restoring test comment that refer to USE_PSA
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index c78e532..da776e7 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -16,7 +16,7 @@
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
+ msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan"
make test
}
@@ -188,16 +188,16 @@
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: Full minus CTR_DRBG- main suites"
+ msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
make test
# In this configuration, the TLS test programs use HMAC_DRBG.
# The SSL tests are slow, so run a small subset, just enough to get
# confidence that the SSL code copes with HMAC_DRBG.
- msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)"
+ msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
- msg "test: Full minus CTR_DRBG - compat.sh (subset)"
+ msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)"
tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
}
@@ -210,7 +210,7 @@
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: Full minus HMAC_DRBG - main suites"
+ msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
make test
# Normally our ECDSA implementation uses deterministic ECDSA. But since
@@ -218,12 +218,12 @@
# instead.
# Test SSL with non-deterministic ECDSA. Only test features that
# might be affected by how ECDSA signature is performed.
- msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)"
+ msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)"
tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
# To save time, only test one protocol version, since this part of
# the protocol is identical in (D)TLS up to 1.2.
- msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)"
+ msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)"
tests/compat.sh -m tls12 -t 'ECDSA'
}
@@ -247,16 +247,16 @@
}
component_test_psa_external_rng_use_psa_crypto () {
- msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
+ msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py unset MBEDTLS_CTR_DRBG_C
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
- msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
+ msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
make test
- msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG"
+ msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
tests/ssl-opt.sh -f 'Default\|opaque'
}
@@ -342,6 +342,7 @@
msg "build: full no PSA_WANT_ALG_CCM"
# Full config enables:
+ # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
# - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
scripts/config.py full
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 201a788..0cf9e23 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9443,10 +9443,15 @@
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
+# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
+# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test
+# cases.
+
+# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test
-run_test "EC restart: TLS, max_ops=1000" \
+run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9457,9 +9462,11 @@
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
+# With USE_PSA enabled we expect only partial restartable behaviour:
+# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-run_test "EC restart: TLS, max_ops=1000" \
+run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9470,7 +9477,8 @@
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
-# We abort as soon as we determined the cert is bad.
+# This works the same with & without USE_PSA as we never get to ECDH:
+# we abort as soon as we determined the cert is bad.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256
run_test "EC restart: TLS, max_ops=1000, badsign" \
@@ -9489,10 +9497,11 @@
-c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed"
+# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test
-run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
+run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -9508,11 +9517,11 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
-# We expect only partial restartable behaviour:
+# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
+run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -9528,10 +9537,11 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test
-run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
+run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -9547,11 +9557,11 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
-# We expect only partial restartable behaviour:
+# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
+run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -9567,10 +9577,11 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test
-run_test "EC restart: DTLS, max_ops=1000" \
+run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9581,11 +9592,11 @@
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
-# We expect only partial restartable behaviour:
+# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-run_test "EC restart: DTLS, max_ops=1000" \
+run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
@@ -9596,10 +9607,11 @@
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
+# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled PSA_WANT_ECC_SECP_R1_256
skip_next_test
-run_test "EC restart: TLS, max_ops=1000 no client auth" \
+run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
"$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \
@@ -9610,11 +9622,11 @@
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
-# We expect only partial restartable behaviour:
+# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-run_test "EC restart: TLS, max_ops=1000 no client auth" \
+run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \
"$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \