Merge pull request #9923 from mpg/use-psa-crypto
Rm dead !USE_PSA_CRYPTO code from the library
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index f7fc60f..2e8df33 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -274,21 +274,19 @@
'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'],
- 'MBEDTLS_ECP_DP_BP256R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_256'],
- 'MBEDTLS_ECP_DP_BP384R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_384'],
- 'MBEDTLS_ECP_DP_BP512R1_ENABLED': ['PSA_WANT_ECC_BRAINPOOL_P_R1_512'],
- 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_255'],
- 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['PSA_WANT_ECC_MONTGOMERY_448'],
- 'MBEDTLS_ECP_DP_SECP192R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_192'],
- 'MBEDTLS_ECP_DP_SECP224R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_224'],
- 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_256',
- 'PSA_WANT_ALG_JPAKE',
- 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
- 'MBEDTLS_ECP_DP_SECP384R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_384'],
- 'MBEDTLS_ECP_DP_SECP512R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_512'],
- 'MBEDTLS_ECP_DP_SECP521R1_ENABLED': ['PSA_WANT_ECC_SECP_R1_521'],
- 'MBEDTLS_ECP_DP_SECP192K1_ENABLED': ['PSA_WANT_ECC_SECP_K1_192'],
- 'MBEDTLS_ECP_DP_SECP256K1_ENABLED': ['PSA_WANT_ECC_SECP_K1_256'],
+ 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
+ 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
+ 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'],
+ 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'],
+ 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'],
+ 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_R1_256': ['MBEDTLS_ECJPAKE_C',
+ 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
+ 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'],
'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
@@ -362,12 +360,12 @@
EXCLUSIVE_GROUPS = {
'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C',
'-MBEDTLS_SSL_TLS_C'],
- 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['-MBEDTLS_ECDSA_C',
- '-MBEDTLS_ECDSA_DETERMINISTIC',
- '-MBEDTLS_ECJPAKE_C',],
- 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['-MBEDTLS_ECDSA_C',
- '-MBEDTLS_ECDSA_DETERMINISTIC',
- '-MBEDTLS_ECJPAKE_C'],
+ 'PSA_WANT_ECC_MONTGOMERY_448': ['-MBEDTLS_ECDSA_C',
+ '-MBEDTLS_ECDSA_DETERMINISTIC',
+ '-MBEDTLS_ECJPAKE_C',],
+ 'PSA_WANT_ECC_MONTGOMERY_255': ['-MBEDTLS_ECDSA_C',
+ '-MBEDTLS_ECDSA_DETERMINISTIC',
+ '-MBEDTLS_ECJPAKE_C'],
'PSA_WANT_KEY_TYPE_ARIA': ['-PSA_WANT_ALG_CMAC',
'-PSA_WANT_ALG_CCM',
'-PSA_WANT_ALG_GCM',
@@ -512,8 +510,12 @@
# Find hash modules by name.
hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z')
- # Find elliptic curve enabling macros by name.
- curve_symbols = self.config_symbols_matching(r'MBEDTLS_ECP_DP_\w+_ENABLED\Z')
+
+ # Find elliptic curve enabling macros
+ # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves
+ curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|'
+ r'MBEDTLS_ECP_DP_SECP224K1_ENABLED')
+
# Find key exchange enabling macros by name.
key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z')
@@ -541,8 +543,11 @@
'cipher_padding': ExclusiveDomain(cipher_padding_symbols,
build_and_test),
+
# Elliptic curves. Run the test suites.
- 'curves': ExclusiveDomain(curve_symbols, build_and_test),
+ 'curves': ExclusiveDomain(curve_symbols, build_and_test,
+ exclude=r'MBEDTLS_ECP_DP_SECP224K1_ENABLED'),
+
# Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1,
# SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used
# across various modules, but it depends on either SHA256 or SHA512.
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index b14b1b2..b1a4b92 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2276,23 +2276,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_config_enabled MBEDTLS_RSA_C
-requires_hash_alg SHA_256
-run_test "Opaque key for client authentication: DHE-RSA" \
- "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \
- key_file=$DATA_FILES_PATH/server2.key" \
- "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
- key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- key_opaque_algs=rsa-sign-pkcs1,none" \
- 0 \
- -c "key type: Opaque" \
- -c "Ciphersuite is TLS-DHE-RSA" \
- -s "Verifying peer X.509 certificate... ok" \
- -s "Ciphersuite is TLS-DHE-RSA" \
- -S "error" \
- -C "error"
-
# Test using an EC opaque private key for server authentication
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -2524,21 +2507,6 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
-run_test "Opaque key for server authentication: DHE-RSA" \
- "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
- key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
- "$P_CLI force_version=tls12 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -c "Verifying peer X.509 certificate... ok" \
- -c "Ciphersuite is TLS-DHE-RSA" \
- -s "key types: Opaque, none" \
- -s "Ciphersuite is TLS-DHE-RSA" \
- -S "error" \
- -C "error"
-
-requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_config_enabled MBEDTLS_RSA_C
-requires_hash_alg SHA_256
run_test "Opaque key for server authentication: RSA-" \
"$P_SRV debug_level=3 key_opaque=1 key_opaque_algs=rsa-decrypt,none " \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA256" \
@@ -2553,11 +2521,12 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
-run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+run_test "Opaque key for server authentication: ECDHE-RSA, PSS instead of PKCS1" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \
"$P_CLI crt_file=$DATA_FILES_PATH/server2-sha256.crt \
- key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
@@ -2586,20 +2555,21 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \
+run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-RSA" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \
crt_file2=$DATA_FILES_PATH/server4.crt \
key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "Verifying peer X.509 certificate... ok" \
- -c "Ciphersuite is TLS-DHE-RSA" \
+ -c "Ciphersuite is TLS-ECDHE-RSA" \
-c "CN=Polarssl Test EC CA" \
-s "key types: Opaque, Opaque" \
- -s "Ciphersuite is TLS-DHE-RSA" \
+ -s "Ciphersuite is TLS-ECDHE-RSA" \
-S "error" \
-C "error"
@@ -2642,26 +2612,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_config_enabled MBEDTLS_RSA_C
-requires_hash_alg SHA_256
-run_test "Opaque key for client/server authentication: DHE-RSA" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
- key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
- "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
- key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -c "key type: Opaque" \
- -c "Verifying peer X.509 certificate... ok" \
- -c "Ciphersuite is TLS-DHE-RSA" \
- -s "key types: Opaque, none" \
- -s "Verifying peer X.509 certificate... ok" \
- -s "Ciphersuite is TLS-DHE-RSA" \
- -S "error" \
- -C "error"
-
-
# Test ciphersuites which we expect to be fully supported by PSA Crypto
# and check that we don't fall back to Mbed TLS' internal crypto primitives.
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
@@ -7843,11 +7793,11 @@
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
-run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
+run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, ECDHE-RSA: OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
"$P_CLI debug_level=1 \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
@@ -7863,11 +7813,11 @@
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
-run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (hard)" \
+run_test "keyUsage cli 1.2: KeyEncipherment, ECDHE-RSA: fail (hard)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI debug_level=3 \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
@@ -7876,11 +7826,11 @@
-c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
-run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (soft)" \
+run_test "keyUsage cli 1.2: KeyEncipherment, ECDHE-RSA: fail (soft)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI debug_level=3 auth_mode=optional \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
@@ -7888,11 +7838,11 @@
-C "send alert level=2 message=43" \
-c "! Usage does not match the keyUsage extension"
-run_test "keyUsage cli 1.2: DigitalSignature, DHE-RSA: OK" \
+run_test "keyUsage cli 1.2: DigitalSignature, ECDHE-RSA: OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI debug_level=1 \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
@@ -8415,96 +8365,6 @@
-s "Processing of the Certificate handshake message failed"
# MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
-# Tests for DHM parameters loading
-
-run_test "DHM parameters: reference" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=3" \
- 0 \
- -c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2 bits)"
-
-run_test "DHM parameters: other parameters" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=3" \
- 0 \
- -c "value of 'DHM: P ' (1024 bits)" \
- -c "value of 'DHM: G ' (2 bits)"
-
-# Tests for DHM client-side size checking
-
-run_test "DHM size: server default, client default, OK" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server default, client 2048, OK" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=2048" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server 1024, client default, OK" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server 999, client 999, OK" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=999" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server 1000, client 1000, OK" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=1000" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server 1000, client default, rejected" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1" \
- 1 \
- -c "DHM prime too short:"
-
-run_test "DHM size: server 1000, client 1001, rejected" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=1001" \
- 1 \
- -c "DHM prime too short:"
-
-run_test "DHM size: server 999, client 1000, rejected" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=1000" \
- 1 \
- -c "DHM prime too short:"
-
-run_test "DHM size: server 998, client 999, rejected" \
- "$P_SRV dhm_file=$DATA_FILES_PATH/dh.998.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=999" \
- 1 \
- -c "DHM prime too short:"
-
-run_test "DHM size: server default, client 2049, rejected" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=2049" \
- 1 \
- -c "DHM prime too short:"
-
# Tests for PSK callback
run_test "PSK callback: psk, no callback" \
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 2eeb172..8d9e8bb 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -372,9 +372,9 @@
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:0
-Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:0
+Handshake, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:0
Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
@@ -400,9 +400,9 @@
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:1
-DTLS Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:1
+DTLS Handshake, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:1
DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
@@ -452,30 +452,6 @@
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
-Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
-depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-
-Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
-depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-
-Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
-depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-
-Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
-depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
-
-Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
-depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
-
-Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
-depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
-
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
@@ -785,53 +761,53 @@
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
-DTLS no legacy renegotiation with MFL=512, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS no legacy renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS no legacy renegotiation with MFL=1024, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS no legacy renegotiation with MFL=1024, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS no legacy renegotiation with MFL=2048, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS no legacy renegotiation with MFL=2048, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS no legacy renegotiation with MFL=4096, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS no legacy renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy allow renegotiation with MFL=512, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy allow renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy allow renegotiation with MFL=1024, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy allow renegotiation with MFL=1024, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy allow renegotiation with MFL=2048, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy allow renegotiation with MFL=2048, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy allow renegotiation with MFL=4096, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy allow renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy break handshake renegotiation with MFL=512, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy break handshake renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy break handshake renegotiation with MFL=1024, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy break handshake renegotiation with MFL=1024, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy break handshake renegotiation with MFL=2048, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy break handshake renegotiation with MFL=2048, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
-DTLS legacy break handshake renegotiation with MFL=4096, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+DTLS legacy break handshake renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-CBC-SHA384
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"
SSL DTLS replay: initial state, seqnum 0
ssl_dtls_replay:"":"000000000000":0
@@ -3086,7 +3062,7 @@
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_SRV_C
ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
-Test configuration of groups for DHE through mbedtls_ssl_conf_groups()
+Test configuration of EC groups through mbedtls_ssl_conf_groups()
conf_group:
Version config: valid client TLS 1.2 only
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 0781cef..6bb4dfe 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -2761,7 +2761,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
void handshake_fragmentation(int mfl,
int expected_srv_hs_fragmentation,
int expected_cli_hs_fragmentation)
@@ -2778,7 +2778,7 @@
options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
options.mfl = mfl;
/* Set cipher to one using CBC so that record splitting can be tested */
- options.cipher = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256";
+ options.cipher = "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384";
options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
options.srv_log_obj = &srv_pattern;
options.cli_log_obj = &cli_pattern;