From c1d9531c561e1cd286eef141ef5450d05f568bb6 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 19 Jun 2025 14:16:32 +0200 Subject: [PATCH 01/14] Do not link against builtin/everest/p256m libraries anymore Following the move of all crypto code to the tfpsacrypto library, do not link against the driver libraries anymore. Signed-off-by: Ronald Cron --- CMakeLists.txt | 9 ++------- pkgconfig/mbedcrypto.pc.in | 2 +- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index a099356389..64a390a307 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -376,15 +376,10 @@ if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) endif() set(tf_psa_crypto_library_targets - ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto - ${TF_PSA_CRYPTO_TARGET_PREFIX}builtin - ${TF_PSA_CRYPTO_TARGET_PREFIX}everest - ${TF_PSA_CRYPTO_TARGET_PREFIX}p256m) + ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto) if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) - list(APPEND tf_psa_crypto_library_targets - ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto_static - ${TF_PSA_CRYPTO_TARGET_PREFIX}builtin_static) + list(APPEND tf_psa_crypto_library_targets) endif() foreach(target IN LISTS tf_psa_crypto_library_targets) diff --git a/pkgconfig/mbedcrypto.pc.in b/pkgconfig/mbedcrypto.pc.in index 28b9716b64..303f8852cd 100644 --- a/pkgconfig/mbedcrypto.pc.in +++ b/pkgconfig/mbedcrypto.pc.in @@ -7,4 +7,4 @@ Description: @PKGCONFIG_PROJECT_DESCRIPTION@ URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@ Version: @PROJECT_VERSION@ Cflags: -I"${includedir}" -Libs: -L"${libdir}" -ltfpsacrypto -lbuiltin -leverest -lp256m +Libs: -L"${libdir}" -ltfpsacrypto From d5da020a632a953eb33b5079c9e425a5eb04d8e6 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 2 Jul 2025 09:12:50 +0200 Subject: [PATCH 02/14] depends.py: Do not fail when disabling a non-existing option To ease the removal of legacy crypto options, do not fail in depends.py when disabling a non-existing option. This mimics the behavior of 'config.py unset'. Signed-off-by: Ronald Cron --- tests/scripts/depends.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 0cb55377a7..08829d1936 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -109,6 +109,8 @@ def set_config_option_value(conf, option, colors, value: Union[bool, str]): value can be either True/False (set/unset config option), or a string, which will make a symbol defined with a certain value.""" if not option_exists(conf, option): + if value is False: + return True log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) return False From bd28acf24004e548c9e8c5825f49d1a08b75024e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 10 Jul 2025 09:53:50 +0200 Subject: [PATCH 03/14] ssl-opt.sh: Remove dependencies on built-in CBC and AES Remove dependencies on MBEDTLS_CIPHER_MODE_CBC and MBEDTLS_AES_C, as these options will no longer be available once they are removed from the configuration. The affected tests rely on the built-in CBC and AES implementations. With the removal of MBEDTLS_CIPHER_MODE_CBC and MBEDTLS_AES_C as configuration options, there is no longer a mechanism in ssl-opt.sh to express these dependencies. As a result, filter out these tests at the all.sh component level when the built-in CBC and AES implementations are not available. Signed-off-by: Ronald Cron --- .../components-configuration-crypto.sh | 6 ++++-- tests/ssl-opt.sh | 21 +++++++++++-------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 9de7597c1c..f7eb6d617f 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1894,7 +1894,8 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { make test msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" - tests/ssl-opt.sh + # Exclude password-protected key tests — they require built-in CBC and AES. + tests/ssl-opt.sh -e "TLS: password protected" msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" tests/compat.sh -V NO -p mbedTLS @@ -1910,7 +1911,8 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { make test msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" - tests/ssl-opt.sh + # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. + tests/ssl-opt.sh -e "TLS: password protected" msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" tests/compat.sh -V NO -p mbedTLS diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5b2425bf55..5b7bb517c6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2245,9 +2245,10 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM -# module does not support PSA dispatching so we need builtin support. -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_enabled MBEDTLS_AES_C +# module does not support PSA dispatching so we need builtin support. With the +# removal of the legacy cryptography configuration options, there is currently +# no way to express this dependency. This test fails if run in a configuration +# where the built-in implementation of CBC or AES is not present. requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected client key" \ @@ -2257,9 +2258,10 @@ run_test "TLS: password protected client key" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM -# module does not support PSA dispatching so we need builtin support. -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_enabled MBEDTLS_AES_C +# module does not support PSA dispatching so we need builtin support. With the +# removal of the legacy cryptography configuration options, there is currently +# no way to express this dependency. This test fails if run in a configuration +# where the built-in implementation of CBC or AES is not present. requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected server key" \ @@ -2270,9 +2272,10 @@ run_test "TLS: password protected server key" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM -# module does not support PSA dispatching so we need builtin support. -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_enabled MBEDTLS_AES_C +# module does not support PSA dispatching so we need builtin support. With the +# removal of the legacy cryptography configuration options, there is currently +# no way to express this dependency. This test fails if run in a configuration +# where the built-in implementation of CBC or AES is not present. requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected server key, two certificates" \ From 68ba7f7ab7885394cb03d7884d8f71c78d05f715 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 30 Jun 2025 07:45:17 +0200 Subject: [PATCH 04/14] ssl-opt.sh: Replace MBEDTLS_RSA_C dependencies In preparation of the removal of MBEDTLS_RSA_C, replace MBEDTLS_RSA_C by its PSA_WANT_ closest equivalent PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC in dependencies. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 134 +++++++++++++++++++++++------------------------ 1 file changed, 67 insertions(+), 67 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5b7bb517c6..d4e23b538a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -559,7 +559,7 @@ detect_required_features() { # we aren't currently running ssl-opt.sh in configurations # where partial RSA support is a problem, so generically, we # just require RSA and it works out for our tests so far. - requires_config_enabled "MBEDTLS_RSA_C" + requires_config_enabled "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" esac unset tmp @@ -2270,7 +2270,7 @@ run_test "TLS: password protected server key" \ 0 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM # module does not support PSA dispatching so we need builtin support. With the # removal of the legacy cryptography configuration options, there is currently @@ -2324,7 +2324,7 @@ run_test "Opaque key for client authentication: ECDHE-ECDSA" \ # Test using a RSA opaque private key for client authentication requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client authentication: ECDHE-RSA" \ @@ -2373,7 +2373,7 @@ run_test "Opaque key for server authentication: ECDH-" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \ @@ -2388,7 +2388,7 @@ run_test "Opaque key for server authentication: invalid key: ecdh with RSA ke -c "Public key type mismatch" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \ @@ -2471,7 +2471,7 @@ run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: no suitable algorithm found" \ @@ -2484,7 +2484,7 @@ run_test "TLS 1.3 opaque key: no suitable algorithm found" \ -s "no suitable signature algorithm" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: suitable algorithm found" \ @@ -2497,7 +2497,7 @@ run_test "TLS 1.3 opaque key: suitable algorithm found" \ -S "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: first client sig alg not suitable" \ @@ -2511,7 +2511,7 @@ run_test "TLS 1.3 opaque key: first client sig alg not suitable" \ -S "error" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \ @@ -2525,7 +2525,7 @@ run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \ # Test using a RSA opaque private key for server authentication requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDHE-RSA" \ @@ -2541,7 +2541,7 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \ -C "error" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED run_test "Opaque key for server authentication: ECDHE-RSA, PSS instead of PKCS1" \ @@ -2556,7 +2556,7 @@ run_test "Opaque key for server authentication: ECDHE-RSA, PSS instead of PKC -c "error" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -2576,7 +2576,7 @@ run_test "Opaque keys for server authentication: RSA keys with different algs -C "error" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -2616,7 +2616,7 @@ run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \ # Test using a RSA opaque private key for client/server authentication requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED run_test "Opaque key for client/server authentication: ECDHE-RSA" \ @@ -2751,7 +2751,7 @@ run_test "SHA-256 allowed by default in server certificate" \ 0 requires_hash_alg SHA_1 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \ @@ -2759,13 +2759,13 @@ run_test "SHA-1 forbidden by default in client certificate" \ -s "The certificate is signed with an unacceptable hash" requires_hash_alg SHA_1 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC run_test "SHA-1 explicitly allowed in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=1" \ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \ 0 -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 run_test "SHA-256 allowed by default in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \ @@ -10190,7 +10190,7 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ # All those tests assume MAX_CONTENT_LEN is at least 2048 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10211,7 +10211,7 @@ run_test "DTLS fragmenting: none (for reference)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10236,7 +10236,7 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ # test can't be replicated with an MTU proxy such as the one # `client-initiated, server only (max_frag_len)` below. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10257,7 +10257,7 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10285,7 +10285,7 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ # The next test checks that no datagrams significantly larger than the # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10307,7 +10307,7 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10335,7 +10335,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ # The next test checks that no datagrams significantly larger than the # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -10357,7 +10357,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: none (for reference) (MTU)" \ @@ -10377,7 +10377,7 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client (MTU)" \ @@ -10397,7 +10397,7 @@ run_test "DTLS fragmenting: client (MTU)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server (MTU)" \ @@ -10417,7 +10417,7 @@ run_test "DTLS fragmenting: server (MTU)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: both (MTU=1024)" \ @@ -10439,7 +10439,7 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=512)" \ @@ -10468,7 +10468,7 @@ run_test "DTLS fragmenting: both (MTU=512)" \ # hence the ratio of 8. not_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ -p "$P_PXY mtu=508" \ @@ -10489,7 +10489,7 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ # Forcing ciphersuite for this test to fit the MTU of 508 with full config. only_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ -p "$P_PXY mtu=508" \ @@ -10512,7 +10512,7 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ # a HelloVerifyRequest, so only check for no retransmission server-side not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ @@ -10539,7 +10539,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ # a HelloVerifyRequest, so only check for no retransmission server-side not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ -p "$P_PXY mtu=512" \ @@ -10562,7 +10562,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ @@ -10586,7 +10586,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ -p "$P_PXY mtu=512" \ @@ -10619,7 +10619,7 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ # resumed listening, which would result in a spurious autoreduction. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ -p "$P_PXY mtu=1450" \ @@ -10644,7 +10644,7 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ # slow to reset, therefore omitting '-C "autoreduction"' below. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_max_content_len 2048 @@ -10673,7 +10673,7 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ # slow to reset, therefore omitting '-C "autoreduction"' below. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_max_content_len 2048 @@ -10702,7 +10702,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ # slow to reset, therefore omitting '-C "autoreduction"' below. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_max_content_len 2048 @@ -10731,7 +10731,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ # slow to reset, therefore omitting '-C "autoreduction"' below. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC @@ -10761,7 +10761,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ # slow to reset, therefore omitting '-C "autoreduction"' below. not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_max_content_len 2048 @@ -10788,7 +10788,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC client_needs_more_time 2 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d" \ @@ -10809,7 +10809,7 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC client_needs_more_time 2 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ @@ -10833,7 +10833,7 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ # here and below we just want to test that the we fragment in a way that # pleases other implementations, so we don't need the peer to fragment requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_gnutls requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ @@ -10854,7 +10854,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ # certificate validation fail, but passing --insecure makes # GnuTLS continue the connection nonetheless. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_gnutls requires_not_i686 requires_max_content_len 2048 @@ -10868,7 +10868,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ -s "fragmenting handshake message" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ @@ -10881,7 +10881,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ @@ -10898,7 +10898,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ # pleases other implementations, so we don't need the peer to fragment requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ @@ -10914,7 +10914,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ @@ -10931,7 +10931,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ ## it might trigger a bug due to openssl server (https://github.com/openssl/openssl/issues/6902) requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ @@ -10949,7 +10949,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ ## The cause is an openssl bug (https://github.com/openssl/openssl/issues/18887) skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ @@ -12469,7 +12469,7 @@ run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -12485,7 +12485,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -12500,7 +12500,7 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -12516,7 +12516,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -12531,7 +12531,7 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -12547,7 +12547,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -12562,7 +12562,7 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, client alg not in server list - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 @@ -12579,7 +12579,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, client alg not in server list - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \ @@ -12710,7 +12710,7 @@ run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -12726,7 +12726,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -12741,7 +12741,7 @@ run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -12757,7 +12757,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -12772,7 +12772,7 @@ run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ @@ -12788,7 +12788,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ @@ -12803,7 +12803,7 @@ run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 @@ -12820,7 +12820,7 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \ From fbd51579895eceea3447315bbf4e8bbbf7a5a093 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 10 Jul 2025 13:19:31 +0200 Subject: [PATCH 05/14] ssl-opt.sh: Replace MBEDTLS_ECP_DP_* dependencies In preparation of the removal of MBEDTLS_ECP_DP_* configuration options, replace them by their PSA_WANT_ECC_* equivalent in dependencies. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d4e23b538a..c667cd14bd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2201,8 +2201,7 @@ trap cleanup INT TERM HUP # - the expected parameters are selected requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 requires_hash_alg SHA_512 # "signature_algorithm ext: 6" -requires_any_configs_enabled MBEDTLS_ECP_DP_CURVE25519_ENABLED \ - PSA_WANT_ECC_MONTGOMERY_255 +requires_config_enabled PSA_WANT_ECC_MONTGOMERY_255 run_test "Default, TLS 1.2" \ "$P_SRV debug_level=3" \ "$P_CLI force_version=tls12" \ @@ -2685,8 +2684,7 @@ run_test "Unique IV in GCM" \ -U "IV used" # Test for correctness of sent single supported algorithm -requires_any_configs_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED \ - PSA_WANT_ECC_SECP_R1_256 +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2701,8 +2699,7 @@ run_test "Single supported algorithm sending: mbedtls client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_SRV_C -requires_any_configs_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED \ - PSA_WANT_ECC_SECP_R1_256 +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 requires_hash_alg SHA_256 run_test "Single supported algorithm sending: openssl client" \ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \ @@ -9408,7 +9405,7 @@ run_test "Large server packet TLS 1.3 AEAD shorter tag" \ # Force the use of a curve that supports restartable ECC (secp256r1). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, default" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9421,7 +9418,7 @@ run_test "EC restart: TLS, default" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=0" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9434,7 +9431,7 @@ run_test "EC restart: TLS, max_ops=0" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=65535" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9461,7 +9458,7 @@ run_test "EC restart: TLS, max_ops=65535" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ @@ -9477,7 +9474,7 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9492,7 +9489,7 @@ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ # This works the same with & without USE_PSA as we never get to ECDH: # we abort as soon as we determined the cert is bad. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9511,7 +9508,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ @@ -9532,7 +9529,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9551,7 +9548,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA) # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ @@ -9572,7 +9569,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9591,7 +9588,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ @@ -9607,7 +9604,7 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9621,7 +9618,7 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ "$P_SRV groups=secp256r1" \ @@ -9637,7 +9634,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9653,7 +9650,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ # This is the same as "EC restart: TLS, max_ops=1000" except with ECDHE-RSA, # and all 4 assertions negated. requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, ECDHE-RSA" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \ From 3f1200644177138feb2efa7f784d9a7415d357c9 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 3 Jul 2025 14:45:51 +0200 Subject: [PATCH 06/14] build_psa_config_file: Check PSA_WANT_ALG_CMAC instead of MBEDTLS_CMAC_C Signed-off-by: Ronald Cron --- tests/scripts/components-configuration-crypto.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index f7eb6d617f..a290c3ed06 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2541,7 +2541,7 @@ component_build_psa_config_file () { echo '#error "TF_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" # Make sure this feature is enabled. We'll disable it in the next phase. - programs/test/query_compile_time_config MBEDTLS_CMAC_C + programs/test/query_compile_time_config PSA_WANT_ALG_CMAC make clean msg "build: make with TF_PSA_CRYPTO_CONFIG_FILE + TF_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s @@ -2552,7 +2552,7 @@ component_build_psa_config_file () { echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" - not programs/test/query_compile_time_config MBEDTLS_CMAC_C + not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC rm -f psa_test_config.h psa_user_config.h } From b5c6fcc4c9abd378b17c5eab13c681b461f61bcf Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 10 Jul 2025 13:40:00 +0200 Subject: [PATCH 07/14] test_psa_crypto_config_accel_cipher_aead_cmac: Disable POLY1305 In preparation of the removal of the configuration option MBEDTLS_POLY1305_C, disable it in test_psa_crypto_config_accel_cipher_aead_cmac as it will be not possible to enable it when CHACHA20_POLY1305 is accelerated. Signed-off-by: Ronald Cron --- tests/scripts/analyze_outcomes.py | 6 +++--- tests/scripts/components-configuration-crypto.sh | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 429a04f7f5..2ea3cd9511 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -292,15 +292,15 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference): IGNORED_SUITES = [ # low-level (block/stream) cipher modules 'aes', 'aria', 'camellia', 'des', 'chacha20', - # AEAD modes and CMAC - 'ccm', 'chachapoly', 'cmac', 'gcm', + # AEAD modes, CMAC and POLY1305 + 'ccm', 'chachapoly', 'cmac', 'gcm', 'poly1305', # The Cipher abstraction layer 'cipher', ] IGNORED_TESTS = { 'test_suite_config': [ re.compile(r'.*\bMBEDTLS_(AES|ARIA|CAMELLIA|CHACHA20|DES)_.*'), - re.compile(r'.*\bMBEDTLS_(CCM|CHACHAPOLY|CMAC|GCM)_.*'), + re.compile(r'.*\bMBEDTLS_(CCM|CHACHAPOLY|CMAC|GCM|POLY1305)_.*'), re.compile(r'.*\bMBEDTLS_AES(\w+)_C\b.*'), re.compile(r'.*\bMBEDTLS_CIPHER_.*'), ], diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index a290c3ed06..ffe7248b7a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1864,6 +1864,7 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { scripts/config.py unset MBEDTLS_ARIA_C scripts/config.py unset MBEDTLS_CHACHA20_C scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_POLY1305_C # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA # does not depend on it. @@ -1886,6 +1887,7 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o + not grep mbedtls_poly1305 ${BUILTIN_SRC_PATH}/poly1305.o # Run the tests # ------------- From f256f8ac3e2fb92c0a796533a1cc9849e09ecf4c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 10 Jul 2025 17:37:18 +0200 Subject: [PATCH 08/14] Add test_xts component Signed-off-by: Ronald Cron --- tests/scripts/components-configuration-crypto.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index ffe7248b7a..c966c14b5a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2589,3 +2589,18 @@ component_test_min_mpi_window_size () { msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s make test } + +component_test_xts () { + # Component dedicated to run XTS unit test cases while XTS is not + # supported through the PSA API. + msg "build: Default + MBEDTLS_CIPHER_MODE_XTS" + + echo "#define MBEDTLS_CIPHER_MODE_XTS" > psa_user_config.h + cmake -DTF_PSA_CRYPTO_USER_CONFIG_FILE="psa_user_config.h" + make + + msg "test: Default + MBEDTLS_CIPHER_MODE_XTS" + make test + + rm -f psa_user_config.h +} From e0b06eb3a12fe94b9096a7ebe560f647257a040d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 15 Jul 2025 08:58:32 +0200 Subject: [PATCH 09/14] test_xts: Remove temporarily file earlier Signed-off-by: Ronald Cron --- tests/scripts/components-configuration-crypto.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index c966c14b5a..cdef0d1173 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2599,8 +2599,8 @@ component_test_xts () { cmake -DTF_PSA_CRYPTO_USER_CONFIG_FILE="psa_user_config.h" make + rm -f psa_user_config.h + msg "test: Default + MBEDTLS_CIPHER_MODE_XTS" make test - - rm -f psa_user_config.h } From 50f99caf42094f6e43321935452e2e99b2b75d57 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 15 Jul 2025 09:32:03 +0200 Subject: [PATCH 10/14] depends.py: Add warning log Add warning log when disabling a configuration option that does not exist. When the removal of the legacy crypto config options is completed, the warning will be reverted to an error. Signed-off-by: Ronald Cron --- tests/scripts/depends.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 08829d1936..7fccb2006f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -110,6 +110,10 @@ value can be either True/False (set/unset config option), or a string, which will make a symbol defined with a certain value.""" if not option_exists(conf, option): if value is False: + log_line( + f'Warning, disabling {option} that does not exist in {conf.filename}', + color=colors.cyan + ) return True log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) return False From a5f36483ef3bd9296e11b7aee7cdd4a3c51fb8c1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 30 Jun 2025 10:36:25 +0200 Subject: [PATCH 11/14] Replace legacy RSA crypto options in check_config.h For the test_psa_crypto_config_accel_rsa_crypto component, ignore test cases that depend on MBEDTLS_GENPRIME being enabled. When all RSA cryptographic operations are provided by drivers, MBEDTLS_GENPRIME will not be enabled, as it will no longer be a configuration option. Signed-off-by: Ronald Cron --- include/mbedtls/check_config.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 22ddaa80fd..5e5a5b31db 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -64,7 +64,7 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - ( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) || \ + ( !defined(MBEDTLS_CAN_ECDH) || !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) ) #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites" #endif @@ -75,8 +75,8 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - ( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) || \ - !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) ) + ( !defined(MBEDTLS_CAN_ECDH) || !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \ + !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) ) #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" #endif @@ -109,7 +109,7 @@ #endif #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ - ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) ) + ( !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || !defined(PSA_WANT_ALG_RSA_OAEP) ) #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" #endif @@ -130,7 +130,7 @@ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if !( (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \ defined(MBEDTLS_X509_CRT_PARSE_C) && \ - ( defined(PSA_HAVE_ALG_ECDSA_SIGN) || defined(MBEDTLS_PKCS1_V21) ) ) + ( defined(PSA_HAVE_ALG_ECDSA_SIGN) || defined(PSA_WANT_ALG_RSA_OAEP) ) ) #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites" #endif #endif From 4c48114f7dc0573ccde3f24cbc804dc4ec66484b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 11 Jul 2025 17:23:41 +0200 Subject: [PATCH 12/14] analyze_outcomes.py: Ignore test cases depending on MBEDTLS_GENPRIME For the component test_psa_crypto_config_accel_rsa_crypto, ignore the test cases depending on MBEDTLS_GENPRIME being enabled. When all RSA crypto is provided by drivers MBEDTLS_GENPRIME will not be enabled when it is not a configuration option anymore. Signed-off-by: Ronald Cron --- tests/scripts/analyze_outcomes.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 2ea3cd9511..132d53ec97 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -568,6 +568,10 @@ class DriverVSReference_rsa(outcome_analysis.DriverVSReference): 'pk', 'pkwrite', 'pkparse' ] IGNORED_TESTS = { + 'test_suite_bignum.misc': [ + re.compile(r'.*\bmbedtls_mpi_is_prime.*'), + re.compile(r'.*\bmbedtls_mpi_gen_prime.*'), + ], 'test_suite_config': [ re.compile(r'.*\bMBEDTLS_(PKCS1|RSA)_.*'), re.compile(r'.*\bMBEDTLS_GENPRIME\b.*') From 9edf4c54b61c192596caf5a17fe315326fc8489a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 15 Jul 2025 15:40:46 +0200 Subject: [PATCH 13/14] test_psa_crypto_config_accel_rsa_crypto: Disable MBEDTLS_GENPRIME Disable MBEDTLS_GENPRIME in the test_psa_crypto_config_accel_rsa_crypto component. This should likely have been the case already, as all RSA crypto in this component is expected to be provided by the test driver. This change is necessary following the previous commit to prevent analyze_outcomes.py from complaining that, as MBEDTLS_GENPRIME tests are passing in both the driver and reference components, they should not be ignored. Signed-off-by: Ronald Cron --- tests/scripts/components-configuration-crypto.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index cdef0d1173..b2ea2b3039 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1429,6 +1429,7 @@ config_psa_crypto_accel_rsa () { scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_PKCS1_V15 scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_GENPRIME # We need PEM parsing in the test library as well to support the import # of PEM encoded RSA keys. From ce7de61ad4c672a91066e7911de54e8e602e3d21 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 16 Jul 2025 10:23:17 +0200 Subject: [PATCH 14/14] cmake: Fix list of TF-PSA-Crypto library targets Signed-off-by: Ronald Cron --- CMakeLists.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 64a390a307..162373182b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -379,7 +379,8 @@ set(tf_psa_crypto_library_targets ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto) if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) - list(APPEND tf_psa_crypto_library_targets) + list(APPEND tf_psa_crypto_library_targets + ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto_static) endif() foreach(target IN LISTS tf_psa_crypto_library_targets)