check for no retransmission server-side
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
 -p "$P_PXY mtu=512" \
@@ -10559,7 +10559,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_max_content_len 2048
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
@@ -10583,7 +10583,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
 # Forcing ciphersuite for this test to fit the MTU of 512 with full config.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
 -p "$P_PXY mtu=512" \
@@ -10616,7 +10616,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
 # resumed listening, which would result in a spurious autoreduction.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
 -p "$P_PXY mtu=1450" \
@@ -10641,7 +10641,7 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
 # slow to reset, therefore omitting '-C "autoreduction"' below.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_hash_alg SHA_256
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 requires_max_content_len 2048
@@ -10670,7 +10670,7 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
 # slow to reset, therefore omitting '-C "autoreduction"' below.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_hash_alg SHA_256
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 requires_max_content_len 2048
@@ -10699,7 +10699,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
 # slow to reset, therefore omitting '-C "autoreduction"' below.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_hash_alg SHA_256
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 requires_max_content_len 2048
@@ -10728,7 +10728,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
 # slow to reset, therefore omitting '-C "autoreduction"' below.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_hash_alg SHA_256
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -10758,7 +10758,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
 # slow to reset, therefore omitting '-C "autoreduction"' below.
 not_with_valgrind # spurious autoreduction due to timeout
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_hash_alg SHA_256
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 requires_max_content_len 2048
@@ -10785,7 +10785,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
 # Forcing ciphersuite for this test to fit the MTU of 512 with full config.
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 client_needs_more_time 2
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU + 3d" \
@@ -10806,7 +10806,7 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \
 # Forcing ciphersuite for this test to fit the MTU of 512 with full config.
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 client_needs_more_time 2
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
@@ -10830,7 +10830,7 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
 # here and below we just want to test that the we fragment in a way that
 # pleases other implementations, so we don't need the peer to fragment
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_gnutls
 requires_max_content_len 2048
 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
@@ -10851,7 +10851,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
 # certificate validation fail, but passing --insecure makes
 # GnuTLS continue the connection nonetheless.
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_gnutls
 requires_not_i686
 requires_max_content_len 2048
@@ -10865,7 +10865,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
 -s "fragmenting handshake message"
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
 "$O_SRV -dtls1_2 -verify 10" \
@@ -10878,7 +10878,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
 -C "error"
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
 "$P_SRV dtls=1 debug_level=2 \
@@ -10895,7 +10895,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
 # pleases other implementations, so we don't need the peer to fragment
 requires_gnutls_next
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 client_needs_more_time 4
 requires_max_content_len 2048
 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
@@ -10911,7 +10911,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
 requires_gnutls_next
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 client_needs_more_time 4
 requires_max_content_len 2048
 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
@@ -10928,7 +10928,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
 ## it might trigger a bug due to openssl server (https://github.com/openssl/openssl/issues/6902)
 requires_openssl_next
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 client_needs_more_time 4
 requires_max_content_len 2048
 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
@@ -10946,7 +10946,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
 ## The cause is an openssl bug (https://github.com/openssl/openssl/issues/18887)
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 client_needs_more_time 4
 requires_max_content_len 2048
 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
@@ -12466,7 +12466,7 @@ run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -12482,7 +12482,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
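Review bot: The guard on the TLS 1.3 client-authentication tests named after rsa_pss_rsae_* (the hunks at -12466 and -12482, and the matching ones up to -12785, including the opaque-key variants) names only the RSA key type, not the RSA-PSS signature algorithm the test name says is exercised. Unless something outside these hunks already requires it, a build with RSA key pairs enabled but PSS disabled would run and fail these tests instead of skipping them; the legacy `MBEDTLS_RSA_C` guard had the same gap, so the change carries it over rather than introducing it. Consider adding `requires_config_enabled PSA_WANT_ALG_RSA_PSS` directly after the changed line in each of those hunks. The run_test invocations continue past the hunks, so the client's certificate and sig_algs options are not visible here and should be checked against the guard list.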
@@ -12497,7 +12497,7 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -12513,7 +12513,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -12528,7 +12528,7 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -12544,7 +12544,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -12559,7 +12559,7 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, client alg not in server list - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
@@ -12576,7 +12576,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication, client alg not in server list - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
@@ -12707,7 +12707,7 @@ run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -12723,7 +12723,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -12738,7 +12738,7 @@ run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 -
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -12754,7 +12754,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -12769,7 +12769,7 @@ run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 -
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -12785,7 +12785,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -12800,7 +12800,7 @@ run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 -
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \
 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
@@ -12817,7 +12817,7 @@ requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \
 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \